Debian Bug report logs - #287038
CAN-2004-1297 process_font_table overflows name buffer


Package: unrtf; Maintainer for unrtf is Willi Mann <willi@debian.org>; Source for unrtf is src:unrtf.

Reported by: Joey Hess <joeyh@debian.org>

Date: Thu, 23 Dec 2004 20:33:02 UTC

Severity: grave

Tags: security, woody

Found in version 0.19.3-1

Fixed in version unrtf/0.19.3-1.1

Done: Nathanael Nerode <neroden@twcny.rr.com>

Bug is archived. No further changes may be made.

Forwarded to marcossamaral@terra.com.br, daved@physiol.usyd.edu.au



Report forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>:
Bug#287038; Package unrtf. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Christian Surchi <csurchi@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2004-1297 process_font_table overflows name buffer
Date: Thu, 23 Dec 2004 15:20:46 -0500
[Message part 1 (text/plain, inline)]
Package: unrtf
Version: 0.19.3-1
Severity: grave
Tags: security

According to http://tigger.uic.edu/~jlongs2/holes/unrtf.txt:
In convert.c, process_font_table() uses an unprotected
strcat() to copy any number of bytes into a 255-byte name array.

Verified in our package, although the attachment is not present at the
above URL. A fix should be as simple as using strncat.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages unrtf depends on:
ii  libc6                       2.3.2.ds1-19 GNU C Library: Shared libraries an

-- no debconf information

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]
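The report above describes an unbounded strcat() into a 255-byte name array and suggests strncat as the fix. The following is an added example, not unrtf's code nor any of the patches in this bug: a constructed stand-in for the font-name copy loop with a bounded append, including the strncat size pitfall (passing sizeof(name) rather than the remaining room) that a reviewer would check for in such a patch. NAME_LEN and the token strings are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Matches the 255-byte name array described in the report (assumption). */
#define NAME_LEN 255

/* Append tok to name without ever writing past NAME_LEN bytes (NUL included).
 * Returns 1 if tok fit entirely, 0 if it had to be truncated. */
static int append_font_name(char name[NAME_LEN], const char *tok)
{
    size_t used = strlen(name);
    if (used >= NAME_LEN - 1) {
        name[NAME_LEN - 1] = '\0';      /* buffer already full */
        return 0;
    }
    size_t room = NAME_LEN - 1 - used;  /* bytes left before the terminator */
    size_t n = strlen(tok);
    /* strncat's bound is the space *remaining*, not sizeof(name): writing
     * strncat(name, tok, NAME_LEN) here would still overflow once name
     * holds data, which is the classic strncat mistake. */
    strncat(name, tok, room);
    return n <= room;
}

/* Build a font name from successive tokens, as a font-table loop would.
 * Returns the number of tokens that were truncated (0 means all fit). */
static int build_font_name(char name[NAME_LEN], const char *const *toks, size_t ntoks)
{
    int truncated = 0;
    name[0] = '\0';
    for (size_t i = 0; i < ntoks; i++)
        truncated += !append_font_name(name, toks[i]);
    return truncated;
}

int main(void)
{
    /* Constructed input: a font name far longer than the array. */
    char name[NAME_LEN];
    char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    const char *toks[] = { "Times ", "New ", "Roman", big };
    int t = build_font_name(name, toks, 4);
    printf("len=%zu truncated=%d\n", strlen(name), t);
    return 0;
}
```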

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>:
Bug#287038; Package unrtf. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Surchi <csurchi@debian.org>. Full text and rfc822 format available.

Message #10 received at 287038@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 287038@bugs.debian.org
Subject: NMU diff(s)
Date: Sat, 25 Dec 2004 21:10:27 -0500
[Message part 1 (text/plain, inline)]
I've NMUed unrtf with an attempted fix for this security hole. I
actually attach two diffs.

unrtf.patch is how I tried to fix it first. Oddly, with that patch unrtf
will still segfault when converting a file such as the sample exploit
81.rtf (also attached for convenience). Actually, it begins to crash on
almost any input file. Weirder yet, gdb shows that strlen(tmp) is
crashing, though tmp is 0x0. There also seems to be some line
reordering/splitting that may be confusing gdb, even if it's built with -O0.

So I then tried the alternate, more expensive approach in
unrtf-final.patch, which works fine.

I think I've said before that I don't trust unrtf's code much; it seems
to do weird things often when gdb'd. Due to the above, untrust++ ...

-- 
see shy jo
[unrtf.patch (text/plain, attachment)]
[unrtf-final.patch (text/plain, attachment)]
[81.rtf (application/rtf, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>:
Bug#287038; Package unrtf. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Christian Surchi <csurchi@debian.org>. Full text and rfc822 format available.

Message #17 received at 287038@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 287038@bugs.debian.org
Cc: control@bugs.debian.org, <joey@kitenet.net>
Subject: Woody most likely affected as well
Date: Fri, 14 Jan 2005 14:44:35 +0100
[Message part 1 (text/plain, inline)]
reopen 287038
tags 287038 = security, woody
thanks

I just ran a diff on the woody and the Sid version of convert.c as
mentioned in http://tigger.uic.edu/~jlongs2/holes/unrtf.txt
and the relevant routine does not differ. So I assume that unrtf is
vulnerable in woody as well.

If this indeed should not be the case, please add CAN-2004-1297 to
http://www.debian.org/security/nonvulns-woody before closing.

Thanks

      Helge

-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>:
Bug#287038; Package unrtf. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Christian Surchi <csurchi@debian.org>. Full text and rfc822 format available.

Message #22 received at 287038@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 287038@bugs.debian.org
Cc: control@bugs.debian.org, <joey@kitenet.net>
Subject: Woody most likely affected as well
Date: Fri, 14 Jan 2005 18:07:16 +0100
reopen 287038
tags 287038 = security, woody
thanks

I just ran a diff on the woody and the Sid version of convert.c as
mentioned in http://tigger.uic.edu/~jlongs2/holes/unrtf.txt
and the relevant routine does not differ. So I assume that unrtf is
vulnerable in woody as well.

If this indeed should not be the case, please add CAN-2004-1297 to
http://www.debian.org/security/nonvulns-woody before closing.

Thanks

      Helge

-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/
Tags set to: security, woody. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags set to: security, woody. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Christian Surchi <csurchi@debian.org>:
You have marked Bug as forwarded. Full text and rfc822 format available.

Message #29 received at 287038-forwarded@bugs.debian.org (full text, mbox):

From: Christian Surchi <csurchi@debian.org>
To: marcossamaral@terra.com.br, daved@physiol.usyd.edu.au
Cc: 287038-forwarded@bugs.debian.org
Subject: [Fwd: Bug#287038: Woody most likely affected as well]
Date: Mon, 28 Mar 2005 17:30:19 +0200
------- Forwarded message -------
From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
Reply-To: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>,
287038@bugs.debian.org
To: 287038@bugs.debian.org
Cc: control@bugs.debian.org, joey@kitenet.net
Subject: Bug#287038: Woody most likely affected as well
Date: Fri, 14 Jan 2005 18:07:16 +0100

reopen 287038
tags 287038 = security, woody
thanks

I just ran a diff on the woody and the Sid version of convert.c as
mentioned in http://tigger.uic.edu/~jlongs2/holes/unrtf.txt
and the relevant routine does not differ. So I assume that unrtf is
vulnerable in woody as well.

If this indeed should not be the case, please add CAN-2004-1297 to
http://www.debian.org/security/nonvulns-woody before closing.

Thanks

      Helge
Information forwarded to debian-bugs-dist@lists.debian.org, Christian Surchi <csurchi@debian.org>:
Bug#287038; Package unrtf. Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Surchi <csurchi@debian.org>. Full text and rfc822 format available.

Message #34 received at 287038@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: Christian Surchi <csurchi@debian.org>, 287038@bugs.debian.org
Subject: Any progress regarding DSA for unrtf (CAN-2004-1297)
Date: Wed, 20 Apr 2005 19:57:32 +0200
Hello Christian

You have an open grave/security bug that has had no visible progress
since some weeks now. Are there any open problems where help is needed?

(In fact you did not even acknowledge Joey Hess' NMU; are you maybe no
longer an active maintainer?)

bye,

-christian-
Bug marked as fixed in version 0.19.3-1.1, send any further explanations to Joey Hess <joeyh@debian.org>. Request was from Nathanael Nerode <neroden@twcny.rr.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 06:38:28 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 09:34:25 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.