Bug 108411 - app-office/{koffice,kword}: heap overflow in rtf import filter (CAN-2005-2971)
Bug#: 108411 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: carlo@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-office/{koffice,kword}: heap overflow in rtf import filter (CAN-2005-2971)
Keywords:  
Status Whiteboard: B3 [glsa] jaervosz
Opened: 2005-10-07 10:43 0000
Description:   Opened: 2005-10-07 10:43 0000 
The advisory should follow next monday.

------- Comment #1 From Carsten Lohrke 2005-10-07 10:44:50 0000 ------- 
Created an attachment (id=70104) [details]
kword-3.4.1-rtfimport.diff

------- Comment #2 From Carsten Lohrke 2005-10-07 10:47:41 0000 ------- 
Created an attachment (id=70105) [details]
kword-1.4.1-r1.ebuild

For those archs who want to check already... alpha and ppc64 don't have KOffice
1.4 marked stable yet, but the patch applies to KOffice 1.3.5 as well.

------- Comment #3 From Thierry Carrez (RETIRED) 2005-10-07 11:38:52 0000 ------- 
This is CAN-2005-2971

------- Comment #4 From Thierry Carrez (RETIRED) 2005-10-07 11:39:13 0000 ------- 
*** Bug 106898 has been marked as a duplicate of this bug. ***

------- Comment #5 From Sune Kloppenborg Jeppesen 2005-10-07 23:56:42 0000 ------- 
Thx Carsten, do you have a draft advisory and an updated kword ebuild? 
     
Calling arch security liaisons:     
     
alpha  kloeri     
amd64  blubb     
ppc  hansmi     
ppc64  tgall     
sparc  gustavoz     
x86  tester    
    
Do NOT commit anything to Portage.

------- Comment #6 From Simon Stelling (RETIRED) 2005-10-08 02:18:31 0000 ------- 
CC'ing cryos since he's our kde-guy ;)

------- Comment #7 From Carsten Lohrke 2005-10-08 06:45:59 0000 ------- 
Created an attachment (id=70151) [details]
advisory-20051010-1.txt

(In reply to comment #5)
> Thx Carsten, do you have a draft advisory 

Sure, it's terse, though.

> and an updated kword ebuild? 

Is the one I attached not good enough?

------- Comment #8 From Sune Kloppenborg Jeppesen 2005-10-08 07:40:24 0000 ------- 
Sorry I meant koffice, if you want that tested too.

------- Comment #9 From Marcus D. Hanwell 2005-10-08 13:23:07 0000 ------- 
Tested kword here. I was able to both save and open rtf files. Is there any 
test rtf file I should be trying? Otherwise amd64 looks good to go here - all 
the normal stuff seems to work as always.

------- Comment #10 From Michael Hanselmann (hansmi) (RETIRED) 2005-10-08 15:37:19 0000 ------- 
Looks good for ppc.

------- Comment #11 From Carsten Lohrke 2005-10-08 16:04:01 0000 ------- 
Sune: The code is the same...

Marcus: I don't have a test rtf.

------- Comment #12 From Thierry Carrez (RETIRED) 2005-10-09 09:27:36 0000 ------- 
PoC RTF @ http://scary.beasts.org/misc/out27.rtf

------- Comment #13 From Olivier Crete 2005-10-10 08:46:15 0000 ------- 
I dont do kde... 
Carlo: are you on x86?

------- Comment #14 From Bryan Østergaard (RETIRED) 2005-10-10 16:26:47 0000 ------- 
Good on alpha.

------- Comment #15 From Gustavo Zacarias (RETIRED) 2005-10-10 19:39:29 0000 ------- 
Adding weeve since he's our KDE man(tm) (and my KDE is b0rked).

------- Comment #16 From Sune Kloppenborg Jeppesen 2005-10-11 06:20:55 0000 ------- 
1.4.2 released but no apparent mention of this issue. Let's keep this closed 
until their advisory is out. 
 
Note: Good on alpha and ppc so far.

------- Comment #17 From Sune Kloppenborg Jeppesen 2005-10-11 07:24:54 0000 ------- 
This is now public. 
 
Carlo please commit an updated ebuild and we'll call remaining arches to mark 
stable

------- Comment #18 From Sune Kloppenborg Jeppesen 2005-10-11 07:34:40 0000 ------- 
Fixed ebuilds are already in the tree. 
 
Arches please test and mark 1.4.1-r1 or 1.4.2 stable. 
 
KDE, please follow normal security release procedures next time.

------- Comment #19 From Gregorio Guidi (RETIRED) 2005-10-11 07:51:16 0000 ------- 
I committed the fixed ebuilds a few hours ago, sorry. 
 
The ebuilds that are ready to be marked stable are app-office/koffice-1.4.1-r1 
and app-office/kword-1.4.1-r1. 
ppc64: I see you don't have koffice/kword-1.4.x marked stable, do you think 
you can mark it stable right now or do you prefer to have a patched version of 
koffice/kword-1.3.x too?

------- Comment #20 From Carsten Lohrke 2005-10-11 07:58:31 0000 ------- 
I just committed koffice-1.3.5-r3 and kword-1.3.5-r1 for those who don't see
KOffice 1.4 stable on their architecture yet.


(In reply to comment #13)
> I dont do kde... 
> Carlo: are you on x86?

Yes, marked stable already.

------- Comment #21 From Marcus D. Hanwell 2005-10-11 08:17:33 0000 ------- 
amd64 done.

------- Comment #22 From Bryan Østergaard (RETIRED) 2005-10-11 14:14:45 0000 ------- 
Alpha done.

------- Comment #23 From Jason Wever (RETIRED) 2005-10-11 23:51:24 0000 ------- 
And on the 7th day, there was SPARC, and it was good.

------- Comment #24 From Joe Jezak 2005-10-12 09:14:05 0000 ------- 
Marked ppc stable.

------- Comment #25 From Brent Baude 2005-10-13 13:31:31 0000 ------- 
Marked app-office/koffice-1.4.1-r1 and app-office/kword-1.4.1-r1 and supporting
deps ppc64 today.

------- Comment #26 From Sune Kloppenborg Jeppesen 2005-10-13 13:34:12 0000 ------- 
This one is ready for GLSA.

------- Comment #27 From Sune Kloppenborg Jeppesen 2005-10-14 00:33:38 0000 ------- 
GLSA 200510-12 
 
Note: Both Thierry and I voted for GLSA on this one on IRC.