Bug 201513 - [security] graphics/libwmf - multiple vulnerabilities
Summary: [security] graphics/libwmf - multiple vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jason Unovitch
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2015-07-13 01:02 UTC by Sevan Janiyan
Modified: 2015-09-07 11:54 UTC (History)
3 users (show)

See Also:


Attachments
security/vuxml for multiple libwmf issues (5.18 KB, patch)
2015-07-15 01:35 UTC, Jason Unovitch
no flags Details | Diff
security/vuxml for multiple libwmf issues (5.22 KB, patch)
2015-07-15 01:43 UTC, Jason Unovitch
junovitch: maintainer-approval? (ports-secteam)
Details | Diff
Poudriere testport log from 10.1-RELEASE jail (109.95 KB, text/x-log)
2015-07-16 02:43 UTC, Jason Unovitch
no flags Details
graphics/libwmf -- libwmf-0.2.8.4_14.patch (17.85 KB, patch)
2015-07-16 02:46 UTC, Jason Unovitch
no flags Details | Diff
graphics/libwmf -- libwmf-0.2.8.4_15.patch (733 bytes, patch)
2015-07-17 02:58 UTC, Jason Unovitch
no flags Details | Diff
graphics/libwmf -- libwmf-0.2.8.4_15.patch (913 bytes, patch)
2015-09-07 02:24 UTC, Jason Unovitch
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2015-07-13 01:02:01 UTC
CVE-2015-0848
CVE-2015-4696
Comment 1 Sevan Janiyan 2015-07-13 01:55:09 UTC
CVE-2015-4695
Comment 2 Sevan Janiyan 2015-07-13 01:58:47 UTC
CVE-2015-4588
Comment 3 Jason Unovitch freebsd_committer 2015-07-13 02:52:12 UTC
Thanks Sevan for reporting this.
I'm going to start looking at this port this week.  I've researched this and sourced some patches out of the CentOS git for CVEs as far back as 2007 that appear to be unfixed.  Not having a maintainer in such a long time as well as not having an upstream in a decade+ shows.  I plan on taking maintainership and starting to address these issues over the next few days.

For reference: https://git.centos.org/tree/rpms!libwmf/80551b12c866fefd9ba6baf1d6effaeaf81bf376/SOURCES
Comment 4 Jason Unovitch freebsd_committer 2015-07-14 03:31:15 UTC
I've got an in progress patch for CAN-2004-0941, CVE-2007-0455, CVE-2007-2756, CVE-2007-3472, CVE-2007-3473, CVE-2007-3477, and CVE-2009-3546 based off the patches from CentOS git.  I'm not posting it just yet since I've only validated a build on HEAD so far and I still need further efforts to validate it at runtime before I start moving onto these 2015 CVEs.
Comment 5 Jason Unovitch freebsd_committer 2015-07-15 00:03:17 UTC
Ref for CVE-2004-0941 -- http://www.securityfocus.com/bid/11663
Comment 6 Jason Unovitch freebsd_committer 2015-07-15 01:35:23 UTC
Created attachment 158781 [details]
security/vuxml for multiple libwmf issues

- Document multiple security issues for libwmf

PR:             201513
Security:       CVE-2004-0941
Security:       CVE-2007-0455
Security:       CVE-2007-2756
Security:       CVE-2007-3472
Security:       CVE-2007-3473
Security:       CVE-2007-3477
Security:       CVE-2009-3546
Security:       CVE-2015-4695
Security:       CVE-2015-4696
Security:       CVE-2015-0848
Security:       CVE-2015-4588
Security:       ca139c7f-2a8c-11e5-a4a5-002590263bf5
Comment 7 Jason Unovitch freebsd_committer 2015-07-15 01:40:36 UTC
(In reply to Jason Unovitch from comment #6)

For ports-secteam,
Please review and document the libwmf issues in my vuxml patch.  I have applied the fixes from CentOS's git, both Debian Bugs, and the Red Hat bug and have validated build time successfully for all the above mentioned CVEs.  I haven't validate run time and am not ready for the patch to be committed yet but let's let our users know as I wrap things up.

