Bugzilla – Bug 936062
VUL-1: CVE-2015-4696: libwmf: wmf2gd/wmf2eps use after free
Last modified: 2016-03-10 10:02:45 UTC
CVE-2015-4696 via Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192

When recompiling libwmf-bin with ASAN enabled and running it on one of the examples shipped in the package (cell.wmf), a heap-use-after-free is reported. The same cell.wmf can be used with wmf2svg without any warning.

$ /home/fmunozs/ramdisk/wmf2gd --wmf-fontdir=/usr/share/fonts/type1/gsfonts examples/cell.wmf
=================================================================
==10173==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5208670 at pc 0x805d0bc bp 0xbfc07688 sp 0xbfc07678
READ of size 4 at 0xb5208670 thread T0
    #0 0x805d0bb in gd_translate_ft64 ../../src/ipa/xgd/device.h:241
    #1 0x805d0bb in gd_translate ../../src/ipa/xgd/device.h:230
    #2 0x805d0bb in wmf_gd_region_clip ../../src/ipa/xgd/region.h:112
    #3 0x818ebb0 in meta_dc_restore player/meta.h:2598
    #4 0x818ebb0 in WmfPlayMetaFile /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:1161
    #5 0x81b4bdd in wmf_play /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:323
    #6 0x805097a in wmf2gd_draw /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2gd.c:191
    #7 0x805097a in wmf2gd_file /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2gd.c:410
    #8 0x804abf8 in main /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2gd.c:429
    #9 0xb6f4472d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #10 0x804b2ee (/home/fmunozs/ramdisk/wmf2gd+0x804b2ee)

0xb5208670 is located 0 bytes inside of 8-byte region [0xb5208670,0xb5208678)
freed by thread T0 here:
    #0 0xb731ef06 in __interceptor_free (/usr/lib/i386-linux-gnu/libasan.so.1+0x50f06)
    #1 0x80ea7db in wmf_free /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:582

previously allocated by thread T0 here:
    #0 0xb731f18c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
    #1 0x80e43e8 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482

SUMMARY: AddressSanitizer: heap-use-after-free ../../src/ipa/xgd/device.h:241 gd_translate_ft64
Shadow bytes around the buggy address:
  0x36a41070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a41080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a41090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a410a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a410b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a410c0: fa fa fa fa fa fa fa fa fa fa fd fa fa fa[fd]fa
  0x36a410d0: fa fa 00 04 fa fa fd fa fa fa fd fa fa fa 00 fa
  0x36a410e0: fa fa 06 fa fa fa 00 fa fa fa 00 fa fa fa fd fd
  0x36a410f0: fa fa 00 04 fa fa 00 04 fa fa 00 fa fa fa fd fa
  0x36a41100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a41110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==10173==ABORTING

$ /home/fmunozs/ramdisk/wmf2eps --wmf-fontdir=/usr/share/fonts/type1/gsfonts examples/cell.wmf
%!PS-Adobe-2.0 EPSF-2.0
%%BoundingBox: 0 0 1025 1025
save
gsave
0 1025 translate
1 -1 scale
0.066498 0.066498 translate
1.000847 1.000847 scale
gsave % begin clip
grestore % end clip
gsave % begin clip
[ 0.000000 -0.000000 1024.000000 1024.000000 ] rectclip
gsave % wmf_[eps_]draw_rectangle
newpath
0.000000 -0.000000 moveto
0.000000 1024.000000 lineto
1024.000000 1024.000000 lineto
1024.000000 -0.000000 lineto
closepath
1.000000 1.000000 1.000000 setrgbcolor
fill
grestore
grestore % end clip
gsave % begin clip
[ =================================================================
==32161==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5108654 at pc 0x80588a1 bp 0xbff325e8 sp 0xbff325d8
READ of size 4 at 0xb5108654 thread T0
    #0 0x80588a0 in wmf_eps_region_clip ../../src/ipa/eps/region.h:136
    #1 0x818c810 in meta_dc_restore player/meta.h:2598
    #2 0x818c810 in WmfPlayMetaFile /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:1161
    #3 0x81b283d in wmf_play /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:323
    #4 0x8050023 in wmf2eps_draw /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2eps.c:216
    #5 0x8050023 in wmf2eps_file /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2eps.c:456
    #6 0x804ac70 in main /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2eps.c:475
    #7 0xb6e6e72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #8 0x804b33e (/home/fmunozs/ramdisk/wmf2eps+0x804b33e)

0xb5108654 is located 4 bytes inside of 8-byte region [0xb5108650,0xb5108658)
freed by thread T0 here:
    #0 0xb7248f06 in __interceptor_free (/usr/lib/i386-linux-gnu/libasan.so.1+0x50f06)
    #1 0x80e843b in wmf_free /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:582

previously allocated by thread T0 here:
    #0 0xb724918c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
    #1 0x80e2048 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482

SUMMARY: AddressSanitizer: heap-use-after-free ../../src/ipa/eps/region.h:136 wmf_eps_region_clip
Shadow bytes around the buggy address:
  0x36a21070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a21080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a21090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a210a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a210b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a210c0: fa fa fa fa fa fa fa fa fa fa[fd]fa fa fa fd fa
  0x36a210d0: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa 06 fa
  0x36a210e0: fa fa 00 04 fa fa 00 fa fa fa 00 fa fa fa fd fd
  0x36a210f0: fa fa 00 04 fa fa 00 04 fa fa 00 fa fa fa fd fa
  0x36a21100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a21110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==32161==ABORTING
Created attachment 639106 [details]
libwmf-0.2.8.4-deb784192.patch

patch

Created attachment 639108 [details]
cell.wmf

REPRODUCER: valgrind wmf2eps cell.wmf shows "address is ... bytes inside a block of size ... free'd":

==30768== Address 0x74689b4 is 4 bytes inside a block of size 8 free'd

It should not show these afterwards, or at least fewer of them.
bugbot adjusting priority
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62147
This is an autogenerated message for OBS integration:
This bug (936062) was mentioned in
https://build.opensuse.org/request/show/314481 13.2 / libwmf
https://build.opensuse.org/request/show/314482 13.1 / libwmf

This is an autogenerated message for OBS integration:
This bug (936062) was mentioned in
https://build.opensuse.org/request/show/314670 Factory / libwmf
https://build.opensuse.org/request/show/314672 13.1 / libwmf
https://build.opensuse.org/request/show/314673 13.2 / libwmf
openSUSE-SU-2015:1212-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 933109,936058,936062
CVE References: CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
openSUSE 13.2 (src):    libwmf-0.2.8.4-239.7.1
openSUSE 13.1 (src):    libwmf-0.2.8.4-234.7.1

SUSE-SU-2015:1378-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 831299,933109,936058,936062
CVE References: CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
released
SUSE-SU-2015:1484-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 495842,831299,933109,936058,936062
CVE References: CVE-2009-1364,CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    libwmf-0.2.8.4-242.3
SUSE Linux Enterprise Software Development Kit 12 (src):    libwmf-0.2.8.4-242.3
SUSE Linux Enterprise Desktop 12 (src):    libwmf-0.2.8.4-242.3