CVE-2015-0848
CVE-2015-4696
CVE-2015-4695
CVE-2015-4588
Thanks Sevan for reporting this. I'm going to start looking at this port this week. I've researched this and sourced some patches out of the CentOS git for CVEs as far back as 2007 that appear to be unfixed. Not having a maintainer in such a long time as well as not having an upstream in a decade+ shows. I plan on taking maintainership and starting to address these issues over the next few days. For reference: https://git.centos.org/tree/rpms!libwmf/80551b12c866fefd9ba6baf1d6effaeaf81bf376/SOURCES
I've got an in progress patch for CAN-2004-0941, CVE-2007-0455, CVE-2007-2756, CVE-2007-3472, CVE-2007-3473, CVE-2007-3477, and CVE-2009-3546 based off the patches from CentOS git. I'm not posting it just yet since I've only validated a build on HEAD so far and I still need further efforts to validate it at runtime before I start moving onto these 2015 CVEs.
Ref for CVE-2004-0941 -- http://www.securityfocus.com/bid/11663
Created attachment 158781 [details]
security/vuxml for multiple libwmf issues

- Document multiple security issues for libwmf

PR: 201513
Security: CVE-2004-0941
Security: CVE-2007-0455
Security: CVE-2007-2756
Security: CVE-2007-3472
Security: CVE-2007-3473
Security: CVE-2007-3477
Security: CVE-2009-3546
Security: CVE-2015-4695
Security: CVE-2015-4696
Security: CVE-2015-0848
Security: CVE-2015-4588
Security: ca139c7f-2a8c-11e5-a4a5-002590263bf5
(In reply to Jason Unovitch from comment #6)

For ports-secteam,

Please review and document the libwmf issues in my vuxml patch. I have applied the fixes from CentOS's git, both Debian Bugs, and the Red Hat bug and have validated build time successfully for all the above mentioned CVEs. I haven't validated run time and am not ready for the patch to be committed yet but let's let our users know as I wrap things up.

== Validation ==

> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libwmf-0.2.8.4_13
libwmf-0.2.8.4_13 is vulnerable:
libwmf -- multiple vulnerabilities
CVE: CVE-2015-4588
CVE: CVE-2015-4696
CVE: CVE-2015-4695
CVE: CVE-2015-0848
CVE: CVE-2009-3546
CVE: CVE-2007-3477
CVE: CVE-2007-3473
CVE: CVE-2007-3472
CVE: CVE-2007-2756
CVE: CVE-2007-0455
CVE: CVE-2004-0941
WWW: https://vuxml.FreeBSD.org/freebsd/ca139c7f-2a8c-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libwmf-0.2.8.4_14
0 problem(s) in the installed packages found.
Created attachment 158782 [details]
security/vuxml for multiple libwmf issues

* Fix discovery date in prior patch... the first unfixed CVE was in 2004 *

- Document multiple security issues for libwmf

PR: 201513
Security: CVE-2004-0941
Security: CVE-2007-0455
Security: CVE-2007-2756
Security: CVE-2007-3472
Security: CVE-2007-3473
Security: CVE-2007-3477
Security: CVE-2009-3546
Security: CVE-2015-4695
Security: CVE-2015-4696
Security: CVE-2015-0848
Security: CVE-2015-4588
Security: ca139c7f-2a8c-11e5-a4a5-002590263bf5
I'll take this
A commit references this bug:

Author: feld
Date: Wed Jul 15 15:50:00 UTC 2015
New revision: 392159
URL: https://svnweb.freebsd.org/changeset/ports/392159

Log:
  - Document multiple security issues for libwmf

  PR: 201513
  Security: CVE-2004-0941
  Security: CVE-2007-0455
  Security: CVE-2007-2756
  Security: CVE-2007-3472
  Security: CVE-2007-3473
  Security: CVE-2007-3477
  Security: CVE-2009-3546
  Security: CVE-2015-4695
  Security: CVE-2015-4696
  Security: CVE-2015-0848
  Security: CVE-2015-4588
  Security: ca139c7f-2a8c-11e5-a4a5-002590263bf5

Changes:
  head/security/vuxml/vuln.xml
Created attachment 158825 [details]
Poudriere testport log from 10.1-RELEASE jail

Also build tested (both graphics/libwmf and graphics/libwmf-nox11) on the following:

8.4-RELEASE-p31 amd64
8.4-RELEASE-p31 i386
9.3-RELEASE-p17 amd64
9.3-RELEASE-p17 i386
10.1-RELEASE-p14 amd64
10.1-RELEASE-p14 i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Created attachment 158826 [details]
graphics/libwmf -- libwmf-0.2.8.4_14.patch

From everything I can see, this is ready for commit. I tested runtime with the help of the example WMF files in the Debian libwmf_0.2.8.4.orig.tar.gz available from https://packages.debian.org/stable/libwmf0.2-7. I validated there were no issues opening WMF files with Gimp and converting the batch of WMF files to a PNG with ImageMagick's convert program.

With the help of the fuzzed file in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205, I can confirm that the Debian patch makes an invalid read of size 4 shown by Valgrind go away after the patch. Same goes for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192 except that was using the example files in the Debian source rather than a fuzzed file.

Since there hasn't been a standalone upstream release in a decade, I've opted to apply the patches as they were sourced via EXTRA_PATCHES rather than applying them and doing a make makepatch. It should be easy to audit and know why each security patch is both now and in the future.

SVN Commit Message:

- Take maintainership from freebsd-ports@
- Resolve backlog of CVEs

PR: 201513
Reported by: Sevan Janiyan
Submitted by: Jason Unovitch (maintainer)
Security: CVE-2004-0941 [1]
Security: CVE-2007-0455 [1]
Security: CVE-2007-2756 [1]
Security: CVE-2007-3472 [1]
Security: CVE-2007-3473 [1]
Security: CVE-2007-3477 [1]
Security: CVE-2009-3546 [1]
Security: CVE-2015-4695 [2]
Security: CVE-2015-4696 [3]
Security: CVE-2015-0848 [4]
Security: CVE-2015-4588 [4]
Security: ca139c7f-2a8c-11e5-a4a5-002590263bf5
Obtained From: CentOS libwmf RPM git [1]
Obtained From: Debian Bug 784205 [2]
Obtained From: Debian Bug 784192 [3]
Obtained From: Red Hat Bug 1227243 [4]
MFH: 2015Q3
This is very thorough, thanks for your work. I'll review your patch.
A commit references this bug:

Author: feld
Date: Thu Jul 16 16:47:26 UTC 2015
New revision: 392301
URL: https://svnweb.freebsd.org/changeset/ports/392301

Log:
  - Assign maintainership
  - Resolve backlog of CVEs

  PR: 201513
  Reported by: Sevan Janiyan
  Submitted by: Jason Unovitch (maintainer)
  Security: CVE-2004-0941 [1]
  Security: CVE-2007-0455 [1]
  Security: CVE-2007-2756 [1]
  Security: CVE-2007-3472 [1]
  Security: CVE-2007-3473 [1]
  Security: CVE-2007-3477 [1]
  Security: CVE-2009-3546 [1]
  Security: CVE-2015-4695 [2]
  Security: CVE-2015-4696 [3]
  Security: CVE-2015-0848 [4]
  Security: CVE-2015-4588 [4]
  Security: ca139c7f-2a8c-11e5-a4a5-002590263bf5
  Obtained From: CentOS libwmf RPM git [1]
  Obtained From: Debian Bug 784205 [2]
  Obtained From: Debian Bug 784192 [3]
  Obtained From: Red Hat Bug 1227243 [4]
  MFH: 2015Q3

Changes:
  head/graphics/libwmf/Makefile
  head/graphics/libwmf/files/patch-CAN-2004-0941
  head/graphics/libwmf/files/patch-CVE-2007-0455
  head/graphics/libwmf/files/patch-CVE-2007-2756
  head/graphics/libwmf/files/patch-CVE-2007-3472
  head/graphics/libwmf/files/patch-CVE-2007-3473
  head/graphics/libwmf/files/patch-CVE-2007-3477
  head/graphics/libwmf/files/patch-CVE-2009-3546
  head/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
  head/graphics/libwmf/files/patch-deb784205-CVE-2015-4695
  head/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848
  head/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588
Committed with minor changes. I spoke with portmgr and the recommendation was not to use EXTRA_PATCHES but to keep them as regular patches with a clean naming convention that identifies the source.
A commit references this bug:

Author: feld
Date: Thu Jul 16 16:50:39 UTC 2015
New revision: 392302
URL: https://svnweb.freebsd.org/changeset/ports/392302

Log:
  MFH: r392301

  - Assign maintainership
  - Resolve backlog of CVEs

  PR: 201513
  Reported by: Sevan Janiyan
  Submitted by: Jason Unovitch (maintainer)
  Security: CVE-2004-0941 [1]
  Security: CVE-2007-0455 [1]
  Security: CVE-2007-2756 [1]
  Security: CVE-2007-3472 [1]
  Security: CVE-2007-3473 [1]
  Security: CVE-2007-3477 [1]
  Security: CVE-2009-3546 [1]
  Security: CVE-2015-4695 [2]
  Security: CVE-2015-4696 [3]
  Security: CVE-2015-0848 [4]
  Security: CVE-2015-4588 [4]
  Security: ca139c7f-2a8c-11e5-a4a5-002590263bf5
  Obtained From: CentOS libwmf RPM git [1]
  Obtained From: Debian Bug 784205 [2]
  Obtained From: Debian Bug 784192 [3]
  Obtained From: Red Hat Bug 1227243 [4]

  Approved by: ports-secteam (with hat)

Changes:
  _U branches/2015Q3/
  branches/2015Q3/graphics/libwmf/Makefile
  branches/2015Q3/graphics/libwmf/files/patch-CAN-2004-0941
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-0455
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-2756
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-3472
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-3473
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-3477
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2009-3546
  branches/2015Q3/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
  branches/2015Q3/graphics/libwmf/files/patch-deb784205-CVE-2015-4695
  branches/2015Q3/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848
  branches/2015Q3/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588
Guys, despite all your tests passing there's a couple of issues. The patches for CVE-2015-0848 & CVE-2015-4588 are conflicting changes. The patch for CVE-2015-4588 has the fix for CVE-2015-0848. You can drop the individual patch for CVE-2015-0848. First part of the patch for CVE-2015-4696 may not apply or is superfluous.
(In reply to Sevan Janiyan from comment #17)

> The patches for CVE-2015-0848 & CVE-2015-4588 are conflicting changes. The patch for CVE-2015-4588 has the fix for CVE-2015-0848. You can drop the individual patch for CVE-2015-0848.

The CVE-2015-4588 patch does not apply without the CVE-2015-0848. I see the -0848 patch adds this (highly abbreviated):

    if (bmp_info...)
        DecodeImage
    else
        WMF_ERROR API

The -4588 modifies the DecodeImage. I am seeing these as complementary patches. Can you clear up what I am missing?

> First part of the patch for CVE-2015-4696 may not apply or is superfluous.

Good catch! The Red Hat and Debian patch are missing line numbers on the very first hunk. Based on the context, the only place that applies looks to be line 2588. I've sent a proposal to the Red Hat Bugzilla as the original libwmf author, Caolan McNamara, works at Red Hat and is the one who authored that patch. I also sent a follow up email to the Debian bug tracker as a heads up.

https://bugzilla.redhat.com/show_bug.cgi?id=1227243
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192

Sevan,
Can you please reopen the PR? Once I can see further confirmation on the incomplete patch on the Red Hat Bugzilla I'd like to apply that and bump PORTREVISION to reflect the complete fix.
Re-opening as requested.
Created attachment 158898 [details]
graphics/libwmf -- libwmf-0.2.8.4_15.patch

Tentative patch pending further confirmation on the Red Hat Bugzilla.

Log:
- Add missing line numbers to the CVE-2015-4696 patch

PR: 201513
Reported by: Sevan Janiyan
Submitted by: Jason Unovitch (maintainer)
Security: CVE-2015-4696
MFH: 2015Q3
(In reply to Jason Unovitch from comment #18)

You're absolutely right, I completely failed at deciphering diffs to diffs at silly-o-clock. I would prioritise readability over preserving the source patches for the sake of auditing, as you're already providing details of where you obtained the patches from (bug ID or commit hash). You are the maintainer though, so it's entirely your call :)
(In reply to Jason Unovitch from comment #20) Are there any more changes we are waiting on confirmation of before we commit this new diff? I'll also have to update the vuxml entry to change which PORTREVISION for the vulnerability.
(In reply to Mark Felder from comment #22) The CVE-2015-0848/4588 was just a mixup. The only issue is the Red Hat CVE-2015-4696 patch was missing line numbers to apply the very first patch hunk. That is the only issue awaiting confirmation and yes we'll have to bump VuXML PORTREVISION to match.
Ok, thanks, I'll wait for your update to confirm we're ready to go forward with applying the updated patch.
Any update?
(In reply to Mark Felder from comment #25) Mark, The Red Hat PR has been silent. I had my initial request with the fixed patch in https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c19 and followed up last Wednesday in https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c20. There were quite a few emails on the CC. I'm surprised to see no updates. If I don't hear anything back by Wednesday I will attempt another follow up.
Taking as this is my port. Still waiting on further upstream feedback.

Just to clarify, the issue for CVE-2015-4696 was a use after free of calling this:

    if (FR->region_clip) FR->region_clip (API,&polyrect);

After this:

    wmf_free (API,polyrect.TL);
    wmf_free (API,polyrect.BR);

Since the Red Hat patch does technically fix this I don't see any security impact any more but I do see this as introducing a new bug in the process of fixing another. I don't know how often "if (FR->region_clip)" is true to know what kind of impact it has but since Red Hat and Debian are using the same code as us we are all impacted together. I am going to continue to make noise until we all get fixed together.
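The free-then-call ordering described in the comment above, as an added example that is not part of this PR or of libwmf: a constructed model of the polyrect/region_clip pattern in which the API keeps a quarantine of freed addresses, so the buggy order is reported by the callback rather than dereferenced, beside the corrected order. The struct and function names (wmfAPI, wmfPolyRectangle, wmf_free, region_clip, setup) mirror the thread but are assumptions, not libwmf's code.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model (not libwmf's code) of what the thread names: a polyrect owning two heap
 * corner arrays, an API with the region_clip callback, and a quarantine of freed addresses. */
typedef struct { double x, y; } wmfD_Coord;
typedef struct { wmfD_Coord *TL; wmfD_Coord *BR; unsigned count; } wmfPolyRectangle;
#define QUARANTINE 8
typedef struct {
    void (*region_clip)(void *api, wmfPolyRectangle *pr);
    uintptr_t freed[QUARANTINE];
    int nfreed, uaf_detected;
} wmfAPI;

static void wmf_free(wmfAPI *api, void *p) {
    if (api->nfreed < QUARANTINE) api->freed[api->nfreed++] = (uintptr_t)p; /* remember it */
    free(p);
}

static int is_freed(const wmfAPI *api, const void *p) {
    for (int i = 0; i < api->nfreed; i++) if (api->freed[i] == (uintptr_t)p) return 1;
    return 0;
}

/* The consumer checks its inputs against the quarantine instead of reading them. */
static void region_clip(void *a, wmfPolyRectangle *pr) {
    wmfAPI *api = a;
    if (is_freed(api, pr->TL) || is_freed(api, pr->BR)) api->uaf_detected = 1;
}

static void setup(wmfAPI *api, wmfPolyRectangle *pr, unsigned n) {
    *api = (wmfAPI){ .region_clip = region_clip };
    pr->TL = calloc(n, sizeof(wmfD_Coord)); pr->BR = calloc(n, sizeof(wmfD_Coord)); pr->count = n;
}

/* Ordering the thread describes after the first CVE-2015-4696 patch: free the corners,
 * then hand the polyrect to region_clip. Returns 1: the callback is given freed memory. */
int clip_after_free(void) {
    wmfAPI api; wmfPolyRectangle pr; setup(&api, &pr, 4);
    wmf_free(&api, pr.TL); wmf_free(&api, pr.BR);
    if (api.region_clip) api.region_clip(&api, &pr);
    return api.uaf_detected;
}

/* Corrected ordering: consume the polyrect first, then release it. Returns 0. */
int clip_then_free(void) {
    wmfAPI api; wmfPolyRectangle pr; setup(&api, &pr, 4);
    if (api.region_clip) api.region_clip(&api, &pr);
    wmf_free(&api, pr.TL); wmf_free(&api, pr.BR);
    return api.uaf_detected;
}
```

The quarantine stands in for what a tool like Valgrind or ASan reports on the real code; in production the fix is the ordering in clip_then_free, not the check.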
Created attachment 160788 [details]
graphics/libwmf -- libwmf-0.2.8.4_15.patch

** Revised original patch with updated email **

No changes were needed otherwise. The change was committed recently by the original libwmf author (http://pkgs.fedoraproject.org/cgit/libwmf.git/commit/?id=c8bc53c17aaf7ff5ca19e9116b9856c80b7b2e5f)

Log:
graphics/libwmf: Fix bug introduced by patch for CVE-2015-4696

- The original CVE-2015-4696 patch from upstream was missing line numbers in the first patch hunk. The security issue was resolved by the restructured code but a new potential bug was introduced in the process.
- While here, update to my FreeBSD.org email

PR: 201513
Reported by: Sevan Janiyan <venture37@geeklan.co.uk>
Obtained From: Fedora libwmf RPM git (commit c8bc53c1)
MFH: 2015Q3
A commit references this bug:

Author: junovitch
Date: Mon Sep 7 11:50:20 UTC 2015
New revision: 396262
URL: https://svnweb.freebsd.org/changeset/ports/396262

Log:
  graphics/libwmf: Fix bug introduced by patch for CVE-2015-4696

  - The original CVE-2015-4696 patch from upstream was missing line numbers in the first patch hunk. The security issue was resolved by the restructured code but a new potential bug was introduced in the process.
  - While here, update to my FreeBSD.org email

  PR: 201513
  Reported by: Sevan Janiyan <venture37@geeklan.co.uk>
  Obtained from: Fedora libwmf RPM git (commit c8bc53c1)
  Approved by: feld (mentor)
  MFH: 2015Q3

Changes:
  head/graphics/libwmf/Makefile
  head/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
A commit references this bug:

Author: junovitch
Date: Mon Sep 7 11:51:47 UTC 2015
New revision: 396263
URL: https://svnweb.freebsd.org/changeset/ports/396263

Log:
  MFH: r396262

  graphics/libwmf: Fix bug introduced by patch for CVE-2015-4696

  - The original CVE-2015-4696 patch from upstream was missing line numbers in the first patch hunk. The security issue was resolved by the restructured code but a new potential bug was introduced in the process.
  - While here, update to my FreeBSD.org email

  PR: 201513
  Reported by: Sevan Janiyan <venture37@geeklan.co.uk>
  Obtained from: Fedora libwmf RPM git (commit c8bc53c1)
  Approved by: ports-secteam (feld), feld (mentor)

Changes:
  _U branches/2015Q3/
  branches/2015Q3/graphics/libwmf/Makefile
  branches/2015Q3/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
Final update committed. Thanks again Sevan!