== Validation ==

> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libwmf-0.2.8.4_13
libwmf-0.2.8.4_13 is vulnerable:
libwmf -- multiple vulnerabilities
CVE: CVE-2015-4588
CVE: CVE-2015-4696
CVE: CVE-2015-4695
CVE: CVE-2015-0848
CVE: CVE-2009-3546
CVE: CVE-2007-3477
CVE: CVE-2007-3473
CVE: CVE-2007-3472
CVE: CVE-2007-2756
CVE: CVE-2007-0455
CVE: CVE-2004-0941
WWW: https://vuxml.FreeBSD.org/freebsd/ca139c7f-2a8c-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libwmf-0.2.8.4_14
0 problem(s) in the installed packages found.
Comment 8 Jason Unovitch freebsd_committer 2015-07-15 01:43:57 UTC
Created attachment 158782 [details]
security/vuxml for multiple libwmf issues

* Fix discovery date in prior patch... the first unfixed CVE was in 2004 *

- Document multiple security issues for libwmf

PR:             201513
Security:       CVE-2004-0941
Security:       CVE-2007-0455
Security:       CVE-2007-2756
Security:       CVE-2007-3472
Security:       CVE-2007-3473
Security:       CVE-2007-3477
Security:       CVE-2009-3546
Security:       CVE-2015-4695
Security:       CVE-2015-4696
Security:       CVE-2015-0848
Security:       CVE-2015-4588
Security:       ca139c7f-2a8c-11e5-a4a5-002590263bf5
Comment 9 Mark Felder freebsd_committer 2015-07-15 15:48:15 UTC
I'll take this
Comment 10 commit-hook freebsd_committer 2015-07-15 15:50:33 UTC
A commit references this bug:

Author: feld
Date: Wed Jul 15 15:50:00 UTC 2015
New revision: 392159
URL: https://svnweb.freebsd.org/changeset/ports/392159

Log:
  - Document multiple security issues for libwmf

  PR:		201513
  Security:	CVE-2004-0941
  Security:	CVE-2007-0455
  Security:	CVE-2007-2756
  Security:	CVE-2007-3472
  Security:	CVE-2007-3473
  Security:	CVE-2007-3477
  Security:	CVE-2009-3546
  Security:	CVE-2015-4695
  Security:	CVE-2015-4696
  Security:	CVE-2015-0848
  Security:	CVE-2015-4588
  Security:	ca139c7f-2a8c-11e5-a4a5-002590263bf5

Changes:
  head/security/vuxml/vuln.xml
Comment 11 Jason Unovitch freebsd_committer 2015-07-16 02:43:10 UTC
Created attachment 158825 [details]
Poudriere testport log from 10.1-RELEASE jail

Also build tested (both graphics/libwmf and graphics/libwmf-nox11) on the following;
8.4-RELEASE-p31 amd64
8.4-RELEASE-p31 i386
9.3-RELEASE-p17 amd64
9.3-RELEASE-p17 i386
10.1-RELEASE-p14 amd64
10.1-RELEASE-p14 i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Comment 12 Jason Unovitch freebsd_committer 2015-07-16 02:46:53 UTC
Created attachment 158826 [details]
graphics/libwmf -- libwmf-0.2.8.4_14.patch

From everything I can see, this is ready for commit.  I tested runtime with the help of the example WMF files in the Debian libwmf_0.2.8.4.orig.tar.gz available from https://packages.debian.org/stable/libwmf0.2-7.  I validated there were no issues opening WMF files with Gimp and converting the batch of WMF files to a PNG with ImageMagick's convert program.  With the help of the fuzzed file in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205, I can confirm that the Debian patch makes an invalid read of size 4 shown by Valgrind go away after the patch.  Same goes for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192 except that was using the example files in the Debian source rather than a fuzzed file.

Since there hasn't been a standalone upstream release in a decade, I've opted to apply the patches as they were sourced via EXTRA_PATCHES rather then applying them and doing a make makepatch.  It should be easy to audit and know why each security patch is both now and in the future.


