Bug 170030

Summary: CAN-2005-2972 abiword multiple buffer overflows
Product: [Fedora] Fedora
Reporter: Josh Bressers <bressers>
Component: abiword
Assignee: Caolan McNamara <caolanm>
Status: CLOSED ERRATA
QA Contact: Mike McLean <mikem>
Severity: low
Docs Contact:
Priority: medium
Version: 3
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,source=vendorsec,reported=20051002,embargo=yes
Fixed In Version: 2.0.12-12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-20 13:35:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Proposed upstream patch (flags: none)

Description Josh Bressers 2005-10-06 17:38:04 UTC
This was reported to vendor-sec by Chris Evans:

Bad news, I'm afraid - I located 10 mins to have a look at the Abiword
(2.2.10) RTF importer code and there look to be multiple additional
buffer overflow vulnerabilities. Here are the ones I found with a
quick scan:

(All in ie_imp_RTF.cpp).

1) ParseLevelText, line 411 - apparent overflow of stack-based buffer
iLevelText.

2) getCharsInsideBrace, line 6967 - apparent overflow of static buffer keyword.

3) HandleLists, line 8221 - overflow. Demo at
http://scary.beasts.org/misc/abi1.rtf

4) HandleLists, lines 8224, 8228 - apparent overflows.

5) HandleAbiLists, line 8979 - overflow. Demo at
http://scary.beasts.org/misc/abi2.rtf

6) HandleAbiLists - various lines. Additional similarly coded
overflows to item 5).

7) HandleAbiLists, line 8984 - apparent overflow.

8) HandleAbiLists - various lines. Additional similarly coded
overflows to item 7).
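
As an added illustration of the bug class the report names (a fixed-size keyword or level-text buffer filled from the document without a length check), here is a bounds-checked RTF control-word reader written for this page. It is not AbiWord's code and every name in it is hypothetical. It sizes the buffer from the specification's 32-letter control-word limit, refuses any token that would not fit instead of copying it, and scans two constructed RTF fragments, one well-formed and one carrying an over-long control word, checking guard bytes placed after the buffer to show that nothing was written past its end.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Longest control word the RTF spec allows (letters only).  The buffer
 * below is sized from this, but the reader enforces the buffer size,
 * never the document's own claim about how long its tokens are. */
#define RTF_KEYWORD_MAX 32

/* Read the control word (or control symbol) at **in, which must point
 * at its backslash.  On success the letters are copied into out
 * (NUL-terminated), any numeric parameter and the optional delimiter
 * space are skipped, *in is advanced, and the letter count is returned.
 * Returns -1 with out empty and *in unchanged if the token would not
 * fit in outsz bytes, so the caller can skip or reject the document. */
static int rtf_read_keyword(const char **in, char *out, size_t outsz)
{
    const char *p = *in;
    size_t n = 0;

    if (outsz < 2 || *p != '\\' || p[1] == '\0')
        return -1;
    p++;

    if (!isalpha((unsigned char)*p)) {      /* control symbol, e.g. \' or \* */
        out[0] = *p;
        out[1] = '\0';
        *in = p + 1;
        return 1;
    }
    while (isalpha((unsigned char)*p)) {
        if (n + 1 >= outsz) {               /* no room for letter plus NUL */
            out[0] = '\0';
            return -1;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    if (*p == '-') p++;                     /* optional signed numeric parameter */
    while (isdigit((unsigned char)*p)) p++;
    if (*p == ' ') p++;                     /* optional delimiter */
    *in = p;
    return (int)n;
}

/* Keyword buffer followed by guard bytes; the guard only stays intact
 * because rtf_read_keyword refuses to write past the buffer. */
struct kw_buf {
    char kw[RTF_KEYWORD_MAX + 1];
    unsigned char guard[8];
};

/* Scan doc for control words, counting accepted and rejected tokens.
 * Returns 1 if the guard bytes survived the scan, 0 otherwise. */
static int rtf_scan_document(const char *doc, int *accepted, int *rejected)
{
    struct kw_buf b;
    const char *p = doc;

    memset(b.guard, 0xAA, sizeof b.guard);
    *accepted = *rejected = 0;
    while (*p) {
        if (*p != '\\') { p++; continue; }
        int n = rtf_read_keyword(&p, b.kw, sizeof b.kw);
        if (n < 0) {
            (*rejected)++;
            p++;                            /* skip the oversized token */
            while (isalpha((unsigned char)*p)) p++;
        } else {
            (*accepted)++;
        }
    }
    for (size_t i = 0; i < sizeof b.guard; i++)
        if (b.guard[i] != 0xAA) return 0;
    return 1;
}

/* Wrappers exposing one result each. */
static int keywords_accepted(const char *doc) { int a, r; rtf_scan_document(doc, &a, &r); return a; }
static int keywords_rejected(const char *doc) { int a, r; rtf_scan_document(doc, &a, &r); return r; }
static int guard_intact(const char *doc)      { int a, r; return rtf_scan_document(doc, &a, &r); }

/* Constructed sample fragments (not taken from any real document). */
static const char sample_ok[] =
    "{\\rtf1\\ansi{\\*\\listtable{\\list\\listtemplateid1"
    "{\\listlevel\\levelnfc0\\leveltext\\'01\\u-3913 ?;}}}}";
static const char sample_overlong[] =           /* 40-letter control word */
    "{\\rtf1\\" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "\\par}";

int main(void)
{
    printf("ok:       accepted=%d rejected=%d guard=%d\n",
           keywords_accepted(sample_ok), keywords_rejected(sample_ok), guard_intact(sample_ok));
    printf("overlong: accepted=%d rejected=%d guard=%d\n",
           keywords_accepted(sample_overlong), keywords_rejected(sample_overlong),
           guard_intact(sample_overlong));
    return 0;
}
```

The point of the reader is the single comparison against `outsz` before each byte is stored; a parser that copies letters until it sees a non-letter, with the buffer size implied only by a declaration elsewhere, is the pattern the report describes.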

Comment 1 Josh Bressers 2005-10-06 17:38:05 UTC
Created attachment 119680
Proposed upstream patch

Comment 3 Josh Bressers 2005-10-13 20:29:21 UTC
Lifting embargo

Comment 4 Fedora Update System 2005-10-14 03:50:17 UTC
From User-Agent: XML-RPC

abiword-2.0.12-11 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 5 Matthew Miller 2005-10-14 19:54:15 UTC
This update breaks reading WordPerfect documents. (Not linked against libwpd, which was just updated as well.)

Comment 6 Caolan McNamara 2005-10-20 13:35:52 UTC
will follow up libwpd issue under bug 170869