ID CVE-2006-3376
Summary Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.
References
Vulnerable Configurations
  • cpe:2.3:a:wvware:libwmf:0.2.8_.4
    cpe:2.3:a:wvware:libwmf:0.2.8_.4
  • cpe:2.3:a:wvware:wv2:0.2.1
    cpe:2.3:a:wvware:wv2:0.2.1
  • cpe:2.3:a:wvware:wv2:0.2.2
    cpe:2.3:a:wvware:wv2:0.2.2
  • cpe:2.3:a:wvware:wv2:0.2.3
    cpe:2.3:a:wvware:wv2:0.2.3
CVSS
Base: 7.5 (as of 07-07-2006 - 12:46)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1194.NASL
    description It was discovered that an integer overflow in libwmf, the library to read Windows Metafile Format files, can be exploited to execute arbitrary code if a crafted WMF file is parsed.
    last seen 2018-09-02
    modified 2018-07-20
    plugin id 22735
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22735
    title Debian DSA-1194-1 : libwmf - integer overflow
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-120-01.NASL
    description New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-01
    modified 2018-05-01
    plugin id 109432
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109432
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libwmf (SSA:2018-120-01)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200608-17.NASL
    description The remote host is affected by the vulnerability described in GLSA-200608-17 (libwmf: Buffer overflow vulnerability) infamous41md discovered that libwmf fails to do proper bounds checking on the MaxRecordSize variable in the WMF file header. This could lead to an head-based buffer overflow. Impact : By enticing a user to open a specially crafted WMF file, a remote attacker could cause a heap-based buffer overflow and execute arbitrary code with the permissions of the user running the application that uses libwmf. Workaround : There is no known workaround for this issue.
    last seen 2018-09-02
    modified 2018-08-10
    plugin id 22216
    published 2006-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22216
    title GLSA-200608-17 : libwmf: Buffer overflow vulnerability
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-132.NASL
    description Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file. Updated packages have been patched to correct this issue.
    last seen 2018-09-02
    modified 2018-07-19
    plugin id 23882
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23882
    title Mandrake Linux Security Advisory : libwmf (MDKSA-2006:132)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBWMF-1840.NASL
    description A heap overflow could be triggered by specially crafted WMF (Windows Meta Files) in the libwmf library. This problem could be exploited to execute code, by a remote attacker providing a file with embedded WMF data to an application understanding this (like OpenOffice_org, abiword, gimp). This issue is tracked by the Mitre CVE ID CVE-2006-3376.
    last seen 2018-09-01
    modified 2018-07-19
    plugin id 27336
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27336
    title openSUSE 10 Security Update : libwmf (libwmf-1840)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBWMF-1833.NASL
    description A heap overflow could be triggered by specially crafted WMF (Windows Meta Files) in the libwmf library. This problem could be exploited to execute code, by a remote attacker providing a file with embedded WMF data to an application understanding this (like OpenOffice_org, abiword, gimp). This issue is tracked by the Mitre CVE ID CVE-2006-3376.
    last seen 2018-09-02
    modified 2012-05-17
    plugin id 29515
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29515
    title SuSE 10 Security Update : libwmf (ZYPP Patch Number 1833)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0597.NASL
    description Updated libwmf packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Libwmf is a library for reading and converting Windows MetaFile vector graphics (WMF). Libwmf is used by packages such as The GIMP and ImageMagick. An integer overflow flaw was discovered in libwmf. An attacker could create a carefully crafted WMF flaw that could execute arbitrary code if opened by a victim. (CVE-2006-3376). Users of libwmf should update to these packages which contain a backported security patch to correct this issue.
    last seen 2018-11-17
    modified 2018-11-16
    plugin id 22070
    published 2006-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22070
    title RHEL 4 : libwmf (RHSA-2006:0597)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0597.NASL
    description Updated libwmf packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Libwmf is a library for reading and converting Windows MetaFile vector graphics (WMF). Libwmf is used by packages such as The GIMP and ImageMagick. An integer overflow flaw was discovered in libwmf. An attacker could create a carefully crafted WMF flaw that could execute arbitrary code if opened by a victim. (CVE-2006-3376). Users of libwmf should update to these packages which contain a backported security patch to correct this issue.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 22066
    published 2006-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22066
    title CentOS 4 : libwmf (CESA-2006:0597)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_48AAB1D0425211DEB67A0030843D3802.NASL
    description Secunia reports : infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library. The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 38800
    published 2009-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38800
    title FreeBSD : libwmf -- integer overflow vulnerability (48aab1d0-4252-11de-b67a-0030843d3802)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-333-1.NASL
    description An integer overflow was found in the handling of the MaxRecordSize field in the WMF header parser. By tricking a user into opening a specially crafted WMF image file with an application that uses this library, an attacker could exploit this to execute arbitrary code with the user's privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 27912
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27912
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : libwmf vulnerability (USN-333-1)
oval via4
accepted 2013-04-29T04:04:08.315-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.
family unix
id oval:org.mitre.oval:def:10262
status accepted
submitted 2010-07-09T03:56:16-04:00
title Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.
version 21
redhat via4
advisories
bugzilla
id 198290
title CVE-2006-3376 libwmf integer overflow
oval
AND
comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhsa:tst:20060016001
rhsa
id RHSA-2006:0597
released 2006-07-18
severity Moderate
title RHSA-2006:0597: libwmf security update (Moderate)
refmap via4
bid 18751
bugtraq 20060630 libwmf integer/heap overflow
debian DSA-1194
gentoo GLSA-200608-17
mandriva MDKSA-2006:132
sectrack 1016518
secunia
  • 20921
  • 21064
  • 21261
  • 21419
  • 21459
  • 21473
  • 22311
sreason 1190
suse SUSE-SR:2006:019
ubuntu USN-333-1
vupen ADV-2006-2646
xf libwmf-wmf-bo(27516)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 07-12-2016 - 22:00
Published 06-07-2006 - 16:05
Last modified 18-10-2018 - 12:47
Back to Top