Bugzilla – Bug 936058
VUL-1: CVE-2015-4695: libwmf: meta_pen_create heap buffer over read
Last modified: 2016-03-10 10:02:25 UTC
CVE-2015-4695 reported to Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205

There is an invalid read inside the meta.h file in several lines. To identify the issue I used ASAN + afl fuzzer. I'm attaching two fuzzed files that generate the invalid read and a patch that seems to be working for me. After applying it, ASAN no longer complains.

$ /home/fmunozs/ramdisk/wmf2svg --wmf-fontdir=/usr/share/fonts/type1/gsfonts bug2.wmf
=================================================================
==19295==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3b03400 at pc 0x8197102 bp 0xbfd3e038 sp 0xbfd3e028
READ of size 4 at 0xb3b03400 thread T0
    #0 0x8197101 in meta_font_create player/meta.h:3291
    #1 0x8197101 in WmfPlayMetaFile /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:1080
    #2 0x81a5ac0 in wmf_scan /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:150
    #3 0x804baa8 in wmf2svg_draw /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:129
    #4 0x804f1c5 in wmf2svg_file /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:439
    #5 0x804ac78 in main /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:458
    #6 0xb6e9a72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #7 0x804b36e (/home/fmunozs/ramdisk/wmf2svg+0x804b36e)

0xb3b03400 is located 0 bytes to the right of 144-byte region [0xb3b03370,0xb3b03400)
allocated by thread T0 here:
    #0 0xb727518c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
    #1 0x80d7558 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482

SUMMARY: AddressSanitizer: heap-buffer-overflow player/meta.h:3291 meta_font_create
Shadow bytes around the buggy address:
  0x36760630: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x36760640: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x36760650: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x36760660: 00 00 00 00 00 02 fa fa fa fa fa fa fa fa 00 00
  0x36760670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36760680:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36760690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367606a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367606b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367606c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x367606d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==19295==ABORTING

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4695
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4695.html
Created attachment 639094 [details] fuzz1.patch patch attached to bug
Created attachment 639095 [details] fuzzed.tar.gz tarball with 2 fuzzed files
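The ASAN report above is a read that lands exactly 0 bytes past the end of a 144-byte heap region, i.e. one element past the last valid slot, in a function that looks up an object by an index taken from the metafile. The following C program is an added example to illustrate that bug class and its mitigation; it is not libwmf's code, not the attached fuzz1.patch, and the gdi_object / player_state names, the 8-byte slot layout and the 18-slot table (chosen so the table is 144 bytes like the region in the report) are assumptions made for this example. It shows the unchecked lookup for contrast and the checked one with the `>=` comparison that rejects an index equal to the table size, plus a rejection of references to slots that were never populated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical GDI object slot. Field names and the 8-byte layout are
 * assumptions for this example, not libwmf's structures; 18 of them make a
 * 144-byte table, the same size as the heap region in the ASAN report. */
typedef struct {
    uint16_t type;    /* 0 marks an empty slot */
    uint16_t flags;
    uint32_t payload; /* stands in for pen/font/brush attributes */
} gdi_object;

typedef struct {
    gdi_object *objects; /* heap array of n_objects slots */
    size_t n_objects;
} player_state;

/* Metafile records carry object indices as little-endian 16-bit words. */
static uint16_t read_u16_le(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked lookup: the index comes straight from the file, so a record whose
 * index equals n_objects reads one slot past the end of the heap region. That
 * is the shape of the report above ("0 bytes to the right of 144-byte region").
 * Shown for contrast only; nothing below calls it. */
const gdi_object *lookup_unchecked(const player_state *P, const unsigned char *rec)
{
    uint16_t idx = read_u16_le(rec);
    return &P->objects[idx];
}

/* Checked lookup: the comparison must be >=, not >, because index n_objects
 * is already one past the last slot. An empty slot is rejected as well, since
 * the record refers to an object that was never created. */
const gdi_object *lookup_checked(const player_state *P, const unsigned char *rec)
{
    uint16_t idx = read_u16_le(rec);
    if (idx >= P->n_objects)
        return NULL;
    if (P->objects[idx].type == 0)
        return NULL;
    return &P->objects[idx];
}

/* Experiment helper: build a table of n_objects slots (payload 100 + slot,
 * with slot empty_slot left unpopulated; pass n_objects for none), run the
 * checked lookup on a constructed record carrying idx, and return the payload,
 * or -1 if the lookup was rejected. */
long checked_lookup_payload(size_t n_objects, uint16_t idx, size_t empty_slot)
{
    player_state P;
    P.n_objects = n_objects;
    P.objects = calloc(n_objects, sizeof(gdi_object));
    if (P.objects == NULL)
        return -2;
    for (size_t i = 0; i < n_objects; i++) {
        if (i == empty_slot)
            continue;
        P.objects[i].type = 1;
        P.objects[i].payload = (uint32_t)(100 + i);
    }
    /* Constructed two-byte record holding only the object index. */
    unsigned char rec[2] = { (unsigned char)(idx & 0xff), (unsigned char)(idx >> 8) };
    const gdi_object *o = lookup_checked(&P, rec);
    long result = o ? (long)o->payload : -1;
    free(P.objects);
    return result;
}

int main(void)
{
    printf("slot 17 of 18: %ld\n", checked_lookup_payload(18, 17, 18)); /* 117 */
    printf("slot 18 of 18: %ld\n", checked_lookup_payload(18, 18, 18)); /* -1: one past the end */
    printf("slot 5, empty:  %ld\n", checked_lookup_payload(18, 5, 5));  /* -1: never created */
    return 0;
}
```

Built with `-fsanitize=address`, the unchecked variant fed index 18 would produce the same "0 bytes to the right" diagnosis as the report; the checked variant turns that input into an ordinary parse error instead of a memory read.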
Seems to be a single-element overread only. Reduce severity.
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-07-14. When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62147
This is an autogenerated message for OBS integration:
This bug (936058) was mentioned in
https://build.opensuse.org/request/show/314481 13.2 / libwmf
https://build.opensuse.org/request/show/314482 13.1 / libwmf
This is an autogenerated message for OBS integration:
This bug (936058) was mentioned in
https://build.opensuse.org/request/show/314670 Factory / libwmf
https://build.opensuse.org/request/show/314672 13.1 / libwmf
https://build.opensuse.org/request/show/314673 13.2 / libwmf
openSUSE-SU-2015:1212-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 933109,936058,936062
CVE References: CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
openSUSE 13.2 (src):    libwmf-0.2.8.4-239.7.1
openSUSE 13.1 (src):    libwmf-0.2.8.4-234.7.1
SUSE-SU-2015:1378-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 831299,933109,936058,936062
CVE References: CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
released
SUSE-SU-2015:1484-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 495842,831299,933109,936058,936062
CVE References: CVE-2009-1364,CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    libwmf-0.2.8.4-242.3
SUSE Linux Enterprise Software Development Kit 12 (src):    libwmf-0.2.8.4-242.3
SUSE Linux Enterprise Desktop 12 (src):    libwmf-0.2.8.4-242.3