On 14/01/16 07:51, Steve Kemp wrote:
> On Wed Jan 13, 2016 at 18:08:44 -0300, Martín Ferrari wrote:
>
>>> When running under valgrind we see that an attempt is made to access
>>> an invalid pointer:
>>
>> This is a known issue (#679877), it was fixed when I took over this
>> package, and it has already reached testing.
>
> Having the fixed package reach testing is good for users running
> testing, but not much use to people running stable/jessie as I am.

Fair enough. In any case, I am going to upload to backports as soon as
the version in sid stabilises.

> I think that this is certainly a bug worthy of a DSA, or update
> in the next point-release. Memory corruption via reading a file
> smells like a security issue.

Well, I think a DSA would be too much for a tool like this :) Especially
since there has not been any PoC to show a real security issue. I would
like to lower the severity of this bug, but I would gladly keep it if you
can find a real threat there.

>> with the latest catdoc, and it does not segfault.
>> Can you verify this?
>
> Yes. Latest catdoc doesn't segfault with `x.doc`, but continues
> to segfault with `xx.doc` (attached).

Thanks for the test file. I will debug this and try to come up with a fix.

-- 
Martín Ferrari (Tincho)