Bug 106896 - app-office/abiword RTF import stack-based buffer overflow (vendor-sec)
Summary: app-office/abiword RTF import stack-based buffer overflow (vendor-sec)
Status: RESOLVED DUPLICATE of bug 107351
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [upstream] CLASSIFIED?
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-22 09:24 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-08-16 18:37 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-22 09:24:23 UTC
CESA-2005-004 - rev 1 
 
Abiword RTF import stack-based buffer overflow 
============================================== 
 
Programs affected: Abiword, possibly unpatched MacOSX, others? 
Severity: Arbitrary code execution. 
Discovered date: Forgotten 
Vendor notified date: Sep 22nd 2005 
 
Demo RTF: http://scary.beasts.org/misc/out153.rtf 
(Simple RTF fuzz test suite at http://scary.beasts.org/misc/badrtfs.tar.bz2) 
 
rpm -q abiword 
abiword-2.2.9-2.fc4 
 
Resultant stack trace includes 0x41414141 (AAAA) on the stack: 
 
(gdb) bt 
#0  0x00fea976 in fread () from /lib/libc.so.6 
#1  0x081d1d3d in IE_Imp_RTF::ReadCharFromFileWithCRLF () 
#2  0x081d1da4 in IE_Imp_RTF::ReadCharFromFile () 
#3  0x081dd106 in IE_Imp_RTF::ReadOneFontFromTable () 
#4  0x41414141 in ?? () 
 
CESA-2005-004 - rev 1 
Chris Evans 
scarybeasts@gmail.com
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-27 00:13:55 UTC
Now public on bug #107351 

*** This bug has been marked as a duplicate of 107351 ***