SVN Commit Message:

- Take maintainership from freebsd-ports@
- Resolve backlog of CVEs

PR:		201513
Reported by:	Sevan Janiyan
Submitted by:	Jason Unovitch (maintainer)
Security:	CVE-2004-0941 [1]
Security:	CVE-2007-0455 [1]
Security:	CVE-2007-2756 [1]
Security:	CVE-2007-3472 [1]
Security:	CVE-2007-3473 [1]
Security:	CVE-2007-3477 [1]
Security:	CVE-2009-3546 [1]
Security:	CVE-2015-4695 [2]
Security:	CVE-2015-4696 [3]
Security:	CVE-2015-0848 [4]
Security:	CVE-2015-4588 [4]
Security:	ca139c7f-2a8c-11e5-a4a5-002590263bf5
Obtained From:	CentOS libwmf RPM git [1]
Obtained From:	Debian Bug 784205 [2]
Obtained From:	Debian Bug 784192 [3]
Obtained From:	Red Hat Bug 1227243 [4]
MFH:		2015Q3
Comment 13 Mark Felder freebsd_committer 2015-07-16 15:26:31 UTC
This is very thorough, thanks for your work. I'll review your patch.
Comment 14 commit-hook freebsd_committer 2015-07-16 16:47:48 UTC
A commit references this bug:

Author: feld
Date: Thu Jul 16 16:47:26 UTC 2015
New revision: 392301
URL: https://svnweb.freebsd.org/changeset/ports/392301

Log:
  - Assign maintainership
  - Resolve backlog of CVEs

  PR:		201513
  Reported by:	Sevan Janiyan
  Submitted by:	Jason Unovitch (maintainer)
  Security:	CVE-2004-0941 [1]
  Security:	CVE-2007-0455 [1]
  Security:	CVE-2007-2756 [1]
  Security:	CVE-2007-3472 [1]
  Security:	CVE-2007-3473 [1]
  Security:	CVE-2007-3477 [1]
  Security:	CVE-2009-3546 [1]
  Security:	CVE-2015-4695 [2]
  Security:	CVE-2015-4696 [3]
  Security:	CVE-2015-0848 [4]
  Security:	CVE-2015-4588 [4]
  Security:	ca139c7f-2a8c-11e5-a4a5-002590263bf5
  Obtained From:	CentOS libwmf RPM git [1]
  Obtained From:	Debian Bug 784205 [2]
  Obtained From:	Debian Bug 784192 [3]
  Obtained From:	Red Hat Bug 1227243 [4]
  MFH:		2015Q3

Changes:
  head/graphics/libwmf/Makefile
  head/graphics/libwmf/files/patch-CAN-2004-0941
  head/graphics/libwmf/files/patch-CVE-2007-0455
  head/graphics/libwmf/files/patch-CVE-2007-2756
  head/graphics/libwmf/files/patch-CVE-2007-3472
  head/graphics/libwmf/files/patch-CVE-2007-3473
  head/graphics/libwmf/files/patch-CVE-2007-3477
  head/graphics/libwmf/files/patch-CVE-2009-3546
  head/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
  head/graphics/libwmf/files/patch-deb784205-CVE-2015-4695
  head/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848
  head/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588
Comment 15 Mark Felder freebsd_committer 2015-07-16 16:49:24 UTC
Committed with minor changes.

I spoke with portmgr and the recommendation was not to use EXTRA_PATCHES but to keep them as regular patches with a clean naming convention that identifies the source.
Comment 16 commit-hook freebsd_committer 2015-07-16 16:50:50 UTC
A commit references this bug:

Author: feld
Date: Thu Jul 16 16:50:39 UTC 2015
New revision: 392302
URL: https://svnweb.freebsd.org/changeset/ports/392302

