Bug 1601233
| Summary: | one null pointer deference bug in stradd in fileutil.c | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | rookie <92wyunchao> | ||||
| Component: | catdoc | Assignee: | Robert Scheck <redhat-bugzilla> | ||||
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | epel7 | CC: | adel.gadllah, redhat-bugzilla | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2024-07-09 02:28:34 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.\n\nEPEL 7 is no longer maintained, which means that it\nwill not receive any further security or bug fix updates.\n As a result we are closing this bug. |
Created attachment 1458982 [details] poc to reproduce the crash Description of problem: There exists one null pointer deference bug in stradd in fileutil.c in catdoc0.95 which allows attacker to cause a denial-of-service via a crafted xls file.This bug can be triggered by the executable xls2csv. Version-Release number of selected component (if applicable): catdoc-0.95 How reproducible: xls2csv $poc Actual results: ASan: ==38018==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f550749b746 bp 0x7ffd37a6f9c0 sp 0x7ffd37a6f158 T0) #0 0x7f550749b745 in strlen /build/glibc-Cl5G7W/glibc-2.23/string/../sysdeps/x86_64/strlen.S:76 #1 0x436aac in __interceptor_strlen.part.45 asan_interceptors.cc.o #2 0x4f5447 in stradd /home/s2e/catdoc-0.95/src/fileutil.c:124 #3 0x4f1287 in read_charset /home/s2e/catdoc-0.95/src/charsets.c:79 #4 0x4edb6f in process_item /home/s2e/catdoc-0.95/src/xlsparse.c:159 #5 0x4ed291 in do_table /home/s2e/catdoc-0.95/src/xlsparse.c:116 #6 0x4eb211 in main /home/s2e/catdoc-0.95/src/xls2csv.c:167 #7 0x7f550743082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #8 0x419048 in _start (/home/s2e/catdoc-0.95/src/xls2csv+0x419048)