Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 169675 - app-text/libwpd 0.8.4 heap overflow (CVE-2007-0002, 1466)
Summary: app-text/libwpd 0.8.4 heap overflow (CVE-2007-0002, 1466)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B2 [glsa] Falco
Keywords:
: 138233 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-03-06 21:09 UTC by Jonathan Smith (RETIRED)
Modified: 2007-04-06 23:29 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch to fix the issue (libwpd-heap-overflow.patch,2.19 KB, patch)
2007-03-06 21:12 UTC, Jonathan Smith (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jonathan Smith (RETIRED) gentoo-dev 2007-03-06 21:09:36 UTC
libwpd is vulnerable to a heap overflow which can cause a denial of service (crash) in programs using the library (such as openoffice, koffice, or abiword).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0002
https://issues.rpath.com/browse/RPL-1115

Reproducible: Always

Steps to Reproduce:
Comment 1 Jonathan Smith (RETIRED) gentoo-dev 2007-03-06 21:12:02 UTC
Created attachment 112328 [details, diff]
patch to fix the issue

two patches pulled from upstream cvs to fix the issue
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-07 15:51:21 UTC
gnome herd, please verify and provide a new ebuild
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-03-07 17:28:45 UTC
Okay, I've added 0.8.4-r1 with what I believe to be the fix; I needed an additional hunk on top of the patch above, presumably because our version was so old.  Unfortuantely, without any information about the actual vulnerability, I can't verify that this actually fixes the problem.  The CVE is restricted from me, and the rpath issue doesn't list an exploit I can test.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 22:12:42 UTC
Thanks Daniel,

hi arches, please test & mark stable app-text/libwpd-0.8.4-r1, thanks
Comment 5 Jeroen Roovers gentoo-dev 2007-03-16 01:56:57 UTC
Stable for HPPA (and many thanks to the Maryland Courts Watcher[1] for providing links to .wpd files).



[1] http://marylandcourts.blogspot.com/
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-16 08:27:49 UTC
(In reply to comment #4)
> Thanks Daniel,
> 
> hi arches, please test & mark stable app-text/libwpd-0.8.4-r1, thanks

 When doing so, please also mark stable app-text/wpd2sxw-0.7*, as the current won't build with libwpd 0.8 (goes out to ppc).
x86 stable
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2007-03-16 11:15:07 UTC
Sparc stable.  app-text/wpd2sxw has no sparc keyword, so nothing to do there.
Comment 8 Jonathan Smith (RETIRED) gentoo-dev 2007-03-16 14:57:09 UTC
0.8.9 has (finally!) been released upstream to fix this release - we're probably better off just bumping versions at this point
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-16 15:06:16 UTC
Smithj if you'd rather want to bump, just remove arches from CC until you commit the fixed ebuild.
Comment 10 Jonathan Smith (RETIRED) gentoo-dev 2007-03-16 15:08:32 UTC
Well, I'm not on the gnome herd - want to ensure it doesn't break anything first... input from the gnome folks?
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-16 15:26:01 UTC
Back to ebuild for now.
Comment 12 Jonathan Smith (RETIRED) gentoo-dev 2007-03-16 15:26:05 UTC
*** Bug 138233 has been marked as a duplicate of this bug. ***
Comment 13 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-03-19 16:42:36 UTC
Okay, I've bumped to 0.8.9.  I tested abiword-plugins, in addition to wpd2*, and all work fine, so no apparent regressions.
Comment 14 Hanno Böck gentoo-dev 2007-03-20 01:36:13 UTC
openoffice has vulnerable libwpd 0.8.8 bundled, so it's probably also affected?
Comment 15 Hanno Böck gentoo-dev 2007-03-20 01:41:35 UTC
libwpd-0.8.9 fails to compile for me:

ibxml2   -DNDEBUG -I../../src/lib/ -O2 -march=pentium-m -fomit-frame-pointer -pipe -MT test.o -MD -MP -MF ".deps/test.Tpo" -c -o test.o test.cpp; \
        then mv -f ".deps/test.Tpo" ".deps/test.Po"; else rm -f ".deps/test.Tpo"; exit 1; fi
test.cpp:24:32: error: cppunit/TestRunner.h: No such file or directory
test.cpp:25:32: error: cppunit/TestResult.h: No such file or directory
test.cpp:26:41: error: cppunit/TestResultCollector.h: No such file or directory
test.cpp:27:45: error: cppunit/extensions/HelperMacros.h: No such file or directory
test.cpp:28:47: error: cppunit/BriefTestProgressListener.h: No such file or directory
test.cpp:29:52: error: cppunit/extensions/TestFactoryRegistry.h: No such file or directory
test.cpp:30:39: error: cppunit/CompilerOutputter.h: No such file or directory
test.cpp:41: error: 'CPPUNIT_NS' has not been declared
test.cpp:41: error: expected `{' before 'TestFixture'
test.cpp:41: error: invalid function declaration
test.cpp:56: error: invalid use of undefined type 'class Test'
test.cpp:41: error: forward declaration of 'class Test'
test.cpp:64: error: invalid use of undefined type 'class Test'
test.cpp:41: error: forward declaration of 'class Test'
test.cpp:69: error: invalid use of undefined type 'class Test'
test.cpp:41: error: forward declaration of 'class Test'
test.cpp: In member function 'void Test::testStream()':
test.cpp:92: error: 'CPPUNIT_ASSERT_EQUAL' was not declared in this scope
test.cpp:97: error: 'CPPUNIT_ASSERT' was not declared in this scope
test.cpp:139: error: expected primary-expression before ')' token
test.cpp:139: error: 'CPPUNIT_ASSERT_THROW' was not declared in this scope
test.cpp:208: error: expected primary-expression before ')' token
test.cpp: At global scope:
test.cpp:225: error: expected constructor, destructor, or type conversion before ';' token
test.cpp: In function 'int main(int, char**)':
test.cpp:230: error: 'CPPUNIT_NS' has not been declared
test.cpp:230: error: expected `;' before 'controller'
test.cpp:233: error: 'CPPUNIT_NS' has not been declared
test.cpp:233: error: expected `;' before 'result'
test.cpp:234: error: 'controller' was not declared in this scope
test.cpp:234: error: 'result' was not declared in this scope
test.cpp:237: error: 'CPPUNIT_NS' has not been declared
test.cpp:237: error: expected `;' before 'progress'
test.cpp:238: error: 'progress' was not declared in this scope
test.cpp:241: error: 'CPPUNIT_NS' has not been declared
test.cpp:241: error: expected `;' before 'runner'
test.cpp:242: error: 'runner' was not declared in this scope
test.cpp:242: error: 'CPPUNIT_NS' has not been declared
test.cpp:246: error: 'CPPUNIT_NS' has not been declared
test.cpp:246: error: expected `;' before 'outputter'
test.cpp:247: error: 'outputter' was not declared in this scope
make[1]: *** [test.o] Error 1
make[1]: Leaving directory `/var/tmp/paludis/app-text/libwpd-0.8.9/work/libwpd-0.8.9/src/test'
make: *** [check] Error 2
Comment 16 Jonathan Smith (RETIRED) gentoo-dev 2007-03-20 02:51:31 UTC
(In reply to comment #14)
> openoffice has vulnerable libwpd 0.8.8 bundled, so it's probably also affected?
> 

Yes. In fact, the first public mention of this was a Novell security announce of OOo (they apparently broke embargo).
Comment 17 Andreas Proschofsky (RETIRED) gentoo-dev 2007-03-20 02:54:38 UTC
(In reply to comment #14)
> openoffice has vulnerable libwpd 0.8.8 bundled, so it's probably also affected?
> 

Yes, but this is already part of another bug (and handled there):

https://bugs.gentoo.org/show_bug.cgi?id=170828
Comment 18 Jonathan Smith (RETIRED) gentoo-dev 2007-03-20 02:59:38 UTC
(In reply to comment #17)
> Yes, but this is already part of another bug (and handled there):
> 
> https://bugs.gentoo.org/show_bug.cgi?id=170828

That bug is not public, even though the security issue is (ref the novell advisory), so it was hard to tell for those of us without special access :-)

Perhaps its time to open that one up too?
Comment 19 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-03-20 15:46:08 UTC
hanno: Apparently, cppunit is needed for FEATURES=test.  Since cppunit doesn't have enough keywords, I've masked FEATURES=test for now, even though the unit tests pass here.
Comment 20 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-25 07:21:55 UTC
Finally calling arches.

Please test and mark stable. Target keywords are:

libwpd-0.8.9.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ~ppc-macos ppc64 sparc x86 ~x86-fbsd"
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2007-03-25 09:25:29 UTC
ppc64 stable
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-25 10:31:45 UTC
ppc stable
Comment 23 Markus Meier gentoo-dev 2007-03-25 11:33:07 UTC
app-text/libwpd-0.8.9  USE="doc"
1. emerges on x86
2. passes collision test
3. app-text/wpd2sxw-0.7.1 emerges with it

Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19.5 i686)
=================================================================
System uname: 2.6.19.5 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 25 Mar 2007 09:30:01 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 24 Andrej Kacian (RETIRED) gentoo-dev 2007-03-25 12:01:30 UTC
x86 done
Comment 25 Jeroen Roovers gentoo-dev 2007-03-26 03:07:10 UTC
Stable for HPPA (0.8.9 this time).
Comment 26 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-26 13:35:56 UTC
sparc stable.
Comment 27 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-03-26 20:07:30 UTC
amd64 done.
Comment 28 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-03-27 12:23:16 UTC
alpha stable
Comment 29 Chris Gianelloni (RETIRED) gentoo-dev 2007-03-27 15:34:02 UTC
ia64 done...
Comment 30 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-28 06:12:17 UTC
Thx everyone. This one is ready for GLSA decision. I vote NO.
Comment 31 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-02 19:14:34 UTC
I tend to vote yes
Comment 32 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-02 22:18:52 UTC
as for me its a B2 so I vovte Yes and i'm filing a GLSA request at the same time.
Comment 33 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-03 05:27:45 UTC
You're correct Falco.
Comment 34 Matt Drew (RETIRED) gentoo-dev 2007-04-03 12:31:30 UTC
adding CVE-2007-1466
Comment 35 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-06 23:29:02 UTC
GLSA 200704-07, thanks everybody