Date: Wed, 17 Jun 2015 01:09:26 -0500
From: Fernando Muñoz <fernando@...l-life.com>
To: oss-security@...ts.openwall.com, scorneli@...hat.com
Subject: Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7

Stefan,

There are two additional invalid read issues inside libwmf. I submitted both to Debian a while ago; I don't know if they are worth fixing in a security update. One of them has a patch by me (not heavily tested, though).

invalid read on meta_pen_create player/meta.h (+ patch)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205

wmf2gd/wmf2eps invalid read
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192

Thanks.

On Wed, Jun 3, 2015 at 6:10 AM, Stefan Cornelius <scorneli@...hat.com> wrote:
> On Mon, 1 Jun 2015 03:06:57 -0500
> Fernando Muñoz <fernando@...l-life.com> wrote:
>
>> libwmf is affected by a heap overflow on the function that decodes
>> BMP images.
>>
>> WMF files may contain both vector graphics and bitmap components. With
>> the attached WMF file, the issue can be reproduced, an overflow
>> happens because image_size gets a value of 32, that space is used to
>> allocate data->image
>>
>
> There's another issue related to the RLE decoding. DecodeImage() does
> not check that the run-length "count" fits into the total size of the
> image, which can lead to a heap-based buffer overflow. I've not
> assigned a CVE ID to this (mainly because I'm not sure if this
> warrants a new CVE or should be bundled with CVE-2015-0848, so I leave
> that up to the CVE experts on the list).
>
> We have some possible fixes in our bug, but be cautious - these are
> not fully vetted yet. So far, however, they look fine to me.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> --
> Stefan Cornelius / Red Hat Product Security
>
> Come talk to Red Hat Product Security at the Summit!
> Red Hat Summit 2015 - https://www.redhat.com/summit/
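The thread above describes two distinct bounds problems in a BMP decoder: a declared image_size that is too small for the pixel buffer it is used to allocate, and an RLE run "count" that is never checked against the space left in that buffer. The following is an added example, not libwmf's code nor the fixes in the Red Hat bug; it is a small BI_RLE8 decoder written to show where each check belongs. The BI_RLE8 escape semantics (count 0 followed by 0 = end of line, 1 = end of bitmap, 2 = delta, anything larger = absolute run, word-padded) come from the BMP format; the struct bmp_hdr type, the MAX_PIXELS cap, the function names and the sample streams are assumptions constructed for this illustration and assume 8 bits per pixel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { RLE_OK = 0, RLE_ERR_OVERFLOW = 1, RLE_ERR_TRUNCATED = 2 };

/* Hypothetical view of the header fields a decoder reads before it
 * allocates the pixel buffer (8 bpp assumed, one byte per pixel). */
struct bmp_hdr { uint32_t width, height, image_size; };

#define MAX_PIXELS ((uint64_t)1 << 28)   /* arbitrary sanity cap, assumed */

/* Reject a header whose declared image_size cannot hold width*height
 * pixels. The product is computed in 64 bits so it cannot wrap around. */
int bmp_size_ok(const struct bmp_hdr *h)
{
    uint64_t need = (uint64_t)h->width * h->height;
    if (h->width == 0 || h->height == 0 || need > MAX_PIXELS) return 0;
    return (uint64_t)h->image_size >= need;
}

/* Decode BI_RLE8 pixel data (encoded runs, absolute runs, and the
 * end-of-line / end-of-bitmap / delta escapes) into dst, which must hold
 * width*height bytes. Every write is checked against the space left. */
int rle8_decode(const uint8_t *src, size_t src_len, uint8_t *dst,
                uint32_t width, uint32_t height, size_t *written)
{
    size_t image_size = (size_t)width * height;
    size_t x = 0, y = 0, in = 0, out;

    if (width == 0 || height == 0) return RLE_ERR_OVERFLOW;
    while (in + 2 <= src_len) {
        uint8_t count = src[in++];
        uint8_t value = src[in++];

        out = y * width + x;               /* index of the next output byte */
        if (out > image_size) return RLE_ERR_OVERFLOW;

        if (count > 0) {                   /* encoded run: count copies of value */
            /* This is the check the thread says is missing: the run must
             * fit in what remains of the image buffer. */
            if (count > image_size - out) return RLE_ERR_OVERFLOW;
            memset(dst + out, value, count);
            out += count;
        } else if (value == 0) {           /* end of line */
            x = 0; y++;
            continue;
        } else if (value == 1) {           /* end of bitmap */
            if (written) *written = out;
            return RLE_OK;
        } else if (value == 2) {           /* delta: move dx right, dy down */
            if (in + 2 > src_len) return RLE_ERR_TRUNCATED;
            x += src[in]; y += src[in + 1]; in += 2;
            continue;
        } else {                           /* absolute run of 'value' literal bytes */
            size_t n = value, padded = (n + 1) & ~(size_t)1;
            if (in + padded > src_len) return RLE_ERR_TRUNCATED;
            if (n > image_size - out) return RLE_ERR_OVERFLOW;
            memcpy(dst + out, src + in, n);
            in += padded; out += n;
        }
        x = out % width; y = out / width;
    }
    return RLE_ERR_TRUNCATED;              /* input ended before end-of-bitmap */
}

/* Constructed 8x2 sample: run, absolute run, end-of-line, delta, run, end. */
static const uint8_t SAMPLE_OK[] = {
    0x03, 0xAA, 0x00, 0x03, 0x01, 0x02, 0x03, 0x00, 0x00, 0x00,
    0x00, 0x02, 0x02, 0x00, 0x04, 0xBB, 0x00, 0x01 };
/* Constructed hostile stream: a 255-byte run aimed at a 4-byte image. */
static const uint8_t SAMPLE_BAD[] = { 0xFF, 0x41 };

/* Returns 1 when the sample decodes to the expected pixels. */
int demo_decode_ok(void)
{
    static const uint8_t want[16] = { 0xAA, 0xAA, 0xAA, 0x01, 0x02, 0x03, 0, 0,
                                      0, 0, 0xBB, 0xBB, 0xBB, 0xBB, 0, 0 };
    uint8_t img[16] = {0};
    size_t n = 0;
    int rc = rle8_decode(SAMPLE_OK, sizeof SAMPLE_OK, img, 8, 2, &n);
    return rc == RLE_OK && n == 14 && memcmp(img, want, 16) == 0;
}

/* Returns the decoder's verdict on the oversized run (no byte is written). */
int demo_decode_overflow(void)
{
    uint8_t img[4] = {0};
    return rle8_decode(SAMPLE_BAD, sizeof SAMPLE_BAD, img, 4, 1, NULL);
}

int main(void)
{
    struct bmp_hdr small = { 16, 16, 32 }, good = { 8, 2, 16 };
    printf("header 16x16, image_size 32: %s\n", bmp_size_ok(&small) ? "ok" : "rejected");
    printf("header 8x2, image_size 16:   %s\n", bmp_size_ok(&good) ? "ok" : "rejected");
    printf("sample decode:               %s\n", demo_decode_ok() ? "ok" : "FAIL");
    printf("oversized run:               rc=%d\n", demo_decode_overflow());
    return 0;
}
```

The two checks map onto the two reports in the thread: bmp_size_ok() refuses to trust a declared image_size smaller than the pixel area before any allocation happens, and the `count > image_size - out` test inside rle8_decode() is the run-length bound that the quoted message says DecodeImage() lacks. Note that the subtraction is only safe because `out > image_size` was rejected first; doing the comparison as `out + count > image_size` would reintroduce a wrap-around on small size_t targets.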