Thank you very much for these indications.
The 3 CVEs mention oob read, write and use of uninitialized pointer, so I'm
going to take a look to the last libuemf changes, to identify what could look
like security fixes. If only the oob read is proven, we will need to dispute
some of these CVEs.
Now about your concerns about the CVE(s) severity, if the oob read and write
really exist, it should be fairly enough to at least crash the executing
process, but also probably get code execution with a bypass of all the
mitigations. That's why the CISA report mentions a 7.8 CVSS, which is quite
high. But in both cases, a user interaction is needed to load a malicious file
(a malicious EMF file I guess in this case). Since the bugs are not in a
privileged process (I guess?), or remotely triggerable, the severity could
actually be worse. It doesn't make these bugs very interesting. But an attacker
with a working exploit could still convince a victim to load the exploit, and
get code execution on the victim's machine.
Now, if only the oob read is verified, the attack scenario is still the same,
but the impact would only be a local deny of service by crashing the process,
which is indeed not very scaring. An attacker could try to search for sensitive
information in the process memory (if such exists), but getting back the
extracted information in a local desktop app, without other primitives, is
another story. :)
On 5/20/22 00:13, Marc Jeanmougin wrote:
we were informed that a third-party vendor shipping a custom installer
for a quite old (0.91 : 7 years ago) Inkscape version, found a oob read
in a parser in libuemf, the library we use to read emf files. The report
itself mentioning that 1.0+ was unaffected, we trusted it with
that, and having no intention of releasing new point releases for
versions older than 1.1.x , afaict no action was required from us. If
you're looking to backport a "fix" for a very old Inkscape version, the
easiest way would probably be to copy the files from a recent libuemf
upstream source, into the src/libuemf/ (now src/3rdparty/libuemf/)
folder which is a rather standalone part of the codebase.
SUSE Software Solutions