Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.

New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

Secunia reports :

infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library.

The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed.

A heap overflow could be triggered by specially crafted WMF (Windows Meta Files) in the libwmf library. This problem could be exploited to execute code, by a remote attacker providing a file with embedded WMF data to an application understanding this (like OpenOffice_org, abiword, gimp).

This issue is tracked by the Mitre CVE ID CVE-2006-3376.

An integer overflow was found in the handling of the MaxRecordSize field in the WMF header parser. By tricking a user into opening a specially crafted WMF image file with an application that uses this library, an attacker could exploit this to execute arbitrary code with the user's privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.

Updated packages have been patched to correct this issue.

It was discovered that an integer overflow in libwmf, the library to read Windows Metafile Format files, can be exploited to execute arbitrary code if a crafted WMF file is parsed.

The remote host is affected by the vulnerability described in GLSA-200608-17 (libwmf: Buffer overflow vulnerability)

    infamous41md discovered that libwmf fails to do proper bounds checking     on the MaxRecordSize variable in the WMF file header. This could lead     to an head-based buffer overflow.
  Impact :

    By enticing a user to open a specially crafted WMF file, a remote     attacker could cause a heap-based buffer overflow and execute arbitrary     code with the permissions of the user running the application that uses     libwmf.
  Workaround :

    There is no known workaround for this issue.

Updated libwmf packages that fix a security flaw are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Libwmf is a library for reading and converting Windows MetaFile vector graphics (WMF). Libwmf is used by packages such as The GIMP and ImageMagick.

An integer overflow flaw was discovered in libwmf. An attacker could create a carefully crafted WMF flaw that could execute arbitrary code if opened by a victim. (CVE-2006-3376).

Users of libwmf should update to these packages which contain a backported security patch to correct this issue.

ID	Name	Product	Family	Severity
109432	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libwmf (SSA:2018-120-01)	Nessus	Slackware Local Security Checks	high
38800	FreeBSD : libwmf -- integer overflow vulnerability (48aab1d0-4252-11de-b67a-0030843d3802)	Nessus	FreeBSD Local Security Checks	high
29515	SuSE 10 Security Update : libwmf (ZYPP Patch Number 1833)	Nessus	SuSE Local Security Checks	high
27912	Ubuntu 5.04 / 5.10 / 6.06 LTS : libwmf vulnerability (USN-333-1)	Nessus	Ubuntu Local Security Checks	high
27336	openSUSE 10 Security Update : libwmf (libwmf-1840)	Nessus	SuSE Local Security Checks	high
23882	Mandrake Linux Security Advisory : libwmf (MDKSA-2006:132)	Nessus	Mandriva Local Security Checks	high
22735	Debian DSA-1194-1 : libwmf - integer overflow	Nessus	Debian Local Security Checks	high
22216	GLSA-200608-17 : libwmf: Buffer overflow vulnerability	Nessus	Gentoo Local Security Checks	high
22070	RHEL 4 : libwmf (RHSA-2006:0597)	Nessus	Red Hat Local Security Checks	high
22066	CentOS 4 : libwmf (CESA-2006:0597)	Nessus	CentOS Local Security Checks	high

Detections

Analytics

CVE-2006-3376

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high