Log:
  MFH: r392301

  - Assign maintainership
  - Resolve backlog of CVEs

  PR:		201513
  Reported by:	Sevan Janiyan
  Submitted by:	Jason Unovitch (maintainer)
  Security:	CVE-2004-0941 [1]
  Security:	CVE-2007-0455 [1]
  Security:	CVE-2007-2756 [1]
  Security:	CVE-2007-3472 [1]
  Security:	CVE-2007-3473 [1]
  Security:	CVE-2007-3477 [1]
  Security:	CVE-2009-3546 [1]
  Security:	CVE-2015-4695 [2]
  Security:	CVE-2015-4696 [3]
  Security:	CVE-2015-0848 [4]
  Security:	CVE-2015-4588 [4]
  Security:	ca139c7f-2a8c-11e5-a4a5-002590263bf5
  Obtained From:	CentOS libwmf RPM git [1]
  Obtained From:	Debian Bug 784205 [2]
  Obtained From:	Debian Bug 784192 [3]
  Obtained From:	Red Hat Bug 1227243 [4]
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/graphics/libwmf/Makefile
  branches/2015Q3/graphics/libwmf/files/patch-CAN-2004-0941
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-0455
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-2756
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-3472
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-3473
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2007-3477
  branches/2015Q3/graphics/libwmf/files/patch-CVE-2009-3546
  branches/2015Q3/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
  branches/2015Q3/graphics/libwmf/files/patch-deb784205-CVE-2015-4695
  branches/2015Q3/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848
  branches/2015Q3/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588
Comment 17 Sevan Janiyan 2015-07-17 01:42:21 UTC
Guys, despite all your tests passing there's a couple of issues.
The patches for CVE-2015-0848 & CVE-2015-4588 are conflicting changes. The patch for CVE-2015-4588 has the fix for CVE-2015-0848. You can drop the individual patch for CVE-2015-0848.
First part of the patch for CVE-2015-4696 may not apply or is superfluous.
Comment 18 Jason Unovitch freebsd_committer 2015-07-17 02:39:00 UTC
(In reply to Sevan Janiyan from comment #17)
> The patches for CVE-2015-0848 & CVE-2015-4588 are conflicting changes. The patch for CVE-2015-4588 has the fix for CVE-2015-0848. You can drop the individual patch for CVE-2015-0848.

The CVE-2015-4588 patch does not apply without the CVE-2015-0848.

I see the -0484 patch adds this (highly abbreviated):
if (bmp_info...)
  DecodeImage
else
  WMF_ERROR
  API

The -4588 modifies the DecodeImage.  I am seeing these as complementary patches.  Can you clear up what I am missing?

> First part of the patch for CVE-2015-4696 may not apply or is superfluous.

Good catch!  The Red Hat and Debian patch are missing line numbers on the very first hunk.  Based on the context, the only place that applies looks to be line 2588.  I've sent a proposal to the Red Hat Bugzilla as the original libwmf author, Caolan McNamara, works at Red Hat and is the one who authored that patch.  I also sent a follow up email to the Debian bug tracker as a heads up.

https://bugzilla.redhat.com/show_bug.cgi?id=1227243
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192


Sevan,
Can you please reopen the PR?  Once I can see further confirmation on the incomplete patch on the Red Hat Bugzilla I'd like to apply that and bump PORTREVISION to reflect the complete fix.
Comment 19 Sevan Janiyan 2015-07-17 02:44:19 UTC
Re-openning as requested.
Comment 20 Jason Unovitch freebsd_committer 2015-07-17 02:58:53 UTC
Created attachment 158898 [details]
graphics/libwmf -- libwmf-0.2.8.4_15.patch

Tentative patch pending further confirmation on the Red Hat Bugzilla.


Log:
- Add missing line numbers to the CVE-2015-4696 patch 

PR:             201513
Reported by:    Sevan Janiyan
Submitted by:   Jason Unovitch (maintainer)
Security:       CVE-2015-4696
MFH:            2015Q3
Comment 21 Sevan Janiyan 2015-07-17 12:39:01 UTC
(In reply to Jason Unovitch from comment #18)
You're absolutely right, I completely failed at deciphering diffs to diffs at silly-o-clock.
I would prioritise readability to the preserving the source patches for the sake of auditing as you're already providing details of where you obtained the patches from (bug ID or commit hash), you are the maintainer though so it's entirely your call :)
Comment 22 Mark Felder freebsd_committer 2015-07-17 16:54:50 UTC
(In reply to Jason Unovitch from comment #20)

Are there any more changes we are waiting on confirmation of before we commit this new diff?

