Bug 155914 - app-office/koffice-libs koffice 1.4.x, 1.6.x integer overflow (CVE-2006-6120)
Summary: app-office/koffice-libs koffice 1.4.x, 1.6.x integer overflow (CVE-2006-6120)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.kde.org/info/security/advi...
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-21 22:49 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-03-31 11:05 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
- koffice-ole-filter.patch (3.38 KB, patch), 2006-11-21 22:50 UTC, Sune Kloppenborg Jeppesen (RETIRED)
- koffice-libs-1.4.2.ebuild (1.21 KB, text/plain), 2006-11-22 03:36 UTC, Diego Elio Pettenò (RETIRED)
- koffice-libs-1.6.0.ebuild (1.36 KB, text/plain), 2006-11-22 03:36 UTC, Diego Elio Pettenò (RETIRED)
- koffice-1.4.2-r7.ebuild (1.76 KB, text/plain), 2006-11-22 03:44 UTC, Diego Elio Pettenò (RETIRED)
- koffice-1.6.0-r2.ebuild (2.38 KB, patch), 2006-11-22 03:46 UTC, Diego Elio Pettenò (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-21 22:49:29 UTC
Ubuntu reports (edited):

Hello everyone,

While digging into a segv-during-mem-read crash reported to us, I 
discovered that it was possible to overwrite heap memory using a crafted 
PPT file.  The problem is in filters/olefilters/lib/klaola.cc (which 
I think was removed in the 1.5.x koffice tree, and put back in 1.6.x):

void KLaola::readBigBlockDepot() {
    // num_of_bbd_blocks comes straight from the file; the product can wrap,
    // so the buffer may be far smaller than num_of_bbd_blocks blocks
    bigBlockDepot=new unsigned char[0x200*num_of_bbd_blocks];
    // the loop still copies num_of_bbd_blocks full 0x200-byte blocks into it
    for(unsigned int i=0; i<num_of_bbd_blocks; ++i)
        memcpy(&bigBlockDepot[i*0x200], &m_file.data[(bbd_list[i]+1)*0x200], 0x200);
}

num_of_bbd_blocks comes directly from the file being read and can wrap 
when multiplied, reading file contents into heap memory.  I think it 
could be exploited, but it would be tricky, since you need to not write 
past the end of the heap segment when doing it.  At least on my amd64 
machine this looks to be possible, though glibc notices the problem and 
tries to shut down:

$ kpresenter /tmp/evil.ppt
*** glibc detected *** malloc(): memory corruption: 0x0000000000826e80 ***
Alarm clock

-- 
Kees Cook
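The following is an added example written for this page; it is neither KOffice's code nor the attached patch. It shows why the allocation size in the report wraps on amd64 as well as on 32-bit hosts (the count and 0x200 are both 32-bit unsigned, so the product is reduced modulo 2^32 before operator new[] ever sees it), and what a bounds-checked version of the depot reader looks like. It assumes a 32-bit unsigned block count and block-ID list (the snippet's loop variable suggests that) and the classic 0x200-byte OLE2 sector; the helper names, return codes and the constructed input file are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BIG_BLOCK 0x200u   /* OLE2 "big block" (sector) size, as in klaola.cc */

/* Same arithmetic as the original allocation: a 32-bit unsigned count times
 * 0x200 is a 32-bit unsigned product, so it wraps modulo 2^32 on every
 * platform while the copy loop still runs num_of_bbd_blocks iterations. */
uint32_t vulnerable_alloc_size(uint32_t num_of_bbd_blocks) {
    return BIG_BLOCK * num_of_bbd_blocks;
}

typedef struct {
    const uint8_t *data;
    size_t len;
} ole_file;

/* Hardened depot reader (hypothetical replacement, not KOffice's fix).
 * Returns 0 on success, a negative code on malformed input; on success *depot
 * holds num_of_bbd_blocks * 0x200 bytes that the caller must free(). */
int read_big_block_depot(const ole_file *f, uint32_t num_of_bbd_blocks,
                         const uint32_t *bbd_list, uint8_t **depot, size_t *depot_len)
{
    *depot = NULL;
    *depot_len = 0;
    if (f->len < BIG_BLOCK)
        return -1;                                  /* not even a header */

    /* Every depot block is a sector of this file, so the count can never exceed
     * the number of data sectors after the header. That bound also rules out the
     * multiplication wrap: the product is at most f->len, which fits in size_t. */
    size_t data_sectors = f->len / BIG_BLOCK - 1;
    if (num_of_bbd_blocks > data_sectors)
        return -2;

    size_t need = (size_t)num_of_bbd_blocks * BIG_BLOCK;
    uint8_t *buf = malloc(need ? need : 1);
    if (!buf)
        return -3;

    for (uint32_t i = 0; i < num_of_bbd_blocks; ++i) {
        /* 64-bit offset: a block id of 0xFFFFFFFF must not wrap to sector 0. */
        uint64_t off = ((uint64_t)bbd_list[i] + 1) * BIG_BLOCK;
        if (off + BIG_BLOCK > f->len) {             /* source sector outside the file */
            free(buf);
            return -4;
        }
        memcpy(buf + (size_t)i * BIG_BLOCK, f->data + off, BIG_BLOCK);
    }
    *depot = buf;
    *depot_len = need;
    return 0;
}

/* Constructed input: a 0x200-byte header followed by n sectors, sector k
 * filled with the byte value k+1 so the copy can be checked afterwards. */
uint8_t *build_file(uint32_t n_sectors, size_t *len) {
    *len = (size_t)(n_sectors + 1) * BIG_BLOCK;
    uint8_t *p = calloc(1, *len);
    for (uint32_t k = 0; k < n_sectors; ++k)
        memset(p + (size_t)(k + 1) * BIG_BLOCK, (int)(k + 1), BIG_BLOCK);
    return p;
}

struct depot_result { int rc; size_t len; uint8_t first; };

const uint32_t DEPOT_OK[]   = { 1, 0 };            /* sector 1 then sector 0 */
const uint32_t DEPOT_PAST[] = { 2 };               /* sector that does not exist */
const uint32_t DEPOT_WRAP[] = { 0xFFFFFFFFu };     /* (id+1) wraps to 0 in 32 bits */

/* Runs the hardened reader over a constructed file of n_sectors sectors. */
struct depot_result try_depot(uint32_t n_sectors, uint32_t num_of_bbd_blocks,
                              const uint32_t *bbd_list)
{
    struct depot_result r = { 0, 0, 0 };
    size_t len;
    uint8_t *file = build_file(n_sectors, &len);
    ole_file f = { file, len };
    uint8_t *depot;
    r.rc = read_big_block_depot(&f, num_of_bbd_blocks, bbd_list, &depot, &r.len);
    r.first = (r.rc == 0 && r.len) ? depot[0] : 0;
    free(depot);
    free(file);
    return r;
}

int main(void) {
    printf("0x200 * 0x800001 as 32-bit unsigned = 0x%x\n", vulnerable_alloc_size(0x800001u));
    struct depot_result ok = try_depot(2, 2, DEPOT_OK);
    printf("valid depot: rc=%d bytes=%zu first=%u\n", ok.rc, ok.len, ok.first);
    printf("crafted count: rc=%d\n", try_depot(2, 0x800001u, DEPOT_OK).rc);
    printf("wrapping block id: rc=%d\n", try_depot(2, 1, DEPOT_WRAP).rc);
    return 0;
}
```

The count check is deliberately derived from the file length rather than from a fixed overflow test on the multiplication alone: a depot larger than the file is malformed whatever the arithmetic does, and the same bound makes the allocation size trivially representable. The per-block offset check is the second half of the problem from the report, since `bbd_list[i]` is also attacker-controlled and, in 32-bit arithmetic, `(0xFFFFFFFF+1)*0x200` silently becomes offset 0.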
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-21 22:50:54 UTC
Created attachment 102512
koffice-ole-filter.patch

Proposed patch.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-21 22:52:38 UTC
If needed there is a PoC.
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-22 03:36:11 UTC
Created attachment 102525
koffice-libs-1.4.2.ebuild
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-22 03:36:26 UTC
Created attachment 102526
koffice-libs-1.6.0.ebuild
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-22 03:44:58 UTC
Created attachment 102529
koffice-1.4.2-r7.ebuild
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-22 03:46:00 UTC
Created attachment 102530
koffice-1.6.0-r2.ebuild
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-22 03:47:03 UTC
For some reason, the patch does not apply over 1.5 versions, I'm not yet sure why.
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-22 03:55:28 UTC
It seems the patched files do not exist at all in the 1.5 series, so it should be okay this way.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-26 23:25:43 UTC
Arch security liaisons, please test and report back on this bug.

Comment 10 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-29 14:48:15 UTC
I think this is not confidential anymore, 1.6.1 got released and Cyrille posted this on the public koffice-devel: http://lists.kde.org/?l=koffice-devel&m=116423488211928&w=3

No arch reported anything yet?
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-29 17:15:56 UTC
jup, this is public - ubuntu issued an advisory.

arches, please test and stable
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-29 21:06:50 UTC
Arches please test and mark stable. Target keywords are:

koffice-1.4.2-r7.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86"
koffice-1.6.0-r2.ebuild:KEYWORDS="alpha amd64 ~hppa ia64 ppc ppc64 sparc x86"
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-30 10:33:31 UTC
Don't mark stable the 1.6 series - talked about it with Flameeyes earlier today.
Current stable (1.5) isn't affected and according to Diego 1.4 will be gone soon from the tree so we (archs) shouldn't need to do anything about this bug.
Correct me if i'm wrong of course :)
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-30 10:37:11 UTC
Thx Gustavox for posting. Corrected target keywords are:

koffice-1.4.2-r7.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86"
koffice-1.6.0-r2.ebuild:KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"

So only 1.4.x series need stable marking. Sorry for the confusion.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2006-11-30 12:48:19 UTC
To make it even more confusing: the revisions of the ebuilds are one version too low. Committed ebuilds are:

koffice-1.4.2-r8.ebuild and
koffice-1.6.0-r3.ebuild

ppc64 stable BTW
Comment 16 Markus Meier gentoo-dev 2006-11-30 12:57:33 UTC
app-office/koffice-1.4.2-r7  USE="-arts -debug -doc -javascript -mysql -postgres -xinerama"
1. emerges on x86
2. fails test suite:
make[4]: Entering directory `/var/tmp/portage/koffice-1.4.2-r7/work/koffice-1.4.2/lib/store/tests'
i686-pc-linux-gnu-g++ -DHAVE_CONFIG_H -I. -I. -I../../.. -I./.. -I/usr/kde/3.5/include -I/usr/qt/3/include -I.  -I/usr/kde/3.5/include  -DQT_THREAD_SUPPORT  -D_REENTRANT  -Wno-long-long -Wundef -ansi -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -Wcast-align -Wconversion -Wchar-subscripts -Wall -W -Wpointer-arith -DNDEBUG -DNO_DEBUG -O2 -O2 -march=prescott -pipe -fomit-frame-pointer -Wformat-security -Wmissing-format-attribute -Wno-non-virtual-dtor -fno-exceptions -fno-check-new -fno-common -DQT_CLEAN_NAMESPACE -DQT_NO_ASCII_CAST -DQT_NO_STL -DQT_NO_COMPAT -DQT_NO_TRANSLATION -DHAVE_KNEWSTUFF  -c -o storage_test.o `test -f 'storage_test.cpp' || echo './'`storage_test.cpp
In file included from storage_test.cpp:25:
./../koStore.h:28:28: error: koffice_export.h: No such file or directory
./../koStore.h:40: error: invalid function declaration
--- snip ---
3. passes collision test
4. works

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.3 i686)
=================================================================
System uname: 2.6.18.3 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Thu, 30 Nov 2006 15:01:02 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-30 21:03:57 UTC
  01 Dec 2006; Diego Pettenò <flameeyes@gentoo.org>
  -files/post-1.3-koffice-CAN-2005-3193.diff, -files/kexi-1.4.2-gcc41.patch,
  -files/krita-1.4.2-gcc41.patch, -files/kspread-1.4.2-gcc41.patch,
  -files/kexi-1.5.1-form_plugins.patch,
  -files/kexi-1.5.1-kexi_checkbox_data_saving.patch,
  -koffice-1.4.2-r6.ebuild, -koffice-1.4.2-r7.ebuild,
  -koffice-1.4.2-r8.ebuild, -koffice-1.5.1-r1.ebuild, -koffice-1.5.2.ebuild,
  -koffice-1.6.0-r1.ebuild, -koffice-1.6.0-r2.ebuild:
  Cleanup of old versions.

So there's nothing to do for us (architectures), right?
Comment 19 Gustavo Zacarias (RETIRED) gentoo-dev 2006-12-01 05:02:05 UTC
sparc nothin'!
call us back if there's anything to do later on.
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-01 08:40:12 UTC
un-cc'ing ppc
Comment 21 Chris Gianelloni (RETIRED) gentoo-dev 2006-12-01 11:41:28 UTC
Removing alpha/amd64/x86... feel free to add us back if we need to do anything.
Comment 22 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-01 12:54:52 UTC
looks like the not affected 1.5 branch is stable. ready for glsa
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-07 04:30:13 UTC
Diego, it appears that the latest stable version for all arches was 1.5.x at the time of filing the bug, is that correct?
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-10 05:32:22 UTC
jaervosz: no, 1.4.2 and 1.4.2-r1 were stable and were only removed on the 1st of December
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-10 06:43:43 UTC
shellsage just pointed out that these were not the *latest* stable versions.

Indeed 1.5.2 has been in the stable tree for a while now..., but vulnerable 1.4.x versions remained in the stable tree until Dec 1st.
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-10 07:48:45 UTC
GLSA 200612-05
Comment 27 Raúl Porcel (RETIRED) gentoo-dev 2007-03-31 11:05:36 UTC
ia64 stable