Debian Bug report logs - #684078
calligra: Buffer overflow


Package: wv2; Maintainer for wv2 is Olly Betts <olly@survex.com>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 6 Aug 2012 08:33:01 UTC

Severity: grave

Tags: patch, upstream

Fixed in version wv2/0.4.2.dfsg.1-9.1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#684004; Package calligra. (Mon, 06 Aug 2012 08:33:03 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 06 Aug 2012 08:33:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: calligra: Buffer overflow
Date: Mon, 06 Aug 2012 10:28:51 +0200
Package: calligra
Severity: grave
Tags: security
Justification: user security hole

Please see:
https://projects.kde.org/projects/calligra/repository/diff?rev=7d72f7dd8d28d18c59a08a7d43bd4e0654043103&rev_to=7a9fa21b1f812b74b3e1501480dd14d10aeb347b

Reported here:
http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf (page 39ff)

There's no CVE ID yet.

Cheers,
        Moritz



Added tag(s) upstream, pending, and fixed-upstream. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Mon, 06 Aug 2012 09:27:07 GMT).


Bug 684004 cloned as bug 684078. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Mon, 06 Aug 2012 19:09:13 GMT).


Bug reassigned from package 'calligra' to 'wv2'. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Mon, 06 Aug 2012 19:09:14 GMT).


Removed tag(s) security, fixed-upstream, and pending. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Mon, 06 Aug 2012 19:18:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Olly Betts <olly@survex.com>:
Bug#684078; Package wv2. (Mon, 06 Aug 2012 19:21:03 GMT).


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to Olly Betts <olly@survex.com>. (Mon, 06 Aug 2012 19:21:03 GMT).


Message #18 received at 684078@bugs.debian.org:

From: Scott Kitterman <debian@kitterman.com>
To: 684078@bugs.debian.org
Subject: Calligra fix doesn't work for wv2
Date: Mon, 06 Aug 2012 15:18:07 -0400
I tried applying the patch calligra used to wv2 and it failed to build:

[ 47%] Building CXX object src/CMakeFiles/wv2.dir/styles.cpp.o
cd /tmp/buildd/wv2-0.4.2.dfsg.1/obj-i486-linux-gnu/src && /usr/lib/ccache/c++   
-Dwv2_EXPORTS -DHAVE_CONFIG_H -g -O2 -fstack-protector --param=ssp-buffer-
size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -DNDEBUG -fPIC -
I/usr/include/glib-2.0 -I/usr/lib/i386-linux-gnu/glib-2.0/include -
I/usr/include/libgsf-1 -I/tmp/buildd/wv2-0.4.2.dfsg.1/src -
I/tmp/buildd/wv2-0.4.2.dfsg.1/obj-i486-linux-gnu    -o 
CMakeFiles/wv2.dir/styles.cpp.o -c /tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp
/tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp:242:2: warning: #warning "Couldn't 
generate writing code for STD::xstzName" [-Wcpp]
/tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp:246:2: warning: #warning "Couldn't 
generate writing code for STD::grupx" [-Wcpp]
/tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp: In member function 'void 
wvWare::Word97::STD::readStyleName(wvWare::U16, wvWare::OLEStreamReader*)':
/tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp:281:13: error: 'offset' was not 
declared in this scope
/tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp:281:22: error: 'cbUPX' was not 
declared in this scope
/tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp:282:62: error: 'endl' was not 
declared in this scope
/tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp:282:62: note: suggested 
alternative:
In file included from /usr/include/c++/4.7/iostream:40:0,
                 from /tmp/buildd/wv2-0.4.2.dfsg.1/src/wvlog.h:22,
                 from /tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp:25:
/usr/include/c++/4.7/ostream:562:5: note:   'std::endl'
/tmp/buildd/wv2-0.4.2.dfsg.1/src/styles.cpp:283:20: error: return-statement 
with a value, in function returning 'void' [-fpermissive]
make[3]: *** [src/CMakeFiles/wv2.dir/styles.cpp.o] Error 1
make[3]: Leaving directory `/tmp/buildd/wv2-0.4.2.dfsg.1/obj-i486-linux-gnu'
make[2]: *** [src/CMakeFiles/wv2.dir/all] Error 2
make[2]: Leaving directory `/tmp/buildd/wv2-0.4.2.dfsg.1/obj-i486-linux-gnu'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/tmp/buildd/wv2-0.4.2.dfsg.1/obj-i486-linux-gnu'
dh_auto_build: make -j1 returned exit code 2
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

Since the only wv2 user in the archive is (AFAICT) Calligra, it has a 
substantially developed fork, and it looks like the original wv2 upstream is 
dead (last release in 2009), perhaps it's better just to remove it.

Scott K

Information forwarded to debian-bugs-dist@lists.debian.org, Olly Betts <olly@survex.com>:
Bug#684078; Package wv2. (Sun, 26 Aug 2012 13:33:03 GMT).


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Olly Betts <olly@survex.com>. (Sun, 26 Aug 2012 13:33:03 GMT).


Message #23 received at 684078@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 684078@bugs.debian.org
Subject: wv2: diff for NMU version 0.4.2.dfsg.1-9.1
Date: Sun, 26 Aug 2012 15:30:15 +0200
tags 684078 + patch
tags 684078 + pending
thanks

Dear maintainer,

I've prepared an NMU for wv2 (versioned as 0.4.2.dfsg.1-9.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Willi Resetarits + Stubnblues: alanech fia dii
[wv2-0.4.2.dfsg.1-9.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Sun, 26 Aug 2012 13:33:05 GMT).


Added tag(s) pending. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Sun, 26 Aug 2012 13:33:05 GMT).


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Tue, 28 Aug 2012 13:51:03 GMT).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 28 Aug 2012 13:51:03 GMT).


Message #32 received at 684078-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 684078-close@bugs.debian.org
Subject: Bug#684078: fixed in wv2 0.4.2.dfsg.1-9.1
Date: Tue, 28 Aug 2012 13:47:40 +0000
Source: wv2
Source-Version: 0.4.2.dfsg.1-9.1

We believe that the bug you reported is fixed in the latest version of
wv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684078@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated wv2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 26 Aug 2012 15:20:51 +0200
Source: wv2
Binary: libwv2-4 libwv2-dev
Architecture: source amd64
Version: 0.4.2.dfsg.1-9.1
Distribution: unstable
Urgency: low
Maintainer: Olly Betts <olly@survex.com>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 libwv2-4   - library for accessing Microsoft Word documents
 libwv2-dev - development files for Microsoft Word access library
Closes: 684078
Changes: 
 wv2 (0.4.2.dfsg.1-9.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * [SECURITY] Fix "Buffer overflow":
     add patch buffer-overflow.patch, taken from calligra git.
     (Closes: #684078)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:19:00 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 13 05:46:33 2018; Machine Name: beach
