Bug 1489337 - There is a heap overflow in libwpd. This vulnerability has been triggered in libreoffice.
Summary: There is a heap overflow in libwpd. This vulnerability has been triggered in...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libwpd
Version: 7.4
Hardware: All
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: 7.5
Assignee: Caolan McNamara
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2017-14226
TreeView+ depends on / blocked
 
Reported: 2017-09-07 08:58 UTC by owl337
Modified: 2020-04-27 12:05 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-27 12:05:37 UTC
Target Upstream Version:


Attachments (Terms of Use)
Triggered by "./wpd2html POC1" (435 bytes, application/x-rar)
2017-09-07 08:58 UTC, owl337
no flags Details
extracted from rar (1.49 KB, application/vnd.wordperfect)
2017-09-07 11:02 UTC, Caolan McNamara
no flags Details
proposed fix (1.95 KB, patch)
2017-09-07 13:11 UTC, Caolan McNamara
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Document Foundation 112269 None None None 2017-09-07 11:06:39 UTC

Description owl337 2017-09-07 08:58:29 UTC
Created attachment 1322984 [details]
Triggered by  "./wpd2html POC1"

Description of problem:

There is a heap overflow in libwpd. This vulnerability has been triggered in libreoffice. It may