Debian bug report logs - #287038
CAN-2004-1297 process_font_table overflows name buffer
Reported by: Joey Hess <joeyh@debian.org>
Date: Thu, 23 Dec 2004 20:33:02 UTC
Severity: grave
Tags: security, woody
Found in version 0.19.3-1
Fixed in version unrtf/0.19.3-1.1
Done: Nathanael Nerode <neroden@twcny.rr.com>
Bug is archived. No further changes may be made.
Forwarded to marcossamaral@terra.com.br, daved@physiol.usyd.edu.au
Report forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>: Bug#287038; Package unrtf.
Acknowledgement sent to Joey Hess <joeyh@debian.org>: New Bug report received and forwarded. Copy sent to Christian Surchi <csurchi@debian.org>.
Message #5 received at submit@bugs.debian.org (full text, mbox):
Package: unrtf
Version: 0.19.3-1
Severity: grave
Tags: security
According to http://tigger.uic.edu/~jlongs2/holes/unrtf.txt:
In convert.c, process_font_table() uses an unprotected
strcat() to copy any number of bytes into a 255-byte name array.
Verified in our package, although the attachment is not present at the
above url. A fix should be as simple as using strncat.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages unrtf depends on:
ii libc6 2.3.2.ds1-19 GNU C Library: Shared libraries an
-- no debconf information
--
see shy jo
Information forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>: Bug#287038; Package unrtf.
Acknowledgement sent to Joey Hess <joeyh@debian.org>: Extra info received and forwarded to list. Copy sent to Christian Surchi <csurchi@debian.org>.
Message #10 received at 287038@bugs.debian.org (full text, mbox):
I've NMUed unrtf with an attempted fix for this security hole. I
actually attach two diffs.
unrtf.patch is how I tried to fix it first. Oddly, with that patch unrtf
will still segfault when converting a file such as the sample exploit
81.rtf (also attached for convenience). Actually, it begins to crash on
almost any input file. Weirder yet, gdb shows that strlen(tmp) is
crashing, though tmp is 0x0. There also seems to be some line
reordering/splitting that may be confusing gdb. Even if it's built -O0.
So I then tried the alternate, more expensive approach in
unrtf-final.patch, which works fine.
I think I've said before that I don't trust unrtf's code much, it seems
to do weird things often when gdb'd. Due to the above, untrust++ ...
--
see shy jo
[unrtf.patch (text/plain, attachment)]
[unrtf-final.patch (text/plain, attachment)]
[81.rtf (application/rtf, attachment)]
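The original report describes an unbounded strcat() into a 255-byte name array and suggests strncat() as the fix, and the NMU message above records that a first bounded-copy patch still crashed. The C program below is an added example, not unrtf's code and not either of the attached patches. It shows the size arithmetic a bounded append needs, in particular that strncat()'s length argument is the space left in the destination minus one byte for the terminator (not the array size), and it places a canary byte directly after the array so that a font-name token longer than the buffer is demonstrably truncated rather than written past the end. FONT_NAME_LEN, the function names and the sample tokens are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not unrtf's code: FONT_NAME_LEN mirrors the 255-byte
 * name array the report mentions; everything else here is constructed. */
#define FONT_NAME_LEN 255

struct font_entry {
    char name[FONT_NAME_LEN];
    unsigned char canary;   /* directly after name[]: any overflow clobbers it */
};

/* Bounded append. The pitfall with strncat() is its third argument: it is
 * the number of bytes that may still be appended, not the destination size.
 * room = size - strlen(dest) - 1 keeps one byte for the terminator.
 * Returns 0 on a full copy, 1 if part had to be truncated, -1 on bad input. */
static int append_font_name_part(char *name, size_t name_size, const char *part)
{
    const char *end;
    size_t used, room;

    if (name == NULL || part == NULL || name_size == 0)
        return -1;
    end = memchr(name, '\0', name_size);    /* locate the current terminator */
    if (end == NULL)
        return -1;                          /* destination not terminated: refuse */
    used = (size_t)(end - name);
    room = name_size - used - 1;
    strncat(name, part, room);              /* strncat always writes the NUL */
    return strlen(part) > room ? 1 : 0;
}

/* Assembles a font name from the tokens of one font-table entry, the way
 * the reported routine builds its name buffer. Returns the number of
 * truncated tokens, or -1 if an append was refused. */
static int build_font_name(struct font_entry *e, const char *const *tokens, size_t ntokens)
{
    int truncated = 0;
    size_t i;

    e->name[0] = '\0';
    e->canary = 0xA5;
    for (i = 0; i < ntokens; i++) {
        int r = append_font_name_part(e->name, sizeof e->name, tokens[i]);
        if (r < 0)
            return -1;
        truncated += r;
    }
    return truncated;
}

/* Constructed input: a normal name followed by a token far longer than the
 * array. Returns the truncation count (1), or a negative value if the
 * canary or the terminator was damaged. */
static int demo_overlong_name(void)
{
    static char long_token[400];
    const char *tokens[3];
    struct font_entry e;
    int t;

    memset(long_token, 'A', sizeof long_token - 1);
    long_token[sizeof long_token - 1] = '\0';
    tokens[0] = "Times New Roman";
    tokens[1] = " ";
    tokens[2] = long_token;

    t = build_font_name(&e, tokens, 3);
    if (e.canary != 0xA5)
        return -2;                          /* overflow reached the canary */
    if (strlen(e.name) != FONT_NAME_LEN - 1)
        return -3;                          /* buffer should be exactly full */
    return t;
}

/* Short input passes through unchanged. */
static int demo_short_name(void)
{
    const char *tokens[2] = { "Courier", " New" };
    struct font_entry e;
    int t = build_font_name(&e, tokens, 2);
    if (t != 0 || strcmp(e.name, "Courier New") != 0)
        return -1;
    return t;
}

/* Small buffer to make the arithmetic visible: 8 bytes holding "ab" leave
 * room for 5 more characters plus the terminator. */
static int check_small_buffer(void)
{
    char buf[8] = "ab";
    int r = append_font_name_part(buf, sizeof buf, "cdefghij");
    if (r != 1 || strcmp(buf, "abcdefg") != 0)
        return -1;
    return r;
}

int main(void)
{
    printf("overlong name: %d truncation(s)\n", demo_overlong_name());
    printf("short name: %d truncation(s)\n", demo_short_name());
    printf("small buffer check: %d\n", check_small_buffer());
    return 0;
}
```

The return value of append_font_name_part() matters for a parser: silently truncating a font name is acceptable for a converter, but the caller should know it happened, and a destination that is not NUL-terminated must be refused rather than scanned with strlen() past its end.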
Tags added: fixed. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>: Bug#287038; Package unrtf.
Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>: Extra info received and forwarded to list. Copy sent to Christian Surchi <csurchi@debian.org>.
Message #17 received at 287038@bugs.debian.org (full text, mbox):
reopen 287038
tags 287038 = security, woody
thanks
I just ran a diff on the woody and the Sid version of convert.c as
mentioned in http://tigger.uic.edu/~jlongs2/holes/unrtf.txt
and the relevant routine does not differ. So I assume that unrtf is
vulnerable in woody as well.
If this indeed should not be the case, please add CAN-2004-1297 to
http://www.debian.org/security/nonvulns-woody before closing.
Thanks
Helge
--
Helge Kreutzmann, Dipl.-Phys. Helge.Kreutzmann@itp.uni-hannover.de
gpg signed mail preferred
64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
Help keep free software "libre": http://www.freepatents.org/
Tags set to: security, woody. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org.
Reply sent to Christian Surchi <csurchi@debian.org>: You have marked Bug as forwarded.
Message #29 received at 287038-forwarded@bugs.debian.org (full text, mbox):
------- Forwarded message -------
From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
Reply-To: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 287038@bugs.debian.org
To: 287038@bugs.debian.org
Cc: control@bugs.debian.org, joey@kitenet.net
Subject: Bug#287038: Woody most likely affected as well
Date: Fri, 14 Jan 2005 18:07:16 +0100
Information forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>: Bug#287038; Package unrtf.
Acknowledgement sent to Christian Hammers <ch@debian.org>: Extra info received and forwarded to list. Copy sent to Christian Surchi <csurchi@debian.org>.
Message #34 received at 287038@bugs.debian.org (full text, mbox):
Hello Christian,
You have an open grave/security bug that has had no visible progress
for some weeks now. Are there any open problems where help is needed?
(In fact, you did not even acknowledge Joey Hess' NMU; are you maybe no
longer an active maintainer?)
bye,
-christian-
Bug marked as fixed in version 0.19.3-1.1, send any further explanations to Joey Hess <joeyh@debian.org>. Request was from Nathanael Nerode <neroden@twcny.rr.com> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 06:38:28 GMT)
Last modified: Thu Sep 2 19:28:15 2010