From ${URL} : The attached patch prevents a buffer overflow in antiword 0.37 (http://www.winfield.demon.nl/): Program received signal SIGBUS, Bus error. 0x000000000044b55b in vName2String (szName=0x80140d58c "\"\037\202 \306!n\"n#n$n3", aucBytes=0x7fffffffde20 "\"", tNameSize=32767) at wordole.c:74 74 *pcChar = (char)aucBytes[tIndex]; (gdb) f 1 #1 0x00000000004499f2 in bGetPPS (pFile=0x800c19190, aulRootList=0x801409060, tRootListLen=4, pPPS=0x7fffffffe3b0) at wordole.c:262 262 vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize); (gdb) l - 257 atPPSlist = xfree(atPPSlist); 258 return FALSE; 259 } 260 tNameSize = (size_t)usGetWord(0x40, aucBytes); 261 tNameSize = (tNameSize + 1) / 2; 262 vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize); 263 atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes); 264 if (atPPSlist[iIndex].ucType == 5) { 265 iRootIndex = iIndex; 266 } (gdb) p sizeof(atPPSlist[iIndex].szName) $1 = 32 (gdb) p tNameSize $2 = 32767 (gdb) l vName2String 56 /* 57 * vName2String - turn the name into a proper string. 58 */ 59 static void 60 vName2String(char *szName, const UCHAR *aucBytes, size_t tNameSize) 61 { 62 char *pcChar; 63 size_t tIndex; 64 65 fail(aucBytes == NULL || szName == NULL); (gdb) l 66 67 if (tNameSize < 2) { 68 szName[0] = '\0'; 69 return; 70 } 71 for (tIndex = 0, pcChar = szName; 72 tIndex < 2 * tNameSize; 73 tIndex += 2, pcChar++) { 74 *pcChar = (char)aucBytes[tIndex]; 75 } (gdb) 76 szName[tNameSize - 1] = '\0'; 77 } /* end of vName2String */ The buffer overflow has been reported upstream and the patch was accepted, but apparently there will not be an official antiword release any time soon. The bug was found with afl-fuzz. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The ebuild antiword-0.37-r1 with the patch is in tree.
My apologies for missing out on this bug. I've been using antiword-0.37 without any problems, so I guess the committed revision should be ready to get stabilised. Thanks!
Arches, please test and mark stable: =app-text/antiword-0.37-r1 Target keywords : "alpha amd64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
ppc stable
ppc64 stable
sparc stable
Stable on alpha.
New GLSA has been drafted and is ready for peer review.
This issue was resolved and addressed in GLSA 201502-09 at http://security.gentoo.org/glsa/glsa-201502-09.xml by GLSA coordinator Kristian Fiskerstrand (K_F).