Use-after-free vulnerability in the embedded GD library in libwmf 0.2.8.4 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WMF file.

libwmf was updated to fix five security issues.

These security issues were fixed :

  - CVE-2009-1364: Fixed realloc return value usage     (bsc#495842, bnc#831299)

  - CVE-2015-0848: Heap overflow on libwmf0.2-7 (bsc#933109)

  - CVE-2015-4588: DecodeImage() did not check that the     run-length 'count' fits into the total size of the     image, which could lead to a heap-based buffer overflow     (bsc#933109)

  - CVE-2015-4695: meta_pen_create heap buffer over read     (bsc#936058)

  - CVE-2015-4696: Use after free (bsc#936062)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

libwmf was updated to fix three security issues and one non-security bug.

The following vulnerabilities were fixed :

  - CVE-2015-0848: An attacker that could trick a victim     into opening a specially crafted WMF file with BMP     portions in a libwmf based application could have     executed arbitrary code with the user's privileges.
    (boo#933109)

  - CVE-2015-0848: An attacker that could trick a victim     into opening a specially crafted WMF file in a libwmf     based application could have executed arbitrary code     through incorrect run-length encoding. (boo#933109)

  - CVE-2009-1364: Use-after-free vulnerability in the     embedded GD library in libwmf allowed context-dependent     attackers to cause a denial of service (application     crash) or possibly execute arbitrary code via a crafted     WMF file. (boo#495842, boo#831299)

The following non-security bug was fixed :

  - boo#892356: Make libwmf-tools not depend on libwmf-devel

The remote Oracle Linux 5 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2009-0457 advisory.

    [0.2.8.4-10.2]
    - Resolves: rhbz#497511 CVE-2009-1364 bad realloc

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim. (CVE-2009-1364)

After installing the update, all applications using libwmf must be restarted for the update to take effect.

A specially crafted WMF files could crash libwmf. (CVE-2009-1364)

The remote host is affected by the vulnerability described in GLSA-200907-01 (libwmf: User-assisted execution of arbitrary code)

    The embedded fork of the GD library introduced a 'use-after-free'     vulnerability in a modification which is specific to libwmf.
  Impact :

    A remote attacker could entice a user to open a specially crafted WMF     file, possibly resulting in the execution of arbitrary code with the     privileges of the user running the application, or a Denial of Service.
  Workaround :

    There is no known workaround at this time.

CVE-2009-1364 libwmf: embedded gd use-after-free error

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated libwmf packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

libwmf is a library for reading and converting Windows Metafile Format (WMF) vector graphics. libwmf is used by applications such as GIMP and ImageMagick.

A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim. (CVE-2009-1364)

Note: This flaw is specific to the GD graphics library embedded in libwmf. It does not affect the GD graphics library from the 'gd' packages, or applications using it.

Red Hat would like to thank Tavis Ormandy of the Google Security Team for responsibly reporting this flaw.

All users of libwmf are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libwmf must be restarted for the update to take effect.

Secunia reports :

A vulnerability has been reported in libwmf, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library.

The vulnerability is caused due to a use-after-free error within the embedded GD library, which can be exploited to cause a crash or potentially to execute arbitrary code via a specially crafted WMF file.

Tavis Ormandy discovered that the embedded GD library copy in libwmf, a library to parse windows metafiles (WMF), makes use of a pointer after it was already freed. An attacker using a crafted WMF file can cause a denial of service or possibly the execute arbitrary code via applications using this library.

Use-after-free vulnerability in the embedded GD library in libwmf 0.2.8.4 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WMF file (CVE-2009-1364).

The updated packages have been patched to prevent this.

Update :

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

Tavis Ormandy discovered that libwmf incorrectly used memory after it had been freed when using its embedded GD library. If a user or automated system were tricked into opening a crafted WMF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
85796	SUSE SLED12 Security Update : libwmf (SUSE-SU-2015:1484-1)	Nessus	SuSE Local Security Checks	high
84384	openSUSE Security Update : libwmf (openSUSE-2015-443)	Nessus	SuSE Local Security Checks	high
67851	Oracle Linux 5 : libwmf (ELSA-2009-0457)	Nessus	Oracle Linux Local Security Checks	critical
60578	Scientific Linux Security Update : libwmf on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
51755	SuSE 10 Security Update : libwmf (ZYPP Patch Number 6213)	Nessus	SuSE Local Security Checks	high
41433	SuSE 11 Security Update : libwmf (SAT Patch Number 822)	Nessus	SuSE Local Security Checks	high
40273	openSUSE Security Update : libwmf (libwmf-821)	Nessus	SuSE Local Security Checks	high
40052	openSUSE Security Update : libwmf (libwmf-821)	Nessus	SuSE Local Security Checks	high
39595	GLSA-200907-01 : libwmf: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
38936	Fedora 10 : libwmf-0.2.8.4-18.1.fc10 (2009-5524)	Nessus	Fedora Local Security Checks	high
38934	Fedora 11 : libwmf-0.2.8.4-20.fc11 (2009-5518)	Nessus	Fedora Local Security Checks	high
38933	Fedora 9 : libwmf-0.2.8.4-18.1.fc9 (2009-5517)	Nessus	Fedora Local Security Checks	high
38900	CentOS 4 / 5 : libwmf (CESA-2009:0457)	Nessus	CentOS Local Security Checks	high
38804	FreeBSD : libwmf -- embedded GD library Use-After-Free vulnerability (6a245f31-4254-11de-b67a-0030843d3802)	Nessus	FreeBSD Local Security Checks	high
38788	openSUSE 10 Security Update : libwmf (libwmf-6212)	Nessus	SuSE Local Security Checks	high
38704	Debian DSA-1796-1 : libwmf - pointer use-after-free	Nessus	Debian Local Security Checks	high
38693	Mandriva Linux Security Advisory : libwmf (MDVSA-2009:106-1)	Nessus	Mandriva Local Security Checks	high
38685	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : libwmf vulnerability (USN-769-1)	Nessus	Ubuntu Local Security Checks	high
38659	RHEL 4 / 5 : libwmf (RHSA-2009:0457)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2009-1364

critical

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high