Bug 604908 (CVE-2016-10091) - <app-text/unrtf-0.21.10: stack-based buffer overflows in cmd_* functions
Summary: <app-text/unrtf-0.21.10: stack-based buffer overflows in cmd_* functions
Status: RESOLVED FIXED
Alias: CVE-2016-10091
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugs.debian.org/cgi-bin/bugre...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-07 11:14 UTC by Thomas Deutschmann (RETIRED)
Modified: 2019-03-09 18:27 UTC (History)

See Also:
Package list:
=app-text/unrtf-0.21.10
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-07 11:14:14 UTC
From $URL:

A stack-based buffer overflow in unrtf 0.21.9 has been found, which affects three functions: cmd_expand, cmd_emboss and cmd_engrave.

# convert.c

static int
cmd_expand (Word *w, int align, char has_param, int param) {
    char str[10];
    if (has_param) {
        sprintf(str, "%d", param/4); // Overflow, 9-digit negative value triggers the bug
        if (!param)
            attr_pop(ATTR_EXPAND);
        else
            attr_push(ATTR_EXPAND, str);
    }
    return FALSE;
}

Apparently writing a negative integer to the buffer can trigger the overflow (the minus sign needs an extra byte).

* How to trigger the bug *

$ echo "\expnd-400000000" > poc
$ unrtf poc

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
*** buffer overflow detected ***: unrtf terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb764f37a]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb76dfe07]
/lib/i386-linux-gnu/libc.so.6(+0xf60a8)[0xb76de0a8]
/lib/i386-linux-gnu/libc.so.6(+0xf58b8)[0xb76dd8b8]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0xa6)[0xb7653bf6]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0xf66)[0xb762b1d6]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0x90)[0xb76dd950]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x20)[0xb76dd8a0]
unrtf[0x804c7b8]
unrtf[0x804f77d]
unrtf[0x804f9e7]
unrtf[0x804920b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7600276]
unrtf[0x804953c]
Aborted

* Test environment *

Linux debian 4.7.0-1-686-pae #1 SMP Debian 4.7.8-1 (2016-10-19) i686 GNU/Linux
libc6 2.24-8
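As an added illustration, not code from this bug or from unrtf: the same sprintf(str, "%d", param/4) write into a 10-byte buffer, with a helper that measures how many bytes the formatted value really needs (showing why the PoC value -400000000 overruns), beside a bounded snprintf variant that reports truncation instead of overflowing. The 12-byte SAFE_STR_LEN and all function names are assumptions, not the upstream fix.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Size of the original char str[10] in cmd_expand(), NUL included. */
#define UNRTF_STR_LEN 10

/* Assumed safe size: "%d" of INT_MIN/4 is "-536870912" (10 chars),
 * so 11 bytes are needed with the NUL; 12 leaves one byte of slack. */
#define SAFE_STR_LEN 12

/* Bytes sprintf() would write for param/4, NUL included.
 * snprintf(NULL, 0, ...) only measures; nothing is written. */
size_t expand_bytes_needed(int param)
{
    return (size_t)snprintf(NULL, 0, "%d", param / 4) + 1;
}

/* 1 if the original 10-byte buffer is too small for this param. */
int expand_overflows(int param)
{
    return expand_bytes_needed(param) > UNRTF_STR_LEN;
}

/* Hardened formatting: bounded write, and the caller learns whether the
 * value fit. Returns 0 on success, -1 if it would have been truncated. */
int format_expand_param(int param, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%d", param / 4);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen)
            out[0] = '\0';  /* never hand back a half-written value */
        return -1;
    }
    return 0;
}

int main(void)
{
    char small[UNRTF_STR_LEN];
    char safe[SAFE_STR_LEN];
    int poc = -400000000;  /* parameter from the \expnd PoC on this bug */

    printf("needs %zu bytes, overflows 10-byte buffer: %d\n",
           expand_bytes_needed(poc), expand_overflows(poc));
    printf("10-byte buffer: %s\n",
           format_expand_param(poc, small, sizeof small) ? "rejected" : small);
    printf("12-byte buffer: %s\n",
           format_expand_param(poc, safe, sizeof safe) ? "rejected" : safe);
    return 0;
}
```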
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-07 11:17:18 UTC
CVE-Request: http://openwall.com/lists/oss-security/2017/01/01/1

Upstream patch: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-12-04 22:26:00 UTC
@arches, please stabilize.
Comment 3 Agostino Sarubbo gentoo-dev 2018-12-05 09:38:24 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:43:27 UTC
x86 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:03:12 UTC
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:23:22 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:55:25 UTC
ppc64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-08 12:23:19 UTC
arm stable
Comment 9 Matt Turner gentoo-dev 2018-12-23 03:19:28 UTC
alpha stable
Comment 10 Rolf Eike Beer archtester 2018-12-27 07:57:23 UTC
sparc stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-03 18:58:22 UTC
hppa stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2019-03-09 18:27:29 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].