Bug#: 106898
Status: RESOLVED
Resolution: DUPLICATE of bug 108411
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>





Description: Opened: 2005-09-22 09:53 0000
CESA-2005-005 - rev 1 
 
KWord RTF import heap corruption 
================================ 
 
Programs affected: KWord 
Severity: Possible arbitrary code execution. 
Discovered date: Forgotten 
Vendor notified date: Sep 22nd 2005 
 
Demo RTF: http://scary.beasts.org/misc/out27.rtf 
(Simple RTF fuzz test suite at http://scary.beasts.org/misc/badrtfs.tar.bz2) 
 
rpm -q koffice-kword 
koffice-kword-1.4.1-4.fc4 
 
Resultant stack trace: 
 
(gdb) bt
#0  0x06d0706c in _int_malloc () from /lib/libc.so.6
#1  0x06d08492 in malloc () from /lib/libc.so.6
#2  0x06aaef56 in operator new () from /usr/lib/libstdc++.so.6
#3  0x06aaf06d in operator new[] () from /usr/lib/libstdc++.so.6
#4  0x012d18b9 in QString::setLength () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#5  0x012d1a28 in QString::grow () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#6  0x012d8143 in QString::operator+= () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#7  0x007466f9 in RTFImport::convert () from /usr/lib/kde3/librtfimport.so
 
CESA-2005-005 - rev 1 
Chris Evans 
scarybeasts@gmail.com

------- Comment #1 From Thierry Carrez (RETIRED) 2005-10-07 11:39:13 0000 -------

*** This bug has been marked as a duplicate of 108411 ***

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-10-08 22:25:20 0000 -------
CC'ing maintainer/arch security liaisons on this one to see the PoC. Do not redistribute.

------- Comment #3 From Gustavo Zacarias (RETIRED) 2005-10-10 19:40:12 0000 -------
Adding up weeve wrt bug #108411.