I'll also have to update the vuxml entry to change which PORTREVISION for the vulnerability.
Comment 23 Jason Unovitch freebsd_committer 2015-07-18 12:33:44 UTC
(In reply to Mark Felder from comment #22)
The CVE-2015-0848/4588 was just a mixup.  The only issue is the Red Hat CVE-2015-4696 patch was missing line numbers to apply the very first patch hunk.  That is the only issue awaiting confirmation and yes we'll have to bump VuXML PORTREVISION to match.
Comment 24 Mark Felder freebsd_committer 2015-07-18 23:22:35 UTC
Ok, thanks, I'll wait for your update to confirm we're ready to go forward with applying the updated patch.
Comment 25 Mark Felder freebsd_committer 2015-07-27 14:33:05 UTC
Any update?
Comment 26 Jason Unovitch freebsd_committer 2015-07-28 01:30:09 UTC
(In reply to Mark Felder from comment #25)
Mark,
The Red Hat PR has been silent.  I had my initial request with the fixed patch in https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c19 and followed up last Wednesday in https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c20.

There were quite a few emails on the CC.  I'm surprised to see no updates.  If I don't hear anything back by Wednesday I will attempt another follow up.
Comment 27 Jason Unovitch freebsd_committer 2015-08-10 23:28:08 UTC
Take as this is my port.  Still waiting on further upstream feedback.  Just to clarify the issue for CVE-2015-4696 was a use after free of calling this:

if (FR->region_clip) FR->region_clip (API,&polyrect);

After this:
wmf_free (API,polyrect.TL);
wmf_free (API,polyrect.BR);

Since the Red Hat patch does technically fix this I don't see any security impact any more but I do see this as introducing a new bug to in the process of fixing another.  I don't know how often "if (FR->region_clip)" is true to know what kind of impact it has but since Red Hat and Debian are using the same code as us we all impacted together.  I am going to continue to make noise until we all get fixed together.
Comment 28 Jason Unovitch freebsd_committer 2015-09-07 02:24:33 UTC
Created attachment 160788 [details]
graphics/libwmf -- libwmf-0.2.8.4_15.patch

** Revised original patch with updated email **

No changes were needed otherwise.  The change was committed recently by the original libwmf author (http://pkgs.fedoraproject.org/cgit/libwmf.git/commit/?id=c8bc53c17aaf7ff5ca19e9116b9856c80b7b2e5f)

Log:
graphics/libwmf: Fix bug introduced by patch for CVE-2015-4696

- The original CVE-2015-4696 patch from upstream was missing line numbers
  in the first patch hunk.  The security issue was resolved by the
  restructured code but a new potential bug was introduced in the process.
- While here, update to my FreeBSD.org email

PR:		201513
Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
Obtained From:	Fedora libwmf RPM git (commit c8bc53c1)
MFH:		2015Q3
Comment 29 commit-hook freebsd_committer 2015-09-07 11:50:22 UTC
A commit references this bug:

Author: junovitch
Date: Mon Sep  7 11:50:20 UTC 2015
New revision: 396262
URL: https://svnweb.freebsd.org/changeset/ports/396262

Log:
  graphics/libwmf: Fix bug introduced by patch for CVE-2015-4696

  - The original CVE-2015-4696 patch from upstream was missing line numbers
    in the first patch hunk.  The security issue was resolved by the
    restructured code but a new potential bug was introduced in the process.
  - While here, update to my FreeBSD.org email

  PR:		201513
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Obtained from:	Fedora libwmf RPM git (commit c8bc53c1)
  Approved by:	feld (mentor)
  MFH:		2015Q3

Changes:
  head/graphics/libwmf/Makefile
  head/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
Comment 30 commit-hook freebsd_committer 2015-09-07 11:52:24 UTC
A commit references this bug:

Author: junovitch
Date: Mon Sep  7 11:51:47 UTC 2015
New revision: 396263
URL: https://svnweb.freebsd.org/changeset/ports/396263

Log:
  MFH: r396262

  graphics/libwmf: Fix bug introduced by patch for CVE-2015-4696

  - The original CVE-2015-4696 patch from upstream was missing line numbers
    in the first patch hunk.  The security issue was resolved by the
    restructured code but a new potential bug was introduced in the process.
  - While here, update to my FreeBSD.org email

  PR:		201513
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Obtained from:	Fedora libwmf RPM git (commit c8bc53c1)
  Approved by:	ports-secteam (feld), feld (mentor)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/graphics/libwmf/Makefile
  branches/2015Q3/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
Comment 31 Jason Unovitch freebsd_committer 2015-09-07 11:54:09 UTC
Final update committed. Thanks again Sevan!