Date: Wed, 17 Jun 2015 01:09:26 -0500
From: Fernando Muñoz <>
Subject: Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7


There are two additional invalid read issues inside libwmf. I
submitted both to Debian a while ago; I don't know if they are worth
fixing in a security update. One of them has a patch by me (not
heavily tested though).

invalid read on meta_pen_create player/meta.h (+ patch)

wmf2gd/wmf2eps invalid read


On Wed, Jun 3, 2015 at 6:10 AM, Stefan Cornelius <> wrote:
> On Mon, 1 Jun 2015 03:06:57 -0500
> Fernando Muñoz <> wrote:
>> libwmf is affected by a heap overflow in the function that decodes
>> BMP images.
>> WMF files may contain both vector graphics and bitmap components. With
>> the attached WMF file, the issue can be reproduced; an overflow
>> happens because image_size gets a value of 32, and that space is used to
>> allocate data->image
> There's another issue related to the RLE decoding. DecodeImage() does
> not check that the run-length "count" fits into the total size of the
> image, which can lead to a heap-based buffer overflow. I've not
> assigned a CVE ID to this (mainly because I'm not sure if this
> warrants a new CVE or should be bundled with CVE-2015-0848, so I leave
> that up to the CVE experts on the list).
> We have some possible fixes in our bug [1], but be cautious - these are
> not fully vetted yet. So far, however, they look fine to me.
> [1]
> --
> Stefan Cornelius / Red Hat Product Security
> Come talk to Red Hat Product Security at the Summit!
> Red Hat Summit 2015 -
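The missing bound that Stefan describes (a run-length "count" that is never checked against the remaining image space) is easy to see in isolation. The following is an added example written for this page, not libwmf's DecodeImage() or any patch from the Red Hat bug: it uses a deliberately simplified RLE stream of (count, value) byte pairs terminated by a zero count, a constructed sample stream, and the 32-byte image_size from the original report as the target buffer size. The unchecked decoder is run against a buffer with a guard region appended so the overrun can be measured in memory we own instead of corrupting the heap; the checked decoder rejects the same stream.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTES 64

/* Constructed sample stream (not taken from any real WMF/BMP file): three
 * (count, value) runs totalling 40 pixels, then a zero count as terminator.
 * A 32-byte image buffer, the image_size from the report, cannot hold it. */
static const uint8_t SAMPLE_RLE[] = { 16, 0xAA, 16, 0xBB, 8, 0xCC, 0, 0 };
#define SAMPLE_IMAGE_SIZE 32

/* Unchecked decoder: trusts every run count from the file. Returns the
 * number of bytes it wrote, which may exceed image_size. */
size_t decode_runs_unchecked(const uint8_t *rle, size_t rle_len,
                             uint8_t *out, size_t image_size)
{
    size_t pos = 0;
    (void)image_size;                    /* never consulted: that is the bug */
    for (size_t i = 0; i + 1 < rle_len; i += 2) {
        uint8_t count = rle[i], value = rle[i + 1];
        if (count == 0) break;           /* end-of-data marker */
        memset(out + pos, value, count); /* may write past image_size */
        pos += count;
    }
    return pos;
}

/* Checked decoder: a run must fit into what is left of the image.
 * Returns 0 on success and -1 if a run would overrun the buffer. */
int decode_runs_checked(const uint8_t *rle, size_t rle_len,
                        uint8_t *out, size_t image_size, size_t *written)
{
    size_t pos = 0;
    for (size_t i = 0; i + 1 < rle_len; i += 2) {
        uint8_t count = rle[i], value = rle[i + 1];
        if (count == 0) break;
        if (count > image_size - pos)    /* remaining space, no overflow in the subtraction */
            return -1;
        memset(out + pos, value, count);
        pos += count;
    }
    *written = pos;
    return 0;
}

/* Runs the unchecked decoder on the sample against an image buffer padded
 * with a zeroed guard region. Returns how many guard bytes were overwritten,
 * i.e. how far past data->image the decoder would have written. */
size_t measure_overrun(void)
{
    size_t cap = SAMPLE_IMAGE_SIZE + GUARD_BYTES;
    uint8_t *buf = malloc(cap);
    if (!buf) return 0;
    memset(buf, 0, cap);
    decode_runs_unchecked(SAMPLE_RLE, sizeof SAMPLE_RLE, buf, SAMPLE_IMAGE_SIZE);
    size_t dirty = 0;
    for (size_t i = SAMPLE_IMAGE_SIZE; i < cap; i++)
        if (buf[i] != 0) dirty++;
    free(buf);
    return dirty;
}

/* Runs the checked decoder on the same sample; -1 means it was rejected. */
int checked_result(void)
{
    uint8_t buf[SAMPLE_IMAGE_SIZE];
    size_t written = 0;
    return decode_runs_checked(SAMPLE_RLE, sizeof SAMPLE_RLE, buf,
                               SAMPLE_IMAGE_SIZE, &written);
}

int main(void)
{
    printf("unchecked decoder wrote %zu bytes past a %d-byte image\n",
           measure_overrun(), SAMPLE_IMAGE_SIZE);
    printf("checked decoder returned %d\n", checked_result());
    return 0;
}
```

The comparison is written as `count > image_size - pos` rather than `pos + count > image_size` so that the check itself cannot overflow; `pos` never exceeds `image_size` in the checked path, so the subtraction is always well defined. Whether a fix like this should be bundled with CVE-2015-0848 or get its own ID is the open question in the thread; the code only shows why the check matters.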
