[sw-issues] [Issue 46388] OpenOffice DOC document Heap Overflow
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46388

--- Additional comments from [EMAIL PROTECTED] Wed Apr 6 19:50:48 -0700 2005 ---
Next week, can I release this security advisory?

- Please do not reply to this automatically generated notification from Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification
- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
[sw-issues] [Issue 46388] OpenOffice DOC document Heap Overflow
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46388

--- Additional comments from [EMAIL PROTECTED] Mon Apr 4 20:26:07 -0700 2005 ---
I think we should patch this bug faster, for a malicious attacker can send other people a malicious .doc document, and maybe cause arbitrary code execution. Of course, we should alert OOo's users to update their software to defeat malicious attackers.
[sw-issues] [Issue 46388] OpenOffice DOC document Heap Overflow
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46388

--- Additional comments from [EMAIL PROTECTED] Fri Apr 1 20:08:51 -0800 2005 ---
Max, this issue also exists with development builds of 2.0 too; I have tested OOo_1.9.87.
Thanks, airsupply
[sw-issues] [Issue 46388] New - OpenOffice DOC document Heap Overflow
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46388

Issue #:|46388
Summary:|OpenOffice DOC document Heap Overflow
Component:|Word processor
Version:|OOo 1.1.4
Platform:|All
URL:|
OS/Version:|All
Status:|UNCONFIRMED
Status whiteboard:|
Keywords:|
Resolution:|
Issue type:|DEFECT
Priority:|P3
Subcomponent:|code
Assigned to:|mru
Reported by:|airsupply

--- Additional comments from [EMAIL PROTECTED] Thu Mar 31 04:12:49 -0800 2005 ---
OpenOffice DOC document Heap Overflow

[Security Advisory]

Advisory[AD_LAB-05001] OpenOffice DOC document Heap Overflow
Class: Design Error
DATE: 30/3/2005
Vulnerable: =OpenOffice OpenOffice 1.1.4
Unvulnerable: Unknown
Vendor: www.openoffice.org

I.DESCRIPTION:

OpenOffice.org is an office productivity suite, including word processing, spreadsheets, presentations, drawings, data charting, formula editing, and file conversion facilities.

The vulnerability is caused by an error within the .Doc document header processing. This can be exploited to cause a heap-based buffer overflow.

II.DETAILS:

There is a vulnerability in the StgCompObjStream::Load() function. When reading the DOC document's format information, memory is allocated using the length the DOC provides. The DOC provides a 32-bit integer, and the low 16 bits of this number are used to allocate memory, but when reading the doc information, the 32-bit number is still used as the length. This may cause a heap overflow, and when the free happens, it will cause a write pointer and may cause arbitrary code execution.
    BOOL StgCompObjStream::Load()
    {
        memset( aClsId, 0, sizeof( ClsId ) );
        nCbFormat = 0;
        aUserName.Erase();
        if( GetError() != SVSTREAM_OK )
            return FALSE;
        Seek( 8L );
        INT32 nMarker = 0;
        *this >> nMarker;
        if( nMarker == -1L )
        {
            *this >> aClsId;
            INT32 nLen1 = 0;
            *this >> nLen1;   // we can control this 32-bit int
            sal_Char* p = new sal_Char[ (USHORT) nLen1 ];   // uses the low 16 bits to allocate memory
            if( Read( p, nLen1 ) == (ULONG) nLen1 )   // still uses the 32-bit int as length; if it fails,
                                                      // goes to the free step, may cause write pointer
            {
                aUserName = String( p, gsl_getSystemTextEncoding() );
                nCbFormat = ReadClipboardFormat( *this );
            }
            else
                SetError( SVSTREAM_GENERALERROR );
            delete [] p;   // free step; heap overflow causes write pointer
        }
        return BOOL( GetError() == SVSTREAM_OK );
    }

Example: if we provide 0x1018 to nLen1, it will allocate 0x18 length memory; Read( p, nLen1 ) still uses 0x1018 as length. Then the read will fail, but the length read is bigger than the allocated memory, and overwrites the next chunk. When it goes to delete [] p;, the write pointer happens.

We have triggered this problem successfully, and caused arbitrary code execution.

StarOffice may be affected too. Did not test.

III.CREDIT:

AD-LAB discovered this vuln :)
Vulnerability analysis and advisory by A1rsupp1y.
Special thanks to xalan's discussion.
Thanks to Sam, icbm, liangbin and all Venustech AD-Lab guys :P.

V.DISCLAIMS:

The information in this bulletin is provided AS IS without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2005 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD (http://www.venustech.com.cn)
Security Trusted {Solution} Provider Service
[sw-issues] [Issue 46388] OpenOffice DOC document Heap Overflow
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46388

User airsupply changed the following:

What|Old value|New value
Attachment data| |Created an attachment (id=24466) test under linux with OOo.1.1.4 and 1.1.2

--- Additional comments from [EMAIL PROTECTED] Thu Mar 31 04:21:04 -0800 2005 ---
Created an attachment (id=24466)
test under linux with OOo.1.1.4 and 1.1.2
[sw-issues] [Issue 46276] New - OpenOffice DOC document Heap Overflow
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46276

Issue #:|46276
Summary:|OpenOffice DOC document Heap Overflow
Component:|Word processor
Version:|OOo 1.1.4
Platform:|All
URL:|
OS/Version:|All
Status:|UNCONFIRMED
Status whiteboard:|
Keywords:|
Resolution:|
Issue type:|DEFECT
Priority:|P3
Subcomponent:|code
Assigned to:|mru
Reported by:|airsupply

--- Additional comments from [EMAIL PROTECTED] Wed Mar 30 01:40:55 -0800 2005 ---
OpenOffice DOC document Heap Overflow

[Security Advisory]

Advisory[AD_LAB-05001] OpenOffice DOC document Heap Overflow
Class: Design Error
DATE: 30/3/2005
Vulnerable: =OpenOffice OpenOffice 1.1.4
Unvulnerable: Unknown
Vendor: www.openoffice.org

I.DESCRIPTION:

OpenOffice.org is an office productivity suite, including word processing, spreadsheets, presentations, drawings, data charting, formula editing, and file conversion facilities.

The vulnerability is caused by an error within the .Doc document header processing. This can be exploited to cause a heap-based buffer overflow.

II.DETAILS:

There is a vulnerability in the StgCompObjStream::Load() function. When reading the DOC document's format information, memory is allocated using the length the DOC provides. The DOC provides a 32-bit integer, and the low 16 bits of this number are used to allocate memory, but when reading the doc information, the 32-bit number is still used as the length. This may cause a heap overflow, and when the free happens, it will cause a write pointer and may cause arbitrary code execution.
    BOOL StgCompObjStream::Load()
    {
        memset( aClsId, 0, sizeof( ClsId ) );
        nCbFormat = 0;
        aUserName.Erase();
        if( GetError() != SVSTREAM_OK )
            return FALSE;
        Seek( 8L );
        INT32 nMarker = 0;
        *this >> nMarker;
        if( nMarker == -1L )
        {
            *this >> aClsId;
            INT32 nLen1 = 0;
            *this >> nLen1;   // we can control this 32-bit int
            sal_Char* p = new sal_Char[ (USHORT) nLen1 ];   // uses the low 16 bits to allocate memory
            if( Read( p, nLen1 ) == (ULONG) nLen1 )   // still uses the 32-bit int as length; if it fails,
                                                      // goes to the free step, may cause write pointer
            {
                aUserName = String( p, gsl_getSystemTextEncoding() );
                nCbFormat = ReadClipboardFormat( *this );
            }
            else
                SetError( SVSTREAM_GENERALERROR );
            delete [] p;   // free step; heap overflow causes write pointer
        }
        return BOOL( GetError() == SVSTREAM_OK );
    }

Example: if we provide 0x1018 to nLen1, it will allocate 0x18 length memory; Read( p, nLen1 ) still uses 0x1018 as length. Then the read will fail, but the length read is bigger than the allocated memory, and overwrites the next chunk. When it goes to delete [] p;, the write pointer happens.

We have triggered this problem successfully, and caused arbitrary code execution.

StarOffice may be affected too. Did not test.

III.CREDIT:

AD-LAB discovered this vuln :)
Vulnerability analysis and advisory by A1rsupp1y.
Special thanks to xalan's discussion.
Thanks to Sam, icbm, liangbin and all Venustech AD-Lab guys :P.

V.DISCLAIMS:

The information in this bulletin is provided AS IS without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2005 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD (http://www.venustech.com.cn)
Security Trusted {Solution} Provider Service
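The allocation/read size mismatch described in the advisory above, next to a bounds-checked reader, as an added C++ example that is not part of the original report or the OpenOffice.org sources. The names legacy_sizes, legacy_would_overflow, read_user_name and kMaxUserName are hypothetical, the sample length 0x00010018 and the byte buffer are constructed for illustration, and a little-endian length field is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Sizes the advisory's Load() derives from one 32-bit length field.
struct Sizes { std::size_t allocated; std::size_t requested; };

// Mirrors `new sal_Char[(USHORT) nLen1]` followed by `Read(p, nLen1)`.
Sizes legacy_sizes(std::int32_t nLen1) {
    return { static_cast<std::uint16_t>(nLen1), static_cast<std::uint32_t>(nLen1) };
}

// True when the read request is larger than the truncated allocation.
bool legacy_would_overflow(std::int32_t nLen1) {
    Sizes s = legacy_sizes(nLen1);
    return s.requested > s.allocated;
}

// Hypothetical cap for the field; not taken from the OpenOffice.org sources.
const std::uint32_t kMaxUserName = 0xFFFF;

// Hardened variant: one validated length drives both allocation and copy.
// Assumes a little-endian 32-bit length at `pos`, followed by the bytes.
bool read_user_name(const std::vector<std::uint8_t>& stream, std::size_t pos,
                    std::string& out) {
    if (pos > stream.size() || stream.size() - pos < 4) return false;
    std::uint32_t len = 0;
    for (int i = 0; i < 4; ++i)
        len |= static_cast<std::uint32_t>(stream[pos + i]) << (8 * i);
    pos += 4;
    if (len > kMaxUserName) return false;         // also rejects negative INT32 values
    if (len > stream.size() - pos) return false;  // more than the stream holds
    out.assign(reinterpret_cast<const char*>(stream.data()) + pos, len);
    return true;
}

int main() {
    const std::int32_t sample = 0x00010018;  // constructed value, not from the report
    Sizes s = legacy_sizes(sample);
    std::printf("legacy: allocate %zu, read %zu, overflow=%d\n",
                s.allocated, s.requested, legacy_would_overflow(sample));
    std::vector<std::uint8_t> doc = {0x18, 0x00, 0x01, 0x00, 'a', 'b', 'c'};  // constructed
    std::string name;
    std::printf("hardened accepts: %d\n", read_user_name(doc, 0, name));
    return 0;
}
```

Any length above 0xFFFF, or any negative INT32, makes the two legacy sizes disagree; the hardened reader rejects those values before allocating.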
[sw-issues] [Issue 46276] OpenOffice DOC document Heap Overflow
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46276

User airsupply changed the following:

What|Old value|New value
Attachment data| |Created an attachment (id=24401) vul doc for test

--- Additional comments from [EMAIL PROTECTED] Wed Mar 30 01:43:12 -0800 2005 ---
Created an attachment (id=24401)
vul doc for test
[sw-issues] [Issue 46276] OpenOffice DOC document Heap Overflow
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46276

--- Additional comments from [EMAIL PROTECTED] Wed Mar 30 01:47:56 -0800 2005 ---
Affects all stable OpenOffice, maybe current too.
[sw-issues] [Issue 46276] OpenOffice DOC document Heap Overflow importing Word doc
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46276

--- Additional comments from [EMAIL PROTECTED] Wed Mar 30 03:35:20 -0800 2005 ---
Sorry, it's for Linux; I did not test under a Windows system.
[sw-issues] [Issue 46276] OpenOffice DOC document Heap Overflow importing Word doc
To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46276

User airsupply changed the following:

What|Old value|New value
Attachment data| |Created an attachment (id=24407) sorry for my fault, vul.doc is correct, the vul3.doc is the vul doc

--- Additional comments from [EMAIL PROTECTED] Wed Mar 30 03:43:50 -0800 2005 ---
Created an attachment (id=24407)
sorry for my fault, vul.doc is correct, the vul3.doc is the vul doc