
Hi Marc,
Thank you very much for these indications. The 3 CVEs mention an oob read, an oob write and use of an uninitialized pointer, so I'm going to take a look at the latest libuemf changes to identify what could look like security fixes. If only the oob read is proven, we will need to dispute some of these CVEs.
Now, about your concerns regarding the CVE(s) severity: if the oob read and write really exist, that should be enough to at least crash the executing process, but also probably to get code execution with a bypass of all the mitigations. That's why the CISA report mentions a 7.8 CVSS, which is quite high. But in both cases, user interaction is needed to load a malicious file (a malicious EMF file, I guess, in this case). Since the bugs are not in a privileged process (I guess?), or remotely triggerable, the severity could actually be worse. It doesn't make these bugs very interesting. But an attacker with a working exploit could still convince a victim to load the exploit, and get code execution on the victim's machine.

Now, if only the oob read is verified, the attack scenario is still the same, but the impact would only be a local denial of service by crashing the process, which is indeed not very scary. An attacker could try to search for sensitive information in the process memory (if such exists), but getting the extracted information back out of a local desktop app, without other primitives, is another story. :)
Best,
Thomas
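Added example for the kind of check Thomas says he will be looking for in the libuemf history. This is not code from the thread, from libuemf or from Inkscape: it is a small, bounds-checked walk over EMF records written for this page, and it assumes only the record layout documented in MS-EMF (each record starts with a little-endian 32-bit Type and a 32-bit Size that counts the whole record and is a multiple of 4; the first record is EMR_HEADER, type 1, at least 88 bytes, with the signature 0x464D4520 at offset 40 and the description string located by nDescription/offDescription at offsets 60/64; the last record is EMR_EOF, type 14). The sample input is constructed in the code, not taken from any real file. The names emf_walk, build_sample, walk_sample and sample_records are this example's own.

```c
/* Added example (not libuemf/Inkscape code): bounds-checked walk over EMF records.
 * Assumed layout per MS-EMF: Type(4) Size(4) per record, Size covers the whole
 * record and is 4-aligned; EMR_HEADER = 1 (>= 88 bytes, signature at offset 40,
 * nDescription at 60, offDescription at 64); EMR_EOF = 14 (20 bytes minimum). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EMR_HEADER        1u
#define EMR_EOF           14u
#define EMR_HEADER_MIN    88u
#define ENHMETA_SIGNATURE 0x464D4520u
#define SAMPLE_LEN        108u   /* 88-byte header + 20-byte EOF */

enum emf_status {
    EMF_OK = 0,
    EMF_ERR_TRUNCATED,   /* fewer than 8 bytes left where a record header must start */
    EMF_ERR_BAD_SIZE,    /* Size < 8, not 4-aligned, or reaching past the buffer */
    EMF_ERR_NO_HEADER,   /* first record is not a valid EMR_HEADER */
    EMF_ERR_BAD_OFFSET,  /* description offset/count point outside the header record */
    EMF_ERR_NO_EOF       /* buffer ended without an EMR_EOF record */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Field checks for EMR_HEADER. 'size' was already validated against the buffer, so
 * every read below must still be validated against 'size' before it happens. */
static enum emf_status check_header(const uint8_t *rec, uint32_t size) {
    if (size < EMR_HEADER_MIN) return EMF_ERR_BAD_SIZE;          /* fields at 40..87 would be oob */
    if (rd_le32(rec + 40) != ENHMETA_SIGNATURE) return EMF_ERR_NO_HEADER;
    uint32_t n_desc = rd_le32(rec + 60), off_desc = rd_le32(rec + 64);
    if (n_desc != 0) {
        /* n_desc UTF-16 code units at off_desc, measured from the record start.
         * 64-bit arithmetic so off + 2*n cannot wrap around to a small value. */
        uint64_t end = (uint64_t)off_desc + 2ull * n_desc;
        if (off_desc < EMR_HEADER_MIN || end > size) return EMF_ERR_BAD_OFFSET;
    }
    return EMF_OK;
}

/* Walks every record in buf[0..len). On success stores the record count (if count != NULL). */
enum emf_status emf_walk(const uint8_t *buf, size_t len, size_t *count) {
    size_t off = 0, n = 0;
    while (off < len) {
        if (len - off < 8) return EMF_ERR_TRUNCATED;               /* cannot even read Type/Size */
        uint32_t type = rd_le32(buf + off), size = rd_le32(buf + off + 4);
        /* Compare Size with the bytes remaining, never with off + size, so a huge
         * Size cannot wrap the cursor back inside the buffer. Size 0 is rejected too,
         * otherwise the loop would never advance. */
        if (size < 8 || (size & 3u) != 0 || size > len - off) return EMF_ERR_BAD_SIZE;
        if (n == 0) {
            if (type != EMR_HEADER) return EMF_ERR_NO_HEADER;
            enum emf_status st = check_header(buf + off, size);
            if (st != EMF_OK) return st;
        }
        n++;
        off += size;
        if (type == EMR_EOF) { if (count) *count = n; return EMF_OK; }
    }
    return EMF_ERR_NO_EOF;
}

/* Constructed sample input (not a real file): EMR_HEADER then EMR_EOF. hdr_size,
 * off_desc and n_desc are written verbatim so callers can build malformed variants. */
size_t build_sample(uint8_t out[SAMPLE_LEN], uint32_t hdr_size, uint32_t off_desc, uint32_t n_desc) {
    memset(out, 0, SAMPLE_LEN);
    wr_le32(out + 0, EMR_HEADER);
    wr_le32(out + 4, hdr_size);
    wr_le32(out + 40, ENHMETA_SIGNATURE);
    wr_le32(out + 48, SAMPLE_LEN);        /* Bytes: total size of the metafile */
    wr_le32(out + 52, 2);                 /* Records */
    wr_le32(out + 60, n_desc);
    wr_le32(out + 64, off_desc);
    wr_le32(out + 88, EMR_EOF);
    wr_le32(out + 92, 20);
    wr_le32(out + 104, 20);               /* SizeLast mirrors the EOF record's Size */
    return SAMPLE_LEN;
}

/* Builds a sample with the given header fields and walks only its first 'len' bytes. */
enum emf_status walk_sample(uint32_t hdr_size, uint32_t off_desc, uint32_t n_desc, size_t len, size_t *count) {
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf, hdr_size, off_desc, n_desc);
    return emf_walk(buf, len, count);
}

/* Record count of a walked sample, or 0 when the walk fails. */
size_t sample_records(uint32_t hdr_size, uint32_t off_desc, uint32_t n_desc, size_t len) {
    size_t n = 0;
    return walk_sample(hdr_size, off_desc, n_desc, len, &n) == EMF_OK ? n : 0;
}

int main(void) {
    static const char *names[] = {"OK", "TRUNCATED", "BAD_SIZE", "NO_HEADER", "BAD_OFFSET", "NO_EOF"};
    printf("well-formed:        %s (%zu records)\n", names[walk_sample(88, 0, 0, SAMPLE_LEN, NULL)],
           sample_records(88, 0, 0, SAMPLE_LEN));
    printf("huge Size:          %s\n", names[walk_sample(0xFFFFFFF8u, 0, 0, SAMPLE_LEN, NULL)]);
    printf("zero Size:          %s\n", names[walk_sample(0, 0, 0, SAMPLE_LEN, NULL)]);
    printf("short header:       %s\n", names[walk_sample(84, 0, 0, SAMPLE_LEN, NULL)]);
    printf("desc past record:   %s\n", names[walk_sample(88, 88, 4, SAMPLE_LEN, NULL)]);
    printf("truncated file:     %s\n", names[walk_sample(88, 0, 0, 4, NULL)]);
    printf("no EOF record:      %s\n", names[walk_sample(88, 0, 0, 88, NULL)]);
    return 0;
}
```

The two comparisons worth copying are the ones against what remains (size > len - off, end > size) rather than against an absolute offset: that is what stops a crafted Size or offDescription from carrying the cursor past the mapped file, which is the shape of the oob read the thread is discussing.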
On 5/20/22 00:13, Marc Jeanmougin wrote:
Hi Thomas,
we were informed that a third-party vendor shipping a custom installer for a quite old (0.91, 7 years ago) Inkscape version found an oob read in a parser in libuemf, the library we use to read EMF files. As the report itself mentions that 1.0+ is unaffected, we trusted it on that[1][2], and having no intention of releasing new point releases for versions older than 1.1.x, afaict no action was required from us. If you're looking to backport a "fix" for a very old Inkscape version, the easiest way would probably be to copy the files from a recent libuemf upstream source[3] into the src/libuemf/ (now src/3rdparty/libuemf/) folder, which is a rather standalone part of the codebase.
Bests,