Bug#810883: catdoc: Invalid memory access and segfaulting
On 15/01/16 07:10, Steve Kemp wrote:
> Great. I have about twenty more files that crash the version of
> catdoc available to sid. I will wait to see your fix, and once posted
> I'll test the current samples against them, I expect that some of them are
> non-unique.

The new upstream version seems to fix this:

    $ catdoc xx.doc
    Broken OLE file. Try using -b switch
    $ catdoc -b xx.doc | head
    Company Logo Here
    Your Company Name Here
    INVOICE
    Your Street Address Here
    Invoice Number:
    Your City/State/Zip Here

So I will close this bug on upload, as neither sample makes it segfault any more. Please open more bugs if your other test files make it segfault.

-- 
Martín Ferrari (Tincho)
Bug#810883: catdoc: Invalid memory access and segfaulting
On Wed Jan 13, 2016 at 18:08:44 -0300, Martín Ferrari wrote:
>> When running under valgrind we see that an attempt is made to access
>> an invalid pointer:
>
> This is a known issue (#679877), it was fixed when I took over this
> package, and it has already reached testing.

Having the fixed package reach testing is good for users running testing, but not much use to people running stable/jessie as I am.

I think that this is certainly a bug worthy of a DSA, or an update in the next point-release. Memory corruption via reading a file smells like a security issue.

> with the latest catdoc, and it does not segfault.
> Can you verify this?

Yes. Latest catdoc doesn't segfault with `x.doc`, but continues to segfault with `xx.doc` (attached).

Steve
-- 

Attachment: xx.doc.gz
Description: application/gzip
Bug#810883: catdoc: Invalid memory access and segfaulting
On 14/01/16 07:51, Steve Kemp wrote:
> On Wed Jan 13, 2016 at 18:08:44 -0300, Martín Ferrari wrote:
>
>>> When running under valgrind we see that an attempt is made to access
>>> an invalid pointer:
>>
>> This is a known issue (#679877), it was fixed when I took over this
>> package, and it has already reached testing.
>
> Having the fixed package reach testing is good for users running
> testing, but not much use to people running stable/jessie as I am.

Fair enough. In any case, I am going to upload to backports as soon as the version in sid stabilises.

> I think that this is certainly a bug worthy of a DSA, or update
> in the next point-release. Memory corruption via reading a file
> smells like a security issue.

Well, I think a DSA would be too much for a tool like this :) Especially since there has not been any PoC to show a real security issue. I would like to lower the severity of this bug, but I would gladly keep it if you can find a real threat there.

>> with the latest catdoc, and it does not segfault.
>> Can you verify this?
>
> Yes. Latest catdoc doesn't segfault with `x.doc`, but continues
> to segfault with `xx.doc` (attached).

Thanks for the test file. I will debug this and try to come up with a fix.

-- 
Martín Ferrari (Tincho)
Bug#810883: catdoc: Invalid memory access and segfaulting
> Fair enough. In any case, I am going to upload to backports as soon as
> the version in sid stabilises.

Great.

> Well, I think a DSA would be too much for a tool like this :) Specially
> since there has not been any PoC to show a real security issue.

I won't try to force it, but I'd certainly consider it worthy of such a thing, simply because people like me use catdoc in their console mail clients to read arbitrary/untrusted documents they receive. If there is even a hint that memory corruption can lead to code execution, that's a severe problem.

> like to lower the severity of this bug, but I would gladly keep it if
> you can find a real threat there.

I suspect the only way to know for sure is to develop an exploit, and memory-corruption issues are something I've not touched for a while - buffer overflows are much easier to reason about!

> Thanks for the test file. i will debug this and try to come up with a fix.

Great. I have about twenty more files that crash the version of catdoc available to sid. I will wait to see your fix, and once posted I'll test the current samples against them; I expect that some of them are non-unique.

Steve
-- 
Bug#810883: catdoc: Invalid memory access and segfaulting
Package: catdoc
Version: 0.94.4-1.1
Severity: important
Tags: security

Dear Maintainer,

The attached Word document will cause catdoc to crash when executed:

    catdoc x.doc

When running under valgrind we see that an attempt is made to access an invalid pointer:

    ==6875== Invalid read of size 8
    ==6875==    at 0x41B91D: map_subst (substmap.c:151)
    ==6875==    by 0x417E08: convert_char (charsets.c:241)
    ==6875==    by 0x4064E0: copy_out (reader.c:82)
    ==6875==    by 0x40A807: analyze_format (analyze.c:75)
    ==6875==    by 0x40378B: main (catdoc.c:180)
    ==6875==  Address 0xd221cf8 is not stack'd, malloc'd or (recently) free'd

Running under gdb we see this is the area of code in question:

    (gdb) run ~/x.doc
    Starting program: /home/steve/inst/bin/catdoc x.doc

    Program received signal SIGSEGV, Segmentation fault.
    0x0041b91d in map_subst (map=0x6ad1a0, uc=uc@entry=-1) at substmap.c:151
    151         char **p=map[(unsigned)uc >>8];
    (gdb) bt
    #0  0x0041b91d in map_subst (map=0x6ad1a0, uc=uc@entry=-1) at substmap.c:151
    #1  0x00417e09 in convert_char (uc=-1) at charsets.c:241
    #2  0x004064e1 in copy_out (f=f@entry=0x6aec90, header=header@entry=0x7fffe340 "P\317\021\340\241\261\032\341\032") at reader.c:82
    #3  0x0040a808 in analyze_format (f=f@entry=0x6aec90) at analyze.c:75
    #4  0x0040378c in main (argc=, argv=) at catdoc.c:180

I'm reporting this as "important" because I believe that running catdoc on untrusted input should not result in a segfault. It may be a security-sensitive issue too, although that is not 100% confirmed.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages catdoc depends on:
ii  libc6  2.19-18+deb8u1

catdoc recommends no packages.

Versions of packages catdoc suggests:
ii  tk [wish]  8.6.0+8

-- no debconf information

Attachment: x.doc.gz
Description: application/gzip
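The gdb frame above shows `map_subst` being entered with `uc=-1` and indexing `map[(unsigned)uc >> 8]`. The following is an added illustration, not catdoc's code: it reconstructs a hypothetical two-level substitution map (256 pages of 256 entries, an assumption about the layout) to show why a negative `uc` lands far outside the table, and what a bounds-checked lookup looks like.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layout (assumed, not catdoc's actual structure): a substitution
 * map is an array of 256 "pages"; each page is a pointer to 256 replacement
 * strings, selected by the high and low byte of a 16-bit code point. */
#define MAP_PAGES 256
typedef char **substmap_t[MAP_PAGES];

/* Page index exactly as the crashing line computes it:
 *   char **p = map[(unsigned)uc >> 8];
 * For uc == -1 the cast yields 0xFFFFFFFF and the shift gives 0xFFFFFF, far
 * beyond the 256 valid pages; reading there is the invalid read valgrind reported. */
static unsigned unchecked_page_index(int uc) {
    return (unsigned)uc >> 8;
}

/* Hardened lookup: reject anything outside the 16-bit range before indexing,
 * so an EOF/error sentinel such as -1 can never be used as an array index.
 * Returns NULL when the input is out of range or has no substitution. */
static const char *map_subst_checked(substmap_t map, int uc) {
    if (uc < 0 || uc > 0xFFFF)
        return NULL;
    char **page = map[(unsigned)uc >> 8];
    if (page == NULL)
        return NULL;
    return page[uc & 0xFF];
}

/* Constructed sample map with one entry: U+00E9 ("é") -> "e". */
static char *page_00[256];
static substmap_t sample_map;

static void build_sample_map(void) {
    page_00[0xE9] = "e";
    sample_map[0x00] = page_00;
}

int main(void) {
    build_sample_map();
    printf("page index for uc=-1 without a check: 0x%X (map has %d pages)\n",
           unchecked_page_index(-1), MAP_PAGES);
    const char *s = map_subst_checked(sample_map, 0xE9);
    printf("U+00E9 -> %s\n", s ? s : "(none)");
    s = map_subst_checked(sample_map, -1);
    printf("uc=-1  -> %s\n", s ? s : "(none, rejected)");
    return 0;
}
```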
Bug#810883: catdoc: Invalid memory access and segfaulting
Hi Steve,

On 13/01/16 07:24, Steve Kemp wrote:
> The attached word document will cause catdoc to crash when executed:
>
> catdoc x.doc
>
> When running under valgrind we see that an attempt is made to access
> an invalid pointer:

This is a known issue (#679877), it was fixed when I took over this package, and it has already reached testing.

I have tested your file with the latest catdoc, and it does not segfault. Can you verify this?

Thanks.

-- 
Martín Ferrari (Tincho)