Debian Bug report logs - #692076
catdoc: Extra ';' turns for loop into a buffer overflow

Package: catdoc; Maintainer for catdoc is Nick Bane <nick@enomem.co.uk>; Source for catdoc is src:catdoc.

Reported by: Olly Betts <olly@survex.com>

Date: Thu, 1 Nov 2012 23:15:02 UTC

Severity: serious

Tags: patch, security

Found in version catdoc/0.94.3-1

Fixed in version catdoc/0.94.4-1.1

Done: Neil Williams <codehelp@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Nick Bane <nick@enomem.co.uk>:
Bug#692076; Package catdoc. (Thu, 01 Nov 2012 23:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olly Betts <olly@survex.com>:
New Bug report received and forwarded. Copy sent to Nick Bane <nick@enomem.co.uk>. (Thu, 01 Nov 2012 23:15:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Olly Betts <olly@survex.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: catdoc: Extra ';' turns for loop into a buffer overflow
Date: Fri, 2 Nov 2012 12:10:54 +1300
Package: catdoc
Version: 0.94.3-1
Severity: serious
Tags: patch, security

src/xlsparse.c contains:

        for (i=0;i<NUMOFDATEFORMATS; i++);
        FormatIdxUsed[i]=0;

The ';' at the end of the first line shouldn't be there.  It results in the
code doing the same as:

        i = NUMOFDATEFORMATS;
        FormatIdxUsed[i]=0;

And FormatIdxUsed has NUMOFDATEFORMATS elements, which start from 0 so
FormatIdxUsed[NUMOFDATEFORMATS] is writing off the end of the buffer.
That's undefined behaviour in C and a security issue, though whether it's
usefully exploitable in the current binary packages depends what happens
to be put in memory after it.  But an obvious use case for catdoc is viewing
attachments you get sent or files you download, so it seems wise to assume
this could be exploited unless proved otherwise, so I've tagged this
"security" and set the severity to "serious".

Patch attached.  I'm happy to NMU a fix (at least assuming I can work
around #692073), so let me know if you'd like me to.

Cheers,
    Olly

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages catdoc depends on:
ii  libc6  2.13-35

catdoc recommends no packages.

Versions of packages catdoc suggests:
ii  tk            8.5.0-2
ii  tk8.4 [wish]  8.4.19-5
ii  tk8.5 [wish]  8.5.11-2

-- no debconf information
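To make the off-by-one in the report concrete, here is an added C example (not catdoc's own code; NUMOFDATEFORMATS is set to an assumed 8) that runs both the shipped loop and the corrected loop through a bounds-checked store, so the stray write is counted instead of performed.

```c
#include <string.h>

/* Assumed size for this example; catdoc defines the real constant in its headers. */
#define NUMOFDATEFORMATS 8

typedef struct {
    unsigned char FormatIdxUsed[NUMOFDATEFORMATS];
    int oob_attempts;   /* writes that would have landed past the end of the array */
} fmt_state;

/* Bounds-checked store shared by both variants, so the buggy one can be executed
 * without corrupting memory. Returns 1 when the write was in bounds, 0 otherwise. */
static int store(fmt_state *s, int idx, unsigned char v) {
    if (idx < 0 || idx >= NUMOFDATEFORMATS) {
        s->oob_attempts++;
        return 0;
    }
    s->FormatIdxUsed[idx] = v;
    return 1;
}

/* Variant as shipped in catdoc 0.94.3. The lone ';' is the whole loop body
 * (here on its own line, same semantics), so the loop only advances i and the
 * single write afterwards uses i == NUMOFDATEFORMATS, one past the last slot. */
int clear_buggy(fmt_state *s) {
    int i;
    memset(s->FormatIdxUsed, 0xFF, sizeof s->FormatIdxUsed);  /* mark all slots dirty */
    s->oob_attempts = 0;
    for (i = 0; i < NUMOFDATEFORMATS; i++)
        ;
    return store(s, i, 0);   /* returns 0: the write is out of bounds */
}

/* Corrected variant: braces make the body explicit and every slot is cleared. */
int clear_fixed(fmt_state *s) {
    int i, ok = 1;
    memset(s->FormatIdxUsed, 0xFF, sizeof s->FormatIdxUsed);
    s->oob_attempts = 0;
    for (i = 0; i < NUMOFDATEFORMATS; i++) {
        ok &= store(s, i, 0);
    }
    return ok;   /* 1: all NUMOFDATEFORMATS writes were in bounds */
}

/* Number of slots still carrying the dirty marker after a clear attempt. */
int uncleared_slots(const fmt_state *s) {
    int i, n = 0;
    for (i = 0; i < NUMOFDATEFORMATS; i++) n += (s->FormatIdxUsed[i] != 0);
    return n;
}
```

Clang's -Wempty-body warns on a for loop whose body is a lone ';' at the end of the line, which is the cheapest way to catch this class of slip at build time.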



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Bane <nick@enomem.co.uk>:
Bug#692076; Package catdoc. (Fri, 02 Nov 2012 23:27:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olly Betts <olly@survex.com>:
Extra info received and forwarded to list. Copy sent to Nick Bane <nick@enomem.co.uk>. (Fri, 02 Nov 2012 23:27:07 GMT) Full text and rfc822 format available.

Message #10 received at 692076@bugs.debian.org (full text, mbox):

From: Olly Betts <olly@survex.com>
To: Debian Bug Tracking System <692076@bugs.debian.org>
Subject: Re: catdoc: Extra ';' turns for loop into a buffer overflow
Date: Sat, 3 Nov 2012 11:58:21 +1300
[Message part 1 (text/plain, inline)]
On Fri, Nov 02, 2012 at 12:10:54PM +1300, Olly Betts wrote:
> Patch attached.  I'm happy to NMU a fix (at least assuming I can work
> around #692073), so let me know if you'd like me to.

And again I failed to attach it.  Here it is.

Cheers,
    Olly
[catdoc-bad-for-loop.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Bane <nick@enomem.co.uk>:
Bug#692076; Package catdoc. (Thu, 08 Nov 2012 00:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olly Betts <olly@survex.com>:
Extra info received and forwarded to list. Copy sent to Nick Bane <nick@enomem.co.uk>. (Thu, 08 Nov 2012 00:00:04 GMT) Full text and rfc822 format available.

Message #15 received at 692076@bugs.debian.org (full text, mbox):

From: Olly Betts <olly@survex.com>
To: Stefan Cornelius <scorneli@redhat.com>
Cc: 692076@bugs.debian.org
Subject: Re: Heads-Up: catdoc patch accidentally reversed?
Date: Wed, 7 Nov 2012 23:28:50 +0000
On Wed, Nov 07, 2012 at 11:23:21AM +0100, Stefan Cornelius wrote:
> It looks to me like the patch provided by you in [1] to fix Debian bug
> #692076 [2] is reversed. I'm not sure if that's by intention or not,
> so I thought I'd just give you a quick heads-up.

Thanks - catdoc-bad-for-loop.patch is indeed accidentally reversed -
just a slip on my part in generating the patch, but it's probably worth
explicitly pointing out on the ticket in case people look quickly and
think they have the fix applied already (so cc-ing).

(Also noted by Nick Bane).

Cheers,
    Olly



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Bane <nick@enomem.co.uk>:
Bug#692076; Package catdoc. (Sat, 10 Nov 2012 13:21:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to kartik@debian.org:
Extra info received and forwarded to list. Copy sent to Nick Bane <nick@enomem.co.uk>. (Sat, 10 Nov 2012 13:21:09 GMT) Full text and rfc822 format available.

Message #20 received at 692076@bugs.debian.org (full text, mbox):

From: Kartik Mistry <kartik@debian.org>
To: 692076@bugs.debian.org
Subject: Needs sponsor?
Date: Sat, 10 Nov 2012 18:46:50 +0530
Hi Nick,

Do let me know if you need a sponsor for this bug fix upload.

Thanks!

-- 
Kartik Mistry | IRC: kart_
{0x1f1f, kartikm}.wordpress.com



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Bane <nick@enomem.co.uk>:
Bug#692076; Package catdoc. (Fri, 16 Nov 2012 23:21:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Bane <nick@enomem.co.uk>. (Fri, 16 Nov 2012 23:21:10 GMT) Full text and rfc822 format available.

Message #25 received at 692076@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: 692076@bugs.debian.org
Subject: apologies for delay
Date: Fri, 16 Nov 2012 23:18:28 +0000
[Message part 1 (text/plain, inline)]
I'll be looking into this bug this weekend. I'm not sure about the
severity at this stage - need to see how CleanUpFormatIdxUsed is
actually used.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Bane <nick@enomem.co.uk>:
Bug#692076; Package catdoc. (Sun, 18 Nov 2012 20:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Bane <nick@enomem.co.uk>. (Sun, 18 Nov 2012 20:18:05 GMT) Full text and rfc822 format available.

Message #30 received at 692076@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: 692076@bugs.debian.org
Cc: 692073-quiet@bugs.debian.org, 692076-submitter@bugs.debian.org
Subject: Re: apologies for delay
Date: Sun, 18 Nov 2012 20:15:37 +0000
[Message part 1 (text/plain, inline)]
On Fri, 16 Nov 2012 23:18:28 +0000
Neil Williams <codehelp@debian.org> wrote:

> I'll be looking into this bug this weekend. I'm not sure about the
> severity at this stage - need to see how CleanUpFormatIdxUsed is
> actually used.

I'm checking with the release team about my preferred solution of
preparing a new upstream release of 0.94.4 which fixes #692073 and
includes the fix for #692076 in the same release - with no other
changes. I'll sort out a branch to make this change and sponsor Nick to
do the upload.

http://lists.debian.org/debian-release/2012/11/msg00712.html

We do have other pending changes, including a proper fix for the build
system (cmake), which will push to 0.95.0 after Wheezy, including all
the patches currently in SVN, with a backport.

Once I get a response from the release team, I'll sort out the versions
in the current SVN changelog to match.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/

[Message part 2 (application/pgp-signature, inline)]

Message sent on to Olly Betts <olly@survex.com>:
Bug#692076. (Sun, 18 Nov 2012 20:18:15 GMT) Full text and rfc822 format available.

Message sent on to Olly Betts <olly@survex.com>:
Bug#692076. (Thu, 22 Nov 2012 09:48:09 GMT) Full text and rfc822 format available.

Message #36 received at 692076-submitter@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: 692076-submitter@bugs.debian.org
Cc: 692073@bugs.debian.org
Subject: proposal approved
Date: Thu, 22 Nov 2012 09:46:37 +0000
[Message part 1 (text/plain, inline)]
Our proposed method is to fix the two bugs in a minimal change new
upstream 0.94.4 release. This will involve making the change for
src/xlsparse.c and fixing the released tarball with no other changes.

The latest this should be complete (including the upload of the new
upstream release to close these two bugs in unstable) is expected to be
the end of next week. If it can be moved up, we will. 

A few days after the bugs are closed in unstable, Nick will file the
unblock request to get the changes into Wheezy.

The new release will be done in a branch in SVN and then the changes
pushed back into trunk at a later date. The cmake branch will likely be
merged at that point as well, getting us finally to 0.95.0 or possibly
even 1.0.0. At some point (after Wheezy), there will be another new
upstream release and that will be uploaded to go into Jessie and
backported to Wheezy-backports.



-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Nick Bane <nick@enomem.co.uk>:
Bug#692076; Package catdoc. (Mon, 03 Dec 2012 20:48:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Bane <nick@enomem.co.uk>. (Mon, 03 Dec 2012 20:48:07 GMT) Full text and rfc822 format available.

Message #41 received at 692076@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: 692073@bugs.debian.org
Cc: 692076@bugs.debian.org
Subject: catdoc NMU by upstream
Date: Mon, 3 Dec 2012 19:02:22 +0000
[Message part 1 (text/plain, inline)]
I'm part of the upstream for catdoc, so as Nick Bane has suddenly been
diverted by RealLife and cannot make the changes for sponsoring, I've
made the changes upstream and NMU'd the Debian package.

The changes principally involve fixing tarball.sh as the current hacky
way that the catdoc orig tarball is created and then applying the patch
for the buffer overflow.

(The next upstream release of catdoc is scheduled to use cmake which
will remove all of these historical autotools problems.)

The upstream changes are confined to removing the .pc directory,
updating the package version string and then applying the patch
directly to the upstream.

I'll file the unblock request with the attached diff once catdoc has
been in unstable for a few days.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/

[nmu.diff (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Neil Williams <codehelp@debian.org>:
You have taken responsibility. (Mon, 03 Dec 2012 21:45:11 GMT) Full text and rfc822 format available.

Notification sent to Olly Betts <olly@survex.com>:
Bug acknowledged by developer. (Mon, 03 Dec 2012 21:45:11 GMT) Full text and rfc822 format available.

Message #46 received at 692076-close@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: 692076-close@bugs.debian.org
Subject: Bug#692076: fixed in catdoc 0.94.4-1.1
Date: Mon, 03 Dec 2012 19:02:30 +0000
Source: catdoc
Source-Version: 0.94.4-1.1

We believe that the bug you reported is fixed in the latest version of
catdoc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Neil Williams <codehelp@debian.org> (supplier of updated catdoc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 03 Dec 2012 18:22:47 +0000
Source: catdoc
Binary: catdoc
Architecture: source amd64
Version: 0.94.4-1.1
Distribution: unstable
Urgency: low
Maintainer: Nick Bane <nick@enomem.co.uk>
Changed-By: Neil Williams <codehelp@debian.org>
Description: 
 catdoc     - MS-Word to TeX or plain text converter
Closes: 692073 692076
Changes: 
 catdoc (0.94.4-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * New upstream release to remove .pc subdirectory from
     the orig tarball (Closes: #692073). Includes updating
     version strings in generated manpages.
   * Remove extra ';' in src/xlsparse.c which turned for loop in
     xlsparse into a buffer overflow (Closes: #692076), applies
     patch by Olly Betts <olly@survex.com>.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Jan 2013 07:28:14 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:09:33 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.