CESA-2005-005 - rev 1

KWord RTF import heap corruption
================================

Programs affected: KWord
Severity: Possible arbitrary code execution.
Discovered date: Forgotten
Vendor notified date: Sep 22nd 2005

Demo RTF: http://scary.beasts.org/misc/out27.rtf
(Simple RTF fuzz test suite at http://scary.beasts.org/misc/badrtfs.tar.bz2)

rpm -q koffice-kword
koffice-kword-1.4.1-4.fc4

Resultant stack trace:

(gdb) bt
#0  0x06d0706c in _int_malloc () from /lib/libc.so.6
#1  0x06d08492 in malloc () from /lib/libc.so.6
#2  0x06aaef56 in operator new () from /usr/lib/libstdc++.so.6
#3  0x06aaf06d in operator new[] () from /usr/lib/libstdc++.so.6
#4  0x012d18b9 in QString::setLength () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#5  0x012d1a28 in QString::grow () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#6  0x012d8143 in QString::operator+= () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#7  0x007466f9 in RTFImport::convert () from /usr/lib/kde3/librtfimport.so

CESA-2005-005 - rev 1
Chris Evans
scarybeasts@gmail.com
*** This bug has been marked as a duplicate of 108411 ***
CC'ing maintainer/arch security liaisons on this one to see the PoC. Do not redistribute.
Adding up weeve wrt bug #108411.