Package: libwmf Version: 0.2.8.4-2 Severity: important Tags: security patch
Hi! libwmf contains an ancient (2001!) copy of libgd2, which is vulnerable against CVE-2004-0941, CVE-2004-0990 (integer overflows which can be exploited for arbitrary code execution with crafted PNGs) and CVE-2006-2906 (DoS with crafted GIFs). I did not verify whether these can be exploited through libwmf, therefore I did not set this to 'grave'. However, this should be fixed just to be on the safe side. Original libgd2 patches: http://people.ubuntu.com/patches/libgd2.CVE-2004-0941_0990.diff http://people.ubuntu.com/patches/libgd2.CVE-2006-2906.diff The best solution would be to build against the system libgd2 and ignore the code copy completely. This avoids code copies (which are *VERY* *VERY* hard to find), and thus such vulnerabilities, at all. Thank you for considering, Martin -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntu.com Debian Developer http://www.debian.org In a world without walls and fences, who needs Windows and Gates?
signature.asc
Description: Digital signature
