Bug#: 155914
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Attachments:

Filename                    Type        Creator                        Created                Size
koffice-ole-filter.patch    patch       Sune Kloppenborg Jeppesen      2006-11-21 22:50 0000  3.38 KB
koffice-libs-1.4.2.ebuild   text/plain  Diego E. 'Flameeyes' Pettenò   2006-11-22 03:36 0000  1.21 KB
koffice-libs-1.6.0.ebuild   text/plain  Diego E. 'Flameeyes' Pettenò   2006-11-22 03:36 0000  1.36 KB
koffice-1.4.2-r7.ebuild     text/plain  Diego E. 'Flameeyes' Pettenò   2006-11-22 03:44 0000  1.76 KB
koffice-1.6.0-r2.ebuild     patch       Diego E. 'Flameeyes' Pettenò   2006-11-22 03:46 0000  2.38 KB
Description:   Opened: 2006-11-21 22:49 0000
Ubuntu reports (edited):

Hello everyone,

While digging into a segv-during-mem-read crash reported to us, I 
discovered that it was possible to overwrite heap memory using a crafted 
PPT file.  The problem is in filters/olefilters/lib/klaola.cc (which 
I think was removed in the 1.5.x koffice tree, and put back in 1.6.x):

void KLaola::readBigBlockDepot() {
    // num_of_bbd_blocks is taken from the file; 0x200*num_of_bbd_blocks can
    // wrap to a small value, so this allocation may be far too small...
    bigBlockDepot=new unsigned char[0x200*num_of_bbd_blocks];
    // ...while the loop still copies num_of_bbd_blocks blocks of 0x200 bytes into it.
    for(unsigned int i=0; i<num_of_bbd_blocks; ++i)
        memcpy(&bigBlockDepot[i*0x200], &m_file.data[(bbd_list[i]+1)*0x200], 0x200);
}

num_of_bbd_blocks comes directly from the file being read and can wrap 
when multiplied, reading file contents into heap memory.  I think it 
could be exploited, but it would be tricky, since you need to not write 
past the end of the heap segment when doing it.  At least on my amd64 
machine this looks to be possible, though glibc notices the problem and 
tries to shut down:

$ kpresenter /tmp/evil.ppt
*** glibc detected *** malloc(): memory corruption: 0x0000000000826e80 ***
Alarm clock

-- 
Kees Cook
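
The wrap described in the report above, as an added example that is not code from KOffice, from the attached patch, or from the reporters: wrapped_alloc_size() reproduces the 0x200*num_of_bbd_blocks expression with its 32-bit wrap, and read_bbd_checked() is a bounds-checked rewrite of the same copy loop that rejects a count whose allocation size would not fit, a count larger than the bbd_list actually read, and any block whose 0x200 bytes lie past the end of the file. Everything beyond the identifiers in the quoted snippet (the function names, the extra bbd_list_len argument, and the constructed sample buffer, which is a 0x200-byte header plus filled blocks, not a real OLE/PPT file) is this example's own assumption.

```c
/*
 * Added example, not code from KOffice, the attached patch, or the bug
 * reporters. Reproduces the 0x200*num_of_bbd_blocks wrap from the quoted
 * KLaola::readBigBlockDepot() and shows a bounds-checked version of the
 * same copy loop. Names not in the quoted snippet (wrapped_alloc_size,
 * read_bbd_checked, bbd_list_len, build_sample_file) are this example's.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK 0x200u   /* OLE big block size used by the quoted code */

/* The allocation size as the vulnerable code computes it. Both operands are
 * 32-bit unsigned, so the product wraps modulo 2^32 on amd64 as on x86:
 * a count of 0x800001 yields an allocation of just 0x200 bytes. */
uint32_t wrapped_alloc_size(uint32_t num_of_bbd_blocks)
{
    return BLOCK * num_of_bbd_blocks;
}

/*
 * Checked rewrite of the copy loop. Block index b names the 0x200 bytes
 * at file offset (b+1)*0x200. Returns 0 with a malloc'd depot in *out, or
 * -1 (and *out == NULL) if the count exceeds the number of bbd_list entries
 * actually read, its 0x200 multiple does not fit in size_t, or any block
 * lies past the end of the file.
 */
int read_bbd_checked(const uint8_t *file, size_t file_len,
                     const uint32_t *bbd_list, size_t bbd_list_len,
                     uint32_t num_of_bbd_blocks,
                     uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;

    if (num_of_bbd_blocks > bbd_list_len)       /* more blocks than list entries */
        return -1;
    if (num_of_bbd_blocks > SIZE_MAX / BLOCK)   /* count * 0x200 would wrap */
        return -1;
    size_t depot_len = (size_t)num_of_bbd_blocks * BLOCK;

    /* Validate every source block before allocating anything; 64-bit
     * arithmetic so a huge index cannot wrap back inside the file. */
    for (uint32_t i = 0; i < num_of_bbd_blocks; i++) {
        uint64_t end = ((uint64_t)bbd_list[i] + 2) * BLOCK;
        if (end > file_len)
            return -1;
    }

    uint8_t *depot = malloc(depot_len ? depot_len : 1);
    if (depot == NULL)
        return -1;
    for (uint32_t i = 0; i < num_of_bbd_blocks; i++)
        memcpy(depot + (size_t)i * BLOCK,
               file + ((size_t)bbd_list[i] + 1) * BLOCK, BLOCK);

    *out = depot;
    *out_len = depot_len;
    return 0;
}

/* Constructed sample buffer (not a real OLE/PPT file): a 0x200-byte header
 * followed by nblocks blocks, block b filled with the byte value b+1. */
uint8_t *build_sample_file(size_t nblocks, size_t *len)
{
    *len = (nblocks + 1) * BLOCK;
    uint8_t *f = calloc(*len, 1);
    if (f == NULL)
        return NULL;
    for (size_t b = 0; b < nblocks; b++)
        memset(f + (b + 1) * BLOCK, (int)(b + 1), BLOCK);
    return f;
}

int main(void)
{
    printf("0x200 * 0x800001 wraps to 0x%x bytes\n", wrapped_alloc_size(0x800001u));

    size_t len;
    uint8_t *file = build_sample_file(3, &len);
    if (file == NULL)
        return 1;
    uint32_t list_ok[] = {0, 2};
    uint32_t list_bad[] = {5};
    uint8_t *depot;
    size_t depot_len;

    int rc = read_bbd_checked(file, len, list_ok, 2, 2, &depot, &depot_len);
    printf("valid list:      rc=%d depot_len=0x%zx bytes %02x..%02x\n",
           rc, depot_len, depot[0], depot[BLOCK]);
    free(depot);
    rc = read_bbd_checked(file, len, list_bad, 1, 1, &depot, &depot_len);
    printf("block past EOF:  rc=%d\n", rc);
    rc = read_bbd_checked(file, len, list_ok, 2, 0x800001u, &depot, &depot_len);
    printf("wrapping count:  rc=%d\n", rc);
    free(file);
    return 0;
}
```

The count is compared against an unsigned int in the quoted loop and the OLE header stores it as a 32-bit field, so the product is evaluated in 32 bits and wraps once the count reaches 0x800000 regardless of the machine's word size; the loop then keeps copying 0x200-byte blocks well past the undersized allocation, which is the heap corruption glibc reports above. Checking the count against the number of bbd_list entries that were actually read, and each block offset against the file length, closes both the undersized allocation and the out-of-file read.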

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-11-21 22:50:54 0000 -------
Created an attachment (id=102512)
koffice-ole-filter.patch

Proposed patch.

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-11-21 22:52:38 0000 -------
If needed there is a PoC.

------- Comment #3 From Diego E. 'Flameeyes' Pettenò 2006-11-22 03:36:11 0000 -------
Created an attachment (id=102525)
koffice-libs-1.4.2.ebuild

------- Comment #4 From Diego E. 'Flameeyes' Pettenò 2006-11-22 03:36:26 0000 -------
Created an attachment (id=102526)
koffice-libs-1.6.0.ebuild

------- Comment #5 From Diego E. 'Flameeyes' Pettenò 2006-11-22 03:44:58 0000 -------
Created an attachment (id=102529)
koffice-1.4.2-r7.ebuild

------- Comment #6 From Diego E. 'Flameeyes' Pettenò 2006-11-22 03:46:00 0000 -------
Created an attachment (id=102530)
koffice-1.6.0-r2.ebuild

------- Comment #7 From Diego E. 'Flameeyes' Pettenò 2006-11-22 03:47:03 0000 -------
For some reason, the patch does not apply over 1.5 versions, I'm not yet sure
why.

------- Comment #8 From Diego E. 'Flameeyes' Pettenò 2006-11-22 03:55:28 0000 -------
It seems the patched files do not exist at all on 1.5 series so should be okay
this way.

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-11-26 23:25:43 0000 -------
Arch security liaisons, please test and report back on this bug.

------- Comment #10 From Diego E. 'Flameeyes' Pettenò 2006-11-29 14:48:15 0000 -------
I think this is not confidential anymore, 1.6.1 got released and Cyrille posted
this on the public koffice-devel:
http://lists.kde.org/?l=koffice-devel&m=116423488211928&w=3

No arch reported anything yet?

------- Comment #11 From Stefan Cornelius (RETIRED) 2006-11-29 17:15:56 0000 -------
jup, this is public - ubuntu issued an advisory.

arches, please test and stable

------- Comment #12 From Sune Kloppenborg Jeppesen 2006-11-29 21:06:50 0000 -------
Arches please test and mark stable. Target keywords are:

koffice-1.4.2-r7.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86"
koffice-1.6.0-r2.ebuild:KEYWORDS="alpha amd64 ~hppa ia64 ppc ppc64 sparc x86"

------- Comment #13 From Gustavo Zacarias (RETIRED) 2006-11-30 10:33:31 0000 -------
Don't mark stable the 1.6 series - talked about it with Flameeyes earlier
today.
Current stable (1.5) isn't affected and according to Diego 1.4 will be gone
soon from the tree so we (archs) shouldn't need to do anything about this bug.
Correct me if i'm wrong of course :)

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-11-30 10:37:11 0000 -------
Thx Gustavox for posting. Corrected target keywords are:

koffice-1.4.2-r7.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86"
koffice-1.6.0-r2.ebuild:KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc
~x86"

So only 1.4.x series need stable marking. Sorry for the confusion.

------- Comment #15 From Markus Rothe 2006-11-30 12:48:19 0000 -------
To make it even more confusing: the revisions of the ebuilds are one version too
low. Committed ebuilds are:

koffice-1.4.2-r8.ebuild and
koffice-1.6.0-r3.ebuild

ppc64 stable BTW

------- Comment #16 From Markus Meier 2006-11-30 12:57:33 0000 -------
app-office/koffice-1.4.2-r7  USE="-arts -debug -doc -javascript -mysql
-postgres -xinerama"
1. emerges on x86
2. fails test suite:
make[4]: Entering directory
`/var/tmp/portage/koffice-1.4.2-r7/work/koffice-1.4.2/lib/store/tests'
i686-pc-linux-gnu-g++ -DHAVE_CONFIG_H -I. -I. -I../../.. -I./..
-I/usr/kde/3.5/include -I/usr/qt/3/include -I.  -I/usr/kde/3.5/include 
-DQT_THREAD_SUPPORT  -D_REENTRANT  -Wno-long-long -Wundef -ansi
-D_XOPEN_SOURCE=500 -D_BSD_SOURCE -Wcast-align -Wconversion -Wchar-subscripts
-Wall -W -Wpointer-arith -DNDEBUG -DNO_DEBUG -O2 -O2 -march=prescott -pipe
-fomit-frame-pointer -Wformat-security -Wmissing-format-attribute
-Wno-non-virtual-dtor -fno-exceptions -fno-check-new -fno-common
-DQT_CLEAN_NAMESPACE -DQT_NO_ASCII_CAST -DQT_NO_STL -DQT_NO_COMPAT
-DQT_NO_TRANSLATION -DHAVE_KNEWSTUFF  -c -o storage_test.o `test -f
'storage_test.cpp' || echo './'`storage_test.cpp
In file included from storage_test.cpp:25:
./../koStore.h:28:28: error: koffice_export.h: No such file or directory
./../koStore.h:40: error: invalid function declaration
--- snip ---
3. passes collision test
4. works

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.18.3 i686)
=================================================================
System uname: 2.6.18.3 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Thu, 30 Nov 2006 15:01:02 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom
cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds
elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm
gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog
java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH
linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly
ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline
reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd
test tetex theora threads truetype truetype-fonts type1-fonts udev unicode
userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis
win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

------- Comment #18 From Tobias Scherbaum 2006-11-30 21:03:57 0000 -------
  01 Dec 2006; Diego Pettenò <flameeyes@gentoo.org>
  -files/post-1.3-koffice-CAN-2005-3193.diff, -files/kexi-1.4.2-gcc41.patch,
  -files/krita-1.4.2-gcc41.patch, -files/kspread-1.4.2-gcc41.patch,
  -files/kexi-1.5.1-form_plugins.patch,
  -files/kexi-1.5.1-kexi_checkbox_data_saving.patch,
  -koffice-1.4.2-r6.ebuild, -koffice-1.4.2-r7.ebuild,
  -koffice-1.4.2-r8.ebuild, -koffice-1.5.1-r1.ebuild, -koffice-1.5.2.ebuild,
  -koffice-1.6.0-r1.ebuild, -koffice-1.6.0-r2.ebuild:
  Cleanup of old versions.

So there's nothing to do for us (architectures), right?

------- Comment #19 From Gustavo Zacarias (RETIRED) 2006-12-01 05:02:05 0000 -------
sparc nothin'!
call us back if there's anything to do later on.

------- Comment #20 From Tobias Scherbaum 2006-12-01 08:40:12 0000 -------
un-cc'ing ppc

------- Comment #21 From Chris Gianelloni (RETIRED) 2006-12-01 11:41:28 0000 -------
Removing alpha/amd64/x86... feel free to add us back if we need to do anything.

------- Comment #22 From Stefan Cornelius (RETIRED) 2006-12-01 12:54:52 0000 -------
looks like the not affected 1.5 branch is stable. ready for glsa

------- Comment #23 From Sune Kloppenborg Jeppesen 2006-12-07 04:30:13 0000 -------
Diego, it appears that the latest stable version for all arches was 1.5.x at
the time of filing the bug, is that correct?

------- Comment #24 From Raphael Marichez 2006-12-10 05:32:22 0000 -------
jaervosz: no, 1.4.2 and 1.4.2-r1 were stable and were only removed on the 1st of
December.

------- Comment #25 From Raphael Marichez 2006-12-10 06:43:43 0000 -------
shellsage just pointed out that those were not the *latest* stable versions.

Indeed 1.5.2 has been in the stable tree for a while now..., but vulnerable
1.4.x versions remained in the stable tree until Dec 1st.

------- Comment #26 From Sune Kloppenborg Jeppesen 2006-12-10 07:48:45 0000 -------
GLSA 200612-05

------- Comment #27 From Raúl Porcel 2007-03-31 11:05:36 0000 -------
ia64 stable
