Bugzilla – Bug 933109
VUL-1: CVE-2015-0848,CVE-2015-4588: libwmf: CVE-2015-0848 - Heap overflow on libwmf0.2-7
Last modified: 2016-03-10 10:02:05 UTC
Created attachment 636215 [details]
reproducer

Via oss-sec http://seclists.org/oss-sec/2015/q2/597

libwmf is affected by a heap overflow in the function that decodes BMP images. WMF files may contain both vector graphics and bitmap components. With the attached WMF file the issue can be reproduced: an overflow happens because image_size gets a value of 32, and that space is used to allocate data->image.

src/ipa/ipa/bmp.h, function ReadBMPImage:

    1129    image_size = bytes_per_line * bmp->height;
    1131    data->image = (unsigned char*) wmf_malloc (API,image_size);
    1147    DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);

Inside DecodeImage we have:

    DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
    874     for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;

But bmp->width * bmp->height has a value of 64, and a write out of bounds takes place.

    $ wmf2svg --wmf-fontdir=/usr/share/fonts/type1/gsfonts bmpoverflow.wmf
    <partial svg output>
    *** Error in `wmf2svg': free(): invalid next size (fast): 0x091584b8 ***

ASAN enabled libwmf/wmf2svg shows the problem:

    $ ./src/convert/wmf2svg --wmf-fontdir=/usr/share/fonts/type1/gsfonts bmpoverflow.wmf
    <partial svg output>
    ==3400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c268b0 at pc 0x807093e bp 0xbfc3cee8 sp 0xbfc3ced8
    WRITE of size 1 at 0xb5c268b0 thread T0
        #0 0x807093d in DecodeImage ../../src/ipa/ipa/bmp.h:874
        #1 0x807093d in ReadBMPImage ../../src/ipa/ipa/bmp.h:1147
        #2 0x807093d in wmf_ipa_bmp_read ../../src/ipa/ipa/bmp.h:477
        #3 0x815f013 in meta_dib_brush player/meta.h:2187
        #4 0x815f013 in WmfPlayMetaFile /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:922
        #5 0x81a5ff5 in wmf_play /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:323
        #6 0x804c583 in wmf2svg_draw /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:208
        #7 0x804f2c5 in wmf2svg_file /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:439
        #8 0x804ad78 in main /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:458
        #9 0xb6efc72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
        #10 0x804b46e (/home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg+0x804b46e)

    0xb5c268b0 is located 0 bytes to the right of 32-byte region [0xb5c26890,0xb5c268b0)
    allocated by thread T0 here:
        #0 0xb72d718c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
        #1 0x80d74a8 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482

This causes a Denial of Service, or could cause code execution, since DecodeImage writes the data of the run-length decoded image to data->image.

The attached file was fuzzed with lcamtuf's afl fuzzer.

===========
No patch available just now.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0848
http://seclists.org/oss-sec/2015/q2/597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
bugbot adjusting priority
RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1227243

Untested fix 1 at RH: https://bugzilla.redhat.com/attachment.cgi?id=1033697

Add-on from http://seclists.org/oss-sec/2015/q2/617

> There's another issue related to the RLE decoding. DecodeImage() does
> not check that the run-length "count" fits into the total size of the
> image, which can lead to a heap-based buffer overflow. I've not
> assigned a CVE ID to this (mainly because I'm not sure if this
> warrants a new CVE or should be bundled with CVE-2015-0848, so I leave
> that up to the CVE experts on the list).

Untested fix 2 at RH: https://bugzilla.redhat.com/attachment.cgi?id=1034253
This is an autogenerated message for OBS integration:
This bug (933109) was mentioned in
https://build.opensuse.org/request/show/311550 Factory / libwmf
https://build.opensuse.org/request/show/311551 13.1 / libwmf
https://build.opensuse.org/request/show/311552 13.2 / libwmf
http://seclists.org/oss-sec/2015/q2/719

> here's another issue related to the RLE decoding. DecodeImage() does
> not check that the run-length "count" fits into the total size of the
> image, which can lead to a heap-based buffer overflow. I've not
> assigned a CVE ID to this (mainly because I'm not sure if this
> warrants a new CVE or should be bundled with CVE-2015-0848

Use CVE-2015-4588 for this new issue. (The two issues were disclosed at different times by different persons. CVE-2015-0848 is about a missing bits-per-pixel factor in a calculation. CVE-2015-4588 is about a loop that can proceed past the end of its output array.)

This should be added to libwmf-0.2.8.4-badrle.patch in the changelog.
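The two defects discussed in this bug are an output buffer allocated smaller than the width*height bytes the decoder fills (comment 1) and an RLE run "count" never checked against the remaining output space (the quoted oss-sec mail above). The following is an added, constructed illustration of both checks in a minimal one-byte-per-pixel RLE8-style decoder; it is not libwmf code and not the badrle patch, and the img_hdr struct, required_pixels, decode_rle8 and decode_image names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header carrying only the dimensions (not libwmf's wmfBMP). */
typedef struct { uint32_t width, height; } img_hdr;

/* Bytes a one-byte-per-pixel decoder will write: width*height, the same
 * quantity the report's clearing loop iterates over. Returns 0 for zero
 * dimensions or if the product would wrap, so a caller can never allocate
 * less than the decoder is going to touch. */
size_t required_pixels(const img_hdr *h) {
    if (h->width == 0 || h->height == 0) return 0;
    if (h->width > SIZE_MAX / h->height) return 0;   /* product would overflow */
    return (size_t)h->width * h->height;
}

/* Decode constructed RLE8 "count, value" pairs into out[0..out_len).
 * A count of 0 is treated as end-of-data (simplification of real RLE8
 * escapes). Returns bytes written, or -1 if a run would not fit in the
 * remaining output: the check the quoted mail says was missing. */
long decode_rle8(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_len) {
    size_t pos = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        size_t count = in[i];
        uint8_t value = in[i + 1];
        if (count == 0) break;                 /* end-of-data marker */
        if (count > out_len - pos) return -1;  /* run exceeds output buffer */
        memset(out + pos, value, count);
        pos += count;
    }
    return (long)pos;
}

/* Size the buffer from the header, then decode with that size enforced. */
long decode_image(const img_hdr *h, const uint8_t *in, size_t in_len) {
    size_t n = required_pixels(h);
    if (n == 0) return -1;
    uint8_t *buf = malloc(n);
    if (!buf) return -1;
    long written = decode_rle8(in, in_len, buf, n);
    free(buf);
    return written;
}
```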
(In reply to Andreas Stieger from comment #6)
> Use CVE-2015-4588 for this new issue. (The two issues were disclosed
> at different times by different persons. CVE-2015-0848 is about a
> missing bits-per-pixel factor in a calculation. CVE-2015-4588 is about
> a loop that can proceed past the end of its output array.)
> This should be added to libwmf-0.2.8.4-badrle.patch in the changelog.

Done and resubmitted as the previous notification already said.
openSUSE-SU-2015:1132-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 933109
CVE References: CVE-2015-0848,CVE-2015-4588
Sources used:
openSUSE 13.2 (src): libwmf-0.2.8.4-239.4.1
openSUSE-SU-2015:1134-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 495842,831299,892356,933109
CVE References: CVE-2009-1364,CVE-2015-0848,CVE-2015-4588
Sources used:
openSUSE 13.1 (src): libwmf-0.2.8.4-234.4.1
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62147
openSUSE-SU-2015:1212-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 933109,936058,936062
CVE References: CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
openSUSE 13.2 (src): libwmf-0.2.8.4-239.7.1
openSUSE 13.1 (src): libwmf-0.2.8.4-234.7.1
SUSE-SU-2015:1378-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 831299,933109,936058,936062
CVE References: CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Desktop 11-SP4 (src): libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Desktop 11-SP3 (src): libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): libwmf-0.2.8.4-206.29.29.1
released
SUSE-SU-2015:1484-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 495842,831299,933109,936058,936062
CVE References: CVE-2009-1364,CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): libwmf-0.2.8.4-242.3
SUSE Linux Enterprise Software Development Kit 12 (src): libwmf-0.2.8.4-242.3
SUSE Linux Enterprise Desktop 12 (src): libwmf-0.2.8.4-242.3