Headline
CVE-2020-11863: ECMA-234 Metafile Library / News: Re-Release of libEMF-1.0.12
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 1 of 2).
This is a re-release of libEMF-1.0.12. The NEWS file is updated to include the CVEs resolved in this release:
CVE-2020-11863
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 1 of 2).
VulnerabilityType : Denial of service
Vendor of Product : https://packages.debian.org/source/sid/libemf
Affected Product Code Base : libemf - <=1.0.11
Attack Type : Local
Impact: Denial of Service
Has vendor confirmed or acknowledged the vulnerability? true
CVE-2020-11864
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 2 of 2).
VulnerabilityType : Denial of service
[Vendor of Product] : https://packages.debian.org/source/sid/libemf
Affected Product Code Base : libemf - <=1.0.11
Attack Type : Local
Impact Denial of Service : true
Has vendor confirmed or acknowledged the vulnerability? true
CVE-2020-11865
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bounds memory access
VulnerabilityType : Out of bounds memory access
[Vendor of Product] : https://packages.debian.org/source/sid/libemf
Affected Product Code Base : libemf - <=1.0.11
Attack Type : Local
Impact: Information Disclosure
Has vendor confirmed or acknowledged the vulnerability ? true
CVE-2020-11866
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-after-free
VulnerabilityType: Use after free
Vendor of Product: https://packages.debian.org/source/sid/libemf
Affected Product Code Base : libemf - <=1.0.11
Attack Type : Local
Impact: Code execution
Has vendor confirmed or acknowledged the vulnerability ? true
Original release note:
Another decade, another release of libEMF. This time thanks go to Michael Shigorin for patches for the AARCH64 and E2K architectures. Also, many thanks to Chintan Shah at McAfee for pointing out several bugs in the code when handed malformed EMF files.
There are updates to the source to use a (slightly) more modern style of C++. You will need a C++11 compiler to build it now.
This is going to be the last release which supports the autotools build system. I’ve added preliminary CMake support. But the next go 'round will be all CMake. If you are responible for packaging libEMF for distribution, please send me any CMake settings you’d like to see in the CPack configuration.