Two vulnerabilities (at least) are present in the current FreeBSD port graphics/libwmf: [1], [2].

Fix:

The following patch fixes both vulnerabilities in the FreeBSD port:

The following VuXML entries should be evaluated and added:

  <vuln vid="8dba4ad9-39b3-11de-a493-001b77d09812">
    <topic>libwmf -- Denial of Service and possible remote code execution</topic>
    <affects>
      <package>
        <name>libwmf</name>
        <range><lt>0.2.8.4_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>SecurityFocus reports:</p>
        <blockquote cite="http://www.securityfocus.com/bid/34792/discuss">
          <p>The 'libwmf' library is prone to a buffer-overflow vulnerability because the vector graphics linked library improperly allocates memory when parsing WMF image files.</p>
          <p>Successfully exploiting this issue would allow an attacker to corrupt memory and execute arbitrary code in the context of the currently logged-in user.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename></cvename>
      <bid>34792</bid>
      <url>http://secunia.com/advisories/34901/</url>
    </references>
    <dates>
      <discovery>2009-05-05</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln-1.xml ends here ---

How-To-Repeat:

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1364
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
Responsible Changed
From-To: freebsd-ports-bugs->miwi

miwi@ wants his PRs (via the GNATS Auto Assign Tool)
miwi 2009-05-16 19:59:44 UTC

FreeBSD ports repository

Modified files:
  security/vuxml vuln.xml
Log:
- Document libwmf -- Integer Overflow Vulnerability

PR: based on 134246

Revision Changes Path
1.1940 +35 -1 ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
miwi 2009-05-16 20:09:00 UTC

FreeBSD ports repository

Modified files:
  security/vuxml vuln.xml
Log:
- Document libwmf -- embedded GD library Use-After-Free vulnerability

PR: based on 134246

Revision Changes Path
1.1941 +36 -1 ports/security/vuxml/vuln.xml
miwi 2009-05-16 22:33:17 UTC

FreeBSD ports repository

Modified files:
  graphics/libwmf Makefile
Added files:
  graphics/libwmf/files patch-cve-2006-3376 patch-cve-2009-1364
Log:
- Fix two remote code execution

PR: 134246
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Security: http://www.vuxml.org/freebsd/6a245f31-4254-11de-b67a-0030843d3802.html
          http://www.vuxml.org/freebsd/48aab1d0-4252-11de-b67a-0030843d3802.html

Revision Changes Path
1.44 +1 -1 ports/graphics/libwmf/Makefile
1.1 +27 -0 ports/graphics/libwmf/files/patch-cve-2006-3376 (new)
1.1 +10 -0 ports/graphics/libwmf/files/patch-cve-2009-1364 (new)
State Changed
From-To: open->closed

both documented and patches added, thanks for your good job.