FreeBSD : libwmf -- multiple vulnerabilities (ca139c7f-2a8c-11e5-a4a5-002590263bf5)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Mitre reports :

Multiple buffer overflows in the gd graphics library (libgd) 2.0.21
and earlier may allow remote attackers to execute arbitrary code via
malformed image files that trigger the overflows due to improper calls
to the gdMalloc function, a different set of vulnerabilities than
CVE-2004-0990.

Buffer overflow in the gdImageStringFTEx function in gdft.c in GD
Graphics Library 2.0.33 and earlier allows remote attackers to cause a
denial of service (application crash) and possibly execute arbitrary
code via a crafted string with a JIS encoded font.

The gdPngReadData function in libgd 2.0.34 allows user-assisted
attackers to cause a denial of service (CPU consumption) via a crafted
PNG image with truncated data, which causes an infinite loop in the
png_read_info function in libpng.

Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers to
have unspecified attack vectors and impact.

The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash) via unspecified vectors involving a gdImageCreate
failure.

The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial of
service (CPU consumption) via a large (1) start or (2) end angle
degree value.

The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before
5.3.1, and the GD Graphics Library 2.x, does not properly verify a
certain colorsTotal structure member, which might allow remote
attackers to conduct buffer overflow or buffer over-read attacks via a
crafted GD file, a different vulnerability than CVE-2009-3293. NOTE:
some of these details are obtained from third party information.

Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers
to cause a denial of service (crash) or possibly execute arbitrary
code via a crafted BMP image.

meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of
service (out-of-bounds read) via a crafted WMF file.

Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers
to cause a denial of service (crash) via a crafted WMF file to the (1)
wmf2gd or (2) wmf2eps command.

Heap-based buffer overflow in the DecodeImage function in libwmf
0.2.8.4 allows remote attackers to cause a denial of service (crash)
or possibly execute arbitrary code via a crafted 'run-length count' in
an image in a WMF file.

See also :

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201513
http://www.nessus.org/u?22b4cd26

Solution :

Update the affected package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:ND)
Public Exploit Available : false

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now