Bug 1489337

Summary: There is a heap overflow in libwpd. This vulnerability has been triggered in libreoffice.
Product: Red Hat Enterprise Linux 7
Reporter: owl337 <v.owl337>
Component: libwpd
Assignee: Caolan McNamara <caolanm>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 7.4
CC: alexl, caillon+fedoraproject, caolanm, dtardon, rhughes, rstrode, sandmann, tis
Target Milestone: rc
Keywords: Security
Target Release: 7.5
Hardware: All
OS: Unspecified
Last Closed: 2020-04-27 12:05:37 UTC
Type: Bug
Bug Blocks: 1491812
Attachments (flags: none):
  - Triggered by "./wpd2html POC1"
  - extracted from rar
  - proposed fix

Description owl337 2017-09-07 08:58:29 UTC
Created attachment 1322984 [details]
Triggered by  "./wpd2html POC1"

Description of problem:

There is a heap overflow in libwpd. This vulnerability has been triggered in libreoffice. It may exist in other office applications.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./wpd2html POC1

Steps to Reproduce:


=================================================================
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
    #0 0x7ffff7ad9910  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
    #1 0x7ffff7acfaaa  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
    #2 0x7ffff7ad1ef2  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9def2)
    #3 0x7ffff7b37554  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x103554)
    #4 0x7ffff7a86cf6  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x52cf6)
    #5 0x7ffff7aa944f  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x7544f)
    #6 0x7ffff7a975cb  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x635cb)
    #7 0x7ffff7a9835e  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x6435e)
    #8 0x7ffff7b3628c  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x10228c)
    #9 0x4ee0d5  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)
    #10 0x7ffff611682f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4194d8  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4194d8)

0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
    #0 0x4eabd0  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
    #1 0x7ffff7b5de49  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)
    #2 0x7ffff7b5a3e4  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x1263e4)
    #3 0x7ffff7adb15b  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa715b)
    #4 0x7ffff7acf975  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9b975)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910) 
Shadow bytes around the buggy address:
  0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff9b80: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
  0x0c087fff9b90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==115429==ABORTING
[Inferior 1 (process 115429) exited with code 01]


$./wpd2html POC1
Segmentation fault

The GDB debugging information is as follows:

(gdb)set args POC1
(gdb)r
(gdb) i b
Num     Type           Disp Enb Address            What
5       breakpoint     keep y   0x00007ffff7b87f37 in WPXTableList::WPXTableList(WPXTableList const&) 
                                                   at WPXTable.cpp:170
	breakpoint already hit 18 times
(gdb) p m_refCount 
$7 = (int *) 0x6e616d6f522077
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
170			(*m_refCount)++;
(gdb) bt
#0  0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
#1  0x00007ffff7b37b6f in WPXHeaderFooter::getTableList (this=<optimized out>) at ./WPXPageSpan.h:66
#2  WP5StylesListener::insertBreak (this=<optimized out>, breakType=<optimized out>) at WP5StylesListener.cpp:94
#3  0x00007ffff7b31a01 in WP5Parser::parseDocument (input=<optimized out>, encryption=<optimized out>, 
    listener=<optimized out>) at WP5Parser.cpp:102
#4  0x00007ffff7b332bd in WP5Parser::parseSubDocument (this=0x6284c0, documentInterface=0x7fffffffe420)
    at WP5Parser.cpp:234
#5  0x00007ffff7b6f5da in libwpd::WPDocument::parseSubDocument (input=0x6272c0, textInterface=0x7fffffffe420, 
    fileFormat=<optimized out>) at WPDocument.cpp:460
#6  0x00007ffff7b0492a in WP3ContentListener::insertWP51Table (this=0x7fffffffe1c8, height=<optimized out>, 
    width=<optimized out>, verticalOffset=<optimized out>, horizontalOffset=<optimized out>, 
    leftColumn=<optimized out>, rightColumn=<optimized out>, figureFlags=65535, subDocument=0x627280, caption=0x627320)
    at WP3ContentListener.cpp:867
#7  0x00007ffff7b19826 in WP3WindowGroup::parse (this=0x6287e0, listener=0x7fffffffe1c8) at WP3WindowGroup.cpp:144
#8  0x00007ffff7b0deee in WP3Parser::parseDocument (input=<optimized out>, listener=<optimized out>, 
    encryption=<optimized out>) at WP3Parser.cpp:107
#9  WP3Parser::parse (this=<optimized out>, input=<optimized out>, encryption=<optimized out>, listener=<optimized out>)
    at WP3Parser.cpp:76
#10 0x00007ffff7b0e742 in WP3Parser::parse (this=<optimized out>, textInterface=<optimized out>) at WP3Parser.cpp:153
#11 0x00007ffff7b6e6a1 in libwpd::WPDocument::parse (input=<optimized out>, textInterface=<optimized out>, password=0x0)
    at WPDocument.cpp:345
#12 0x00000000004018f2 in main (argc=<optimized out>, argv=<optimized out>) at wpd2html.cpp:116


There is an erroneous memory access in the function WPXTableList::WPXTableList() at line WPXTable.cpp:170.
165 WPXTableList::WPXTableList(const WPXTableList &tableList) :
166         m_tableList(tableList.get()),
167         m_refCount(tableList.getRef())
168 {
169         if (m_refCount)
170                 (*m_refCount)++;
171 }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer CollAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
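A small triage helper for the crash data quoted in the description, added here as an example and not part of the bug report or of libwpd: it parses the ASan access and region lines to compute how far past the 48-byte allocation the 4-byte read landed, and reinterprets the m_refCount value gdb printed as the little-endian bytes it was loaded from, which tells a triager whether the "pointer" was copied out of memory holding text. The sample input is copied from the report above, trimmed to the three ASan lines the parser needs; the field names in the returned dict are this example's own.

```python
import re

# Input copied from the ASan report and gdb session quoted in this bug (trimmed to the lines used).
ASAN_REPORT = """\
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
"""
GDB_REFCOUNT_PTR = "0x6e616d6f522077"  # "$7 = (int *) 0x6e616d6f522077" from the gdb session

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def parse_asan(report):
    """Locate the faulting access relative to the allocation ASan blames."""
    access = ACCESS_RE.search(report)
    region = REGION_RE.search(report)
    if not access or not region:
        raise ValueError("no heap-buffer-overflow access/region lines found")
    kind, size, addr = access.group(1), int(access.group(2)), int(access.group(3), 16)
    lo, hi = int(region.group(4), 16), int(region.group(5), 16)
    return {
        "kind": kind,
        "size": size,
        "region_size": hi - lo,
        "offset": addr - lo,         # where in the allocation the access starts
        "past_end": addr - hi,       # > 0 means the access begins beyond the allocation
        "spills": addr + size > hi,  # True when any byte of the access lies outside [lo, hi)
    }


def pointer_as_text(ptr_hex, width=8):
    """Reinterpret a pointer value as the little-endian bytes it was loaded from.
    A printable result means the 'pointer' came from memory holding text, so the
    object it was copied out of is not a live WPXTableList."""
    raw = int(ptr_hex, 16).to_bytes(width, "little").rstrip(b"\x00")
    if raw and all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None


def triage(report, ptr_hex):
    """Combine both findings; the refcount pointer is bad whenever either check fires."""
    facts = parse_asan(report)
    facts["pointer_text"] = pointer_as_text(ptr_hex)
    facts["bad_refcount_ptr"] = facts["spills"] or facts["pointer_text"] is not None
    return facts
```

Running `triage(ASAN_REPORT, GDB_REFCOUNT_PTR)` reports the read starting 4 bytes past the end of the 48-byte region and decodes the gdb pointer to "w Roman", both pointing at a copy from an invalid source object rather than at the increment itself.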

Comment 1 Tuomo Soini 2017-09-07 09:42:40 UTC
libwpd is not epel package. Please move this to rhel.

Comment 3 Caolan McNamara 2017-09-07 11:02:21 UTC
Created attachment 1323059 [details]
extracted from rar

Comment 4 Caolan McNamara 2017-09-07 12:44:57 UTC
https://sourceforge.net/p/libwpd/tickets/14/

Comment 5 Caolan McNamara 2017-09-07 13:11:44 UTC
Created attachment 1323097 [details]
proposed fix

Comment 6 Fedora Update System 2017-09-07 13:31:34 UTC
libwpd-0.10.1-8.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-40a66b18c8

Comment 7 Fedora Update System 2017-09-07 13:31:42 UTC
libwpd-0.10.1-8.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6314903eb9

Comment 8 Fedora Update System 2017-09-07 13:31:50 UTC
libwpd-0.10.1-8.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7096a9fdca

Comment 9 Fedora Update System 2017-09-07 18:24:15 UTC
libwpd-0.10.1-8.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7096a9fdca

Comment 10 Fedora Update System 2017-09-08 00:24:47 UTC
libwpd-0.10.1-8.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6314903eb9

Comment 11 Fedora Update System 2017-09-08 01:22:01 UTC
libwpd-0.10.1-8.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-40a66b18c8

Comment 12 Fedora Update System 2017-09-13 10:57:50 UTC
libwpd-0.10.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5128c8cfe2

Comment 13 Fedora Update System 2017-09-13 10:58:03 UTC
libwpd-0.10.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-63ff51c0dc

Comment 14 Fedora Update System 2017-09-13 10:58:21 UTC
libwpd-0.10.2-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6e66393536

Comment 15 Fedora Update System 2017-09-13 19:24:34 UTC
libwpd-0.10.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5128c8cfe2

Comment 16 Fedora Update System 2017-09-14 04:53:00 UTC
libwpd-0.10.2-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-63ff51c0dc

Comment 17 Fedora Update System 2017-09-14 05:50:16 UTC
libwpd-0.10.2-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6e66393536

Comment 20 RHEL Program Management 2020-04-27 12:05:37 UTC
Development Management has reviewed and declined this request. You may appeal this decision by using your Red Hat support channels, who will make certain the issue receives the proper prioritization with product and development management.

https://www.redhat.com/support/process/production/#howto