[Secure-testing-team] Bug#526434: CVE-2009-1364 libwmf: embedded gd use-after-free error

Giuseppe Iuculano giuseppe at iuculano.it
Fri May 1 08:18:57 UTC 2009


Package: libwmf
Version: 0.2.8.4-6
Severity: serious
Tags: security patch

Hi,

Red Hat recently patched libwmf.

CVE-2009-1364 is still reserved, but is disclosed in RHSA-2009:0457-1[0].

A pointer use-after-free flaw was found in the GD graphics library embedded
in libwmf. An attacker could create a specially-crafted WMF file that would
cause an application using libwmf to crash or, potentially, execute
arbitrary code as the user running the application when opened by a victim.
(CVE-2009-1364)

Note: This flaw is specific to the GD graphics library embedded in libwmf.
It does not affect the GD graphics library from the "gd" packages, or
applications using it.


Attached is the trivial patch to fix this issue, but libwmf should probably not use
the embedded gd; the system gd should be used instead.




[0]http://rhn.redhat.com/errata/RHSA-2009-0457.html

Cheers,
Giuseppe.
-------------- next part --------------
--- src/extra/gd/gd_clip.c.old	2001-03-28 11:37:29.000000000 +0200
+++ src/extra/gd/gd_clip.c	2009-05-01 10:02:04.000000000 +0200
@@ -70,6 +70,7 @@
 	{	more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
 		if (more == 0) return;
 		im->clip->max += 8;
+		im->clip->list = more;
 	}
 	im->clip->list[im->clip->count] = (*rect);
 	im->clip->count++;
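Review bot: the assignment is the right fix, but the failure branch two lines above it, `if (more == 0) return;`, still drops the rectangle silently: when gdRealloc fails the function returns void, `count` is not advanced, and the caller has no way to tell that the clip list is now one entry short. Consider giving the function a status return (or at least a comment stating that a failed grow is ignored) so callers can treat allocation failure as an error rather than as a successfully added clip. It is also worth grepping src/extra/gd for other gdRealloc calls whose result is kept only in a local, since the sequence visible here (reallocate, bump `max`, never store the new pointer back into `im->clip->list`) is easy to repeat; with this line in place the old code's dangling `list` and the leaked `more` buffer are both addressed, so nothing further is needed in this hunk.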
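To make the advisory's description concrete, here is an added, self-contained C example (not code from libwmf, gd or this report) that reproduces the pre-patch logic of gd_clip.c beside the patched form. The struct layout, the initial capacity of 8, and the `moving_realloc()` helper are assumptions for the demonstration: a realloc that always moves the block (malloc, copy, free) plus a small quarantine of freed addresses, so the write through the stale `im->clip->list` is reported as a use-after-free instead of silently scribbling on freed heap memory. glibc's realloc frequently grows small blocks in place, which is why a bug like this can stay latent in testing and only move the block, and trigger, on a crafted input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the embedded gd types touched by the patch (assumed layout;
   field names follow the hunk, not gd's real headers). */
typedef struct { int x0, y0, x1, y1; } gdClipRectangle;
typedef struct { gdClipRectangle *list; int count; int max; } gdClipSet;
typedef struct { gdClipSet *clip; } gdImage;

/* Quarantine of addresses freed by moving_realloc(): a store through one of
   them is the use-after-free, and we want to report it, not perform it. */
#define QUARANTINE 16
static uintptr_t quarantine[QUARANTINE];
static int qslot;
static gdClipRectangle *leaked;   /* buffer the unpatched path loses track of */

static void quarantine_forget(const void *p) {
    for (int i = 0; i < QUARANTINE; i++)
        if (quarantine[i] == (uintptr_t)p) quarantine[i] = 0;
}
static int is_quarantined(const void *p) {
    for (int i = 0; i < QUARANTINE; i++)
        if (p != NULL && quarantine[i] == (uintptr_t)p) return 1;
    return 0;
}
/* malloc that clears a reused address from the quarantine (avoids false hits). */
static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL) quarantine_forget(p);
    return p;
}
/* realloc that always relocates, like a real allocator may on a grow. */
static void *moving_realloc(void *old, size_t old_size, size_t new_size) {
    void *fresh = tracked_malloc(new_size);
    if (fresh == NULL) return NULL;
    if (old != NULL) {
        memcpy(fresh, old, old_size < new_size ? old_size : new_size);
        free(old);
        quarantine[qslot++ % QUARANTINE] = (uintptr_t)old;
    }
    return fresh;
}

/* Append a rectangle.  fixed == 0 is the pre-patch gd_clip.c logic: the grown
   buffer lives only in the local 'more' and im->clip->list still points at the
   block the reallocation just freed.  fixed == 1 adds the patch's one line.
   Returns 0 on success, -1 on allocation failure, -2 when the store would land
   in freed memory (the CVE-2009-1364 use-after-free). */
static int clip_add(gdImage *im, const gdClipRectangle *rect, int fixed) {
    gdClipSet *c = im->clip;
    if (c->count >= c->max) {
        gdClipRectangle *more = moving_realloc(c->list,
                                  (size_t)c->max * sizeof *more,
                                  (size_t)(c->max + 8) * sizeof *more);
        if (more == NULL) return -1;
        c->max += 8;
        if (fixed) c->list = more;   /* the assignment the patch adds */
        else leaked = more;          /* unpatched: new block is leaked too */
    }
    if (c->list == NULL || is_quarantined(c->list)) return -2;
    c->list[c->count] = *rect;
    c->count++;
    return 0;
}

/* Image whose clip set starts with room for 8 rectangles (assumed). */
static gdImage *image_new(void) {
    gdImage *im = tracked_malloc(sizeof *im);
    gdClipSet *c = tracked_malloc(sizeof *c);
    gdClipRectangle *l = tracked_malloc(8 * sizeof *l);
    if (!im || !c || !l) { free(im); free(c); free(l); return NULL; }
    c->list = l; c->count = 0; c->max = 8; im->clip = c;
    return im;
}
static void image_free(gdImage *im) {
    if (!is_quarantined(im->clip->list)) free(im->clip->list);
    free(leaked); leaked = NULL;
    free(im->clip);
    free(im);
}

/* Add n constructed rectangles with the chosen variant; returns the first
   non-zero status (0 if all succeeded) and the final count via count_out. */
static int fill(int n, int fixed, int *count_out) {
    gdImage *im = image_new();
    if (im == NULL) return -1;
    int rc = 0;
    for (int i = 0; i < n && rc == 0; i++) {
        gdClipRectangle r = { i, i, i + 1, i + 1 };
        rc = clip_add(im, &r, fixed);
    }
    if (count_out) *count_out = im->clip->count;
    image_free(im);
    return rc;
}

int main(void) {
    int n;
    printf("unpatched, 8 rects:  rc=%d\n", fill(8, 0, &n));
    printf("unpatched, 9 rects:  rc=%d (9th store hits freed memory)\n", fill(9, 0, &n));
    printf("patched,  20 rects:  rc=%d count=%d\n", fill(20, 1, &n), n);
    return 0;
}
```

The ninth rectangle is the trigger: it is the first add that forces a grow, and in the unpatched variant the store that follows goes through the pointer the reallocation just freed. A real attacker-controlled WMF only needs to emit more than eight clip rectangles to reach that path, which is why a crash or heap corruption is reachable from file input alone.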

