oss-sec mailing list archives

Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7

From: Stefan Cornelius <scorneli () redhat com>
Date: Mon, 15 Jun 2015 16:07:39 +0200

On Wed, 3 Jun 2015 13:10:43 +0200
Stefan Cornelius <scorneli () redhat com> wrote:


There's another issue related to the RLE decoding. DecodeImage() does
not check that the run-length "count" fits into the total size of the
image, which can lead to a heap-based buffer overflow. I've not
assigned a CVE ID to this (mainly because I'm not sure if this
warrants a new CVE or should be bundled with CVE-2015-0848, so I leave
that up to the CVE experts on the list).

We have some possible fixes in our bug [1], but be cautious - these
are not fully vetted yet. So far, however, they look fine to me.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1227243


Any update on a possible CVE for this additional issue?

Thanks,
-- 
Stefan Cornelius / Red Hat Product Security

Current thread:

CVE-2015-0848 - Heap overflow on libwmf0.2-7 Fernando Muñoz (Jun 01)
- Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7 Alessandro Ghedini (Jun 01)
- Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7 Stefan Cornelius (Jun 03)
  - Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7 Stefan Cornelius (Jun 15)
  - Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7 cve-assign (Jun 15)
  - Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7 Fernando Muñoz (Jun 16)
    - Re: CVE-2015-0848 - Heap overflow on libwmf0.2-7 cve-assign (Jun 21)