Your message dated Wed, 29 Mar 2017 19:34:00 +0000 with message-id <[email protected]> and subject line Bug#810883: fixed in catdoc 1:0.95-1 has caused the Debian Bug report #810883, regarding catdoc: Invalid memory access and segfaulting to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
810883: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810883
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: catdoc
Version: 0.94.4-1.1
Severity: important
Tags: security

Dear Maintainer,

The attached word document will cause catdoc to crash when executed:

    catdoc x.doc

When running under valgrind we see that an attempt is made to access an invalid pointer:

    ==6875== Invalid read of size 8
    ==6875==    at 0x41B91D: map_subst (substmap.c:151)
    ==6875==    by 0x417E08: convert_char (charsets.c:241)
    ==6875==    by 0x4064E0: copy_out (reader.c:82)
    ==6875==    by 0x40A807: analyze_format (analyze.c:75)
    ==6875==    by 0x40378B: main (catdoc.c:180)
    ==6875==  Address 0xd221cf8 is not stack'd, malloc'd or (recently) free'd

Running under gdb we see this is the area of code in question:

    (gdb) run ~/x.doc
    Starting program: /home/steve/inst/bin/catdoc x.doc

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000041b91d in map_subst (map=0x6ad1a0, uc=uc@entry=-1) at substmap.c:151
    151         char **p=map[(unsigned)uc >>8];
    (gdb) bt
    #0  0x000000000041b91d in map_subst (map=0x6ad1a0, uc=uc@entry=-1) at substmap.c:151
    #1  0x0000000000417e09 in convert_char (uc=-1) at charsets.c:241
    #2  0x00000000004064e1 in copy_out (f=f@entry=0x6aec90, header=header@entry=0x7fffffffe340 "P\317\021\340\241\261\032\341\032") at reader.c:82
    #3  0x000000000040a808 in analyze_format (f=f@entry=0x6aec90) at analyze.c:75
    #4  0x000000000040378c in main (argc=<optimized out>, argv=<optimized out>) at catdoc.c:180

I'm reporting this as "important" because I believe that running catdoc on untrusted input should not result in a segfault. It may be a security-sensitive issue too, although that is not 100% confirmed.
-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages catdoc depends on:
ii  libc6  2.19-18+deb8u1

catdoc recommends no packages.

Versions of packages catdoc suggests:
ii  tk [wish]  8.6.0+8

-- no debconf information
x.doc.gz
Description: application/gzip
--- End Message ---
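As an added example (not part of the original report, not catdoc's source and not upstream's fix): the index expression shown at substmap.c:151 applied to the uc=-1 from the backtrace, next to a bounds-checked lookup over a constructed map. The 256-page map layout, the accepted range 0..0xFFFF and the names page_index_unchecked, map_subst_checked, make_sample_map and free_sample_map are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout, not catdoc's source: 256 pages, each NULL or 256 strings. */
#define PAGES 256
#define PAGE_SIZE 256
typedef const char ***substmap_t;

/* Page index as computed by the expression shown at substmap.c:151. */
static unsigned page_index_unchecked(int uc) {
    return (unsigned)uc >> 8;
}

/* Hardened lookup (hypothetical): reject values outside 0..0xFFFF first. */
static const char *map_subst_checked(substmap_t map, int uc) {
    if (map == NULL || uc < 0 || uc > 0xFFFF)
        return NULL;
    const char **page = map[(unsigned)uc >> 8];
    return page ? page[uc & 0xFF] : NULL;
}

/* Constructed sample map with a single entry: U+00A9 -> "(c)". */
static substmap_t make_sample_map(void) {
    substmap_t map = calloc(PAGES, sizeof *map);
    if (map == NULL) return NULL;
    map[0] = calloc(PAGE_SIZE, sizeof **map);
    if (map[0] == NULL) { free(map); return NULL; }
    map[0][0xA9] = "(c)";
    return map;
}

static void free_sample_map(substmap_t map) {
    if (map != NULL) { free(map[0]); free(map); }
}

int main(void) {
    substmap_t map = make_sample_map();
    if (map == NULL)
        return 1;
    const int inputs[] = { 0xA9, 0x41, 0x2500, -1, 0x10000 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned idx = page_index_unchecked(inputs[i]);
        const char *s = map_subst_checked(map, inputs[i]);
        printf("uc=%d page=0x%x (%s) -> %s\n", inputs[i], idx,
               idx < PAGES ? "in range" : "out of range", s ? s : "(none)");
    }
    free_sample_map(map);
    return 0;
}
```

With a 32-bit unsigned int, uc=-1 yields page index 0xffffff, far beyond a 256-entry table, which matches the invalid read valgrind reports in map_subst.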
--- Begin Message ---
Source: catdoc
Source-Version: 1:0.95-1

We believe that the bug you reported is fixed in the latest version of catdoc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martín Ferrari <[email protected]> (supplier of updated catdoc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Mar 2017 19:09:42 +0000
Source: catdoc
Binary: catdoc
Architecture: source amd64
Version: 1:0.95-1
Distribution: unstable
Urgency: medium
Maintainer: Martín Ferrari <[email protected]>
Changed-By: Martín Ferrari <[email protected]>
Description:
 catdoc - text extractor for MS-Office files
Closes: 810883 815109 842285
Changes:
 catdoc (1:0.95-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #810883.
   * Drop already applied patches.
   * Add debian/watch file.
   * debian/control: Update Standards-Version with no changes.
   * debian/copyright: Add upstream's contact email. Closes: #842285.
   * debian/control: Improve package description, thanks to Justin B Rye for
     the patch. Closes: #815109.
   * debian/control: Move Homepage to source section.
--- End Message ---

