Bug 543482 - <app-text/catdoc-0.95: multiple DoS
Summary: <app-text/catdoc-0.95: multiple DoS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Reported: 2015-03-16 08:15 UTC by Agostino Sarubbo
Modified: 2018-02-23 19:30 UTC
Description Agostino Sarubbo gentoo-dev 2015-03-16 08:15:26 UTC
From ${URL} :

"catdoc" is a command line tool for extracting readable text from
Microsoft office documents.  It is used by the command "less" when
opening a .doc file, and if it's not installed, less will ask you to
install it.  It's also listed as a forensics tool on certain websites.
Catdoc has bugs.

The attached* word documents were generated with American Fuzzy Lop.
The first attached tarball contains 35 somewhat analyzed sample
crashes.  I've also included the raw crash samples with 27 additional
crashes that were generated between the initial disclosure time and
right now.  AFL identified them as unique issues (presumably different
code paths) though the offending code seems to be in the following
places:

substmap.c:151 (crash)
numutils.c:22 (some crash, some trigger ASAN)
ole.c:108 (ASAN)
ole.c:315 (ASAN)

The ASAN crashes indicate memory corruptions, but there are some solid
segfaults in substmap.c and numutils.c.  The crashes seem to be read
violations, so non-trivial to exploit, and since DoS and memory
disclosures aren't super interesting for document parsers, it's
unlikely that any of these deserve a CVE.

There are likely more bugs, and catdoc also includes a ppt parser and
an xls parser.

* The attachments were too big (>200k), so I made this website instead: https://catdocbugs.neocities.org/



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-06 18:36:35 UTC
From http://www.wagner.pp.ru/gitweb/?p=oss/catdoc.git;a=log;h=refs/tags/REL_0_95 it seems like the author has made some bug fixes, but they are not documented; maybe the bugs are already fixed.

References:

http://www.wagner.pp.ru/gitweb/?p=oss/catdoc.git;a=summary
http://www.wagner.pp.ru/~vitus/software/catdoc/
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-23 19:30:16 UTC
All files from https://catdocbugs.neocities.org/catdoc-crashes.tar.bz2 can be processed with catdoc-0.95 without any crashes:

> $ find . -name '*.doc' -exec catdoc "{}" >/dev/null \;
> Broken OLE file. Try using -b switch
> Broken OLE structure. Cannot find root entry in this file!
> Broken OLE file. Try using -b switch
> Broken OLE file. Try using -b switch
> Broken OLE structure. Cannot find root entry in this file!
> Broken OLE file. Try using -b switch
> Broken OLE structure. Cannot find root entry in this file!
> Broken OLE file. Try using -b switch
> [File is encrypted. Encryption key = 00000000]
> Broken OLE structure. Cannot find root entry in this file!
> Broken OLE file. Try using -b switch
> Broken OLE file. Try using -b switch
> Broken OLE structure. Cannot find root entry in this file!
> Broken OLE file. Try using -b switch
> Broken OLE file. Try using -b switch
> Broken OLE file. Try using -b switch
> Broken OLE structure. Cannot find root entry in this file!
> Broken OLE file. Try using -b switch
> Broken OLE structure. Cannot find root entry in this file!
> Broken OLE file. Try using -b switch
> Broken OLE structure. Cannot find root entry in this file!
> Broken OLE file. Try using -b switch
Whereas catdoc-0.94 showed the reported crashes:
> $ find . -name '*.doc' -exec catdoc "{}" >/dev/null \;
> find: ‘catdoc’ terminated by signal 11
> find: ‘catdoc’ terminated by signal 11
> find: ‘catdoc’ terminated by signal 11
> find: ‘catdoc’ terminated by signal 9
> double free or corruption (out)
> find: ‘catdoc’ terminated by signal 6
> catdoc: malloc.c:2406: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
> find: ‘catdoc’ terminated by signal 6
> catdoc: malloc.c:2406: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
> find: ‘catdoc’ terminated by signal 6
> [File is encrypted. Encryption key = 00000000]
> find: ‘catdoc’ terminated by signal 11
> find: ‘catdoc’ terminated by signal 11
> munmap_chunk(): invalid pointer
> find: ‘catdoc’ terminated by signal 6
> find: ‘catdoc’ terminated by signal 11
> find: ‘catdoc’ terminated by signal 9
> catdoc: malloc.c:2406: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
> find: ‘catdoc’ terminated by signal 6
> ^C
> 

GLSA vote: No!

All done, repository is clean.
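A small regression harness for the check run in the comment above, added here as an example and not part of the bug report or of catdoc: it runs a parser over a directory of crash samples and separates handled parse errors (an ordinary non-zero exit such as "Broken OLE file") from real crashes (termination by a signal), which is what the 0.94 versus 0.95 comparison hinges on. The parser and corpus paths are arguments; `classify_exit` and `triage_corpus` are names chosen for this example.

```shell
#!/bin/sh
# Added regression harness (not from the bug report or from catdoc): run a
# document parser over a directory of fuzzer crash samples and classify each
# run by exit status, so a version bump can be checked for crashes without
# reading `find -exec` output by eye. Parser and corpus are passed as arguments.

# classify_exit STATUS -> prints "ok", "error" or "signal N".
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        # Shell convention: 128+N means the child was killed by signal N
        # (11 = SIGSEGV, 6 = SIGABRT, 9 = SIGKILL in the 0.94 run above).
        echo "signal $((status - 128))"
    else
        # Ordinary non-zero exit: a handled parse error such as
        # "Broken OLE file", which is the expected result for a fixed build.
        echo error
    fi
}

# triage_corpus PARSER DIR -> prints "<verdict><TAB><file>" per sample plus a
# summary line; returns 1 if any sample was killed by a signal.
triage_corpus() {
    parser=$1
    dir=$2
    total=0
    crashes=0
    for f in "$dir"/*.doc; do
        [ -e "$f" ] || continue
        total=$((total + 1))
        status=0
        # Capture the exit status without letting `set -e` abort the loop.
        "$parser" "$f" >/dev/null 2>&1 || status=$?
        verdict=$(classify_exit "$status")
        case $verdict in
            signal*) crashes=$((crashes + 1)) ;;
        esac
        printf '%s\t%s\n' "$verdict" "$f"
    done
    printf 'summary: %d samples, %d crashes\n' "$total" "$crashes"
    [ "$crashes" -eq 0 ]
}

# Usage: sh triage.sh catdoc /path/to/catdoc-crashes   (runs only when given args)
[ $# -eq 0 ] || triage_corpus "$1" "${2:-.}"
```

A non-zero return from `triage_corpus` makes the harness usable as a gate in a package test phase; the per-file lines show which samples still die by signal.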