Bug 872390

Summary: catdoc: buffer overflow flaw
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adel.gadllah, jrusnack, lersek, pertusus, redhat-bugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20121101,reported=20121101,source=debian,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P,fedora-all/catdoc=affected,epel-all/catdoc=affected,cwe=CWE-787
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-13 16:47:10 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 872391, 872392    
Bug Blocks:    

Description Vincent Danen 2012-11-01 21:22:24 EDT
A Debian bug report [1] noted that there is a buffer overflow in catdoc's src/xlsparse.c, which contains:

        for (i=0;i<NUMOFDATEFORMATS; i++);

Because of the ";" at the end of the first line, it effectively sets i to NUMOFDATEFORMATS, which will cause it to write past defined buffer.  This could lead to a denial of service (crash of catdoc).  The Debian bug report indicates that this could possibly be used for worse things than a crash, but I'm not sure (I can see it writing past the end of the buffer, but all it is writing is 0's and not anything user-defined).

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692076
Comment 1 Vincent Danen 2012-11-01 21:23:17 EDT
Created catdoc tracking bugs for this issue

Affects: fedora-all [bug 872391]
Affects: epel-all [bug 872392]
Comment 4 Fedora Update System 2014-10-28 06:59:30 EDT
catdoc-0.94.2-10.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-10-28 07:04:41 EDT
catdoc-0.94.2-10.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.