Vulnerabilities > CVE-2006-3376 - Integer Overflow vulnerability in Wvware Libwmf and WV2

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
wvware
nessus
NVD
Published: 2006-07-06
Updated: 2018-10-18

Summary

Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.

Vulnerable Configurations

Part Description Count
Application
Wvware
4

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-132.NASL
    descriptionInteger overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file. Updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id23882
    published2006-12-16
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23882
    titleMandrake Linux Security Advisory : libwmf (MDKSA-2006:132)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1194.NASL
    descriptionIt was discovered that an integer overflow in libwmf, the library to read Windows Metafile Format files, can be exploited to execute arbitrary code if a crafted WMF file is parsed.
    last seen2020-06-01
    modified2020-06-02
    plugin id22735
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22735
    titleDebian DSA-1194-1 : libwmf - integer overflow
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200608-17.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200608-17 (libwmf: Buffer overflow vulnerability) infamous41md discovered that libwmf fails to do proper bounds checking on the MaxRecordSize variable in the WMF file header. This could lead to an head-based buffer overflow. Impact : By enticing a user to open a specially crafted WMF file, a remote attacker could cause a heap-based buffer overflow and execute arbitrary code with the permissions of the user running the application that uses libwmf. Workaround : There is no known workaround for this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id22216
    published2006-08-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22216
    titleGLSA-200608-17 : libwmf: Buffer overflow vulnerability
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-804.NASL
    descriptionCVE-2006-3376 integer overflow Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24145
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24145
    titleFedora Core 4 : libwmf-0.2.8.3-8.1 (2006-804)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-831.NASL
    descriptionFix side-effect of CVE-2006-3376 on x86_64 edge case Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24151
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24151
    titleFedora Core 5 : libwmf-0.2.8.4-5.2 (2006-831)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-832.NASL
    descriptionCVE-2006-3376: fix minor side-effect on 64bit platforms Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24152
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24152
    titleFedora Core 4 : libwmf-0.2.8.3-8.2 (2006-832)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-120-01.NASL
    descriptionNew libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109432
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109432
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libwmf (SSA:2018-120-01)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_48AAB1D0425211DEB67A0030843D3802.NASL
    descriptionSecunia reports : infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library. The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed.
    last seen2020-06-01
    modified2020-06-02
    plugin id38800
    published2009-05-18
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38800
    titleFreeBSD : libwmf -- integer overflow vulnerability (48aab1d0-4252-11de-b67a-0030843d3802)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0597.NASL
    descriptionUpdated libwmf packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Libwmf is a library for reading and converting Windows MetaFile vector graphics (WMF). Libwmf is used by packages such as The GIMP and ImageMagick. An integer overflow flaw was discovered in libwmf. An attacker could create a carefully crafted WMF flaw that could execute arbitrary code if opened by a victim. (CVE-2006-3376). Users of libwmf should update to these packages which contain a backported security patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id22070
    published2006-07-19
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22070
    titleRHEL 4 : libwmf (RHSA-2006:0597)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_LIBWMF-1840.NASL
    descriptionA heap overflow could be triggered by specially crafted WMF (Windows Meta Files) in the libwmf library. This problem could be exploited to execute code, by a remote attacker providing a file with embedded WMF data to an application understanding this (like OpenOffice_org, abiword, gimp). This issue is tracked by the Mitre CVE ID CVE-2006-3376.
    last seen2020-06-01
    modified2020-06-02
    plugin id27336
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27336
    titleopenSUSE 10 Security Update : libwmf (libwmf-1840)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-333-1.NASL
    descriptionAn integer overflow was found in the handling of the MaxRecordSize field in the WMF header parser. By tricking a user into opening a specially crafted WMF image file with an application that uses this library, an attacker could exploit this to execute arbitrary code with the user
    last seen2020-06-01
    modified2020-06-02
    plugin id27912
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27912
    titleUbuntu 5.04 / 5.10 / 6.06 LTS : libwmf vulnerability (USN-333-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_LIBWMF-1833.NASL
    descriptionA heap overflow could be triggered by specially crafted WMF (Windows Meta Files) in the libwmf library. This problem could be exploited to execute code, by a remote attacker providing a file with embedded WMF data to an application understanding this (like OpenOffice_org, abiword, gimp). This issue is tracked by the Mitre CVE ID CVE-2006-3376.
    last seen2020-06-01
    modified2020-06-02
    plugin id29515
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29515
    titleSuSE 10 Security Update : libwmf (ZYPP Patch Number 1833)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-805.NASL
    descriptionCVE-2006-3376 int overflow Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24146
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24146
    titleFedora Core 5 : libwmf-0.2.8.4-5.1 (2006-805)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0597.NASL
    descriptionUpdated libwmf packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Libwmf is a library for reading and converting Windows MetaFile vector graphics (WMF). Libwmf is used by packages such as The GIMP and ImageMagick. An integer overflow flaw was discovered in libwmf. An attacker could create a carefully crafted WMF flaw that could execute arbitrary code if opened by a victim. (CVE-2006-3376). Users of libwmf should update to these packages which contain a backported security patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id22066
    published2006-07-19
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22066
    titleCentOS 4 : libwmf (CESA-2006:0597)

Oval

accepted2013-04-29T04:04:08.315-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionInteger overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.
familyunix
idoval:org.mitre.oval:def:10262
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleInteger overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.
version26

Redhat

advisories
bugzilla
id198290
titleCVE-2006-3376 libwmf integer overflow
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • commentlibwmf is earlier than 0:0.2.8.3-5.3
          ovaloval:com.redhat.rhsa:tst:20060597001
        • commentlibwmf is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060597002
      • AND
        • commentlibwmf-devel is earlier than 0:0.2.8.3-5.3
          ovaloval:com.redhat.rhsa:tst:20060597003
        • commentlibwmf-devel is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060597004
rhsa
idRHSA-2006:0597
released2006-07-18
severityModerate
titleRHSA-2006:0597: libwmf security update (Moderate)
rpms
  • libwmf-0:0.2.8.3-5.3
  • libwmf-debuginfo-0:0.2.8.3-5.3
  • libwmf-devel-0:0.2.8.3-5.3

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

References