Bug 106898 - app-office/{koffice|kword} RTF import heap corruption (vendor-sec) (CAN-2005-2971)
Status: RESOLVED DUPLICATE of bug 108411
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [upstream] CLASSIFIED?
Depends on:
Reported: 2005-09-22 09:53 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-08-16 18:37 UTC
CC: 7 users
See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-22 09:53:13 UTC
CESA-2005-005 - rev 1
KWord RTF import heap corruption
Programs affected: KWord
Severity: Possible arbitrary code execution.
Discovered date: Forgotten
Vendor notified date: Sep 22nd 2005
Demo RTF:
(Simple RTF fuzz test suite at
rpm -q koffice-kword
Resultant stack trace:
(gdb) bt
#0  0x06d0706c in _int_malloc () from /lib/
#1  0x06d08492 in malloc () from /lib/
#2  0x06aaef56 in operator new () from /usr/lib/
#3  0x06aaf06d in operator new[] () from /usr/lib/
#4  0x012d18b9 in QString::setLength () from /usr/lib/qt-3.3/lib/
#5  0x012d1a28 in QString::grow () from /usr/lib/qt-3.3/lib/
#6  0x012d8143 in QString::operator+= () from /usr/lib/qt-3.3/lib/
#7  0x007466f9 in RTFImport::convert () from /usr/lib/kde3/
CESA-2005-005 - rev 1
Chris Evans
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-07 11:39:13 UTC

*** This bug has been marked as a duplicate of 108411 ***
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-08 22:25:20 UTC
CC'ing maintainer/arch security liaisons on this one to see the PoC. Do not 
Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-10 19:40:12 UTC
Adding up weeve wrt bug #108411.