Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 531404 (CVE-2014-8123) - <app-text/antiword-0.37-r1: buffer overflow (CVE-2014-8123)
Summary: <app-text/antiword-0.37-r1: buffer overflow (CVE-2014-8123)
Status: RESOLVED FIXED
Alias: CVE-2014-8123
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-02 08:25 UTC by Agostino Sarubbo
Modified: 2015-02-07 20:50 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-02 08:25:35 UTC
From ${URL} :

The attached patch prevents a buffer overflow in antiword 0.37
(http://www.winfield.demon.nl/):

Program received signal SIGBUS, Bus error.
0x000000000044b55b in vName2String (szName=0x80140d58c "\"\037\202 \306!n\"n#n$n3", aucBytes=0x7fffffffde20 "\"", tNameSize=32767) at wordole.c:74
74			*pcChar = (char)aucBytes[tIndex];
(gdb) f 1
#1  0x00000000004499f2 in bGetPPS (pFile=0x800c19190, aulRootList=0x801409060, tRootListLen=4, pPPS=0x7fffffffe3b0) at wordole.c:262
262			vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
(gdb) l -
257				atPPSlist = xfree(atPPSlist);
258				return FALSE;
259			}
260			tNameSize = (size_t)usGetWord(0x40, aucBytes);
261			tNameSize = (tNameSize + 1) / 2;
262			vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
263			atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
264			if (atPPSlist[iIndex].ucType == 5) {
265				iRootIndex = iIndex;
266			}
(gdb) p sizeof(atPPSlist[iIndex].szName)
$1 = 32
(gdb) p tNameSize
$2 = 32767
(gdb) l vName2String
56	/*
57	 * vName2String - turn the name into a proper string.
58	 */
59	static void
60	vName2String(char *szName, const UCHAR *aucBytes, size_t tNameSize)
61	{
62		char	*pcChar;
63		size_t	tIndex;
64	
65		fail(aucBytes == NULL || szName == NULL);
(gdb) l
66	
67		if (tNameSize < 2) {
68			szName[0] = '\0';
69			return;
70		}
71		for (tIndex = 0, pcChar = szName;
72		     tIndex < 2 * tNameSize;
73		     tIndex += 2, pcChar++) {
74			*pcChar = (char)aucBytes[tIndex];
75		}
(gdb) 
76		szName[tNameSize - 1] = '\0';
77	} /* end of vName2String */

The buffer overflow has been reported upstream and the patch was accepted,
but apparently there will not be an official antiword release any time soon.

The bug was found with afl-fuzz.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 LABBE Corentin 2014-12-23 07:55:03 UTC
The ebuild antiword-0.37-r1 with the patch is in tree.
Comment 2 Fabian Groffen gentoo-dev 2014-12-23 08:13:40 UTC
My apologies for missing out on this bug.  I've been using antiword-0.37 without any problems, so I guess the committed revision should be ready to get stabilised.  Thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2014-12-23 08:40:33 UTC
Arches, please test and mark stable:
=app-text/antiword-0.37-r1
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2014-12-23 09:03:25 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-23 09:04:39 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-12-24 14:37:51 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-24 14:47:56 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-26 09:19:41 UTC
sparc stable
Comment 9 Tobias Klausmann gentoo-dev 2015-01-09 14:17:49 UTC
Stable on alpha.
Comment 10 Sean Amoss gentoo-dev Security 2015-01-11 21:52:26 UTC
New GLSA has been drafted and is ready for peer review.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 20:50:21 UTC
This issue was resolved and addressed in
 GLSA 201502-09 at http://security.gentoo.org/glsa/glsa-201502-09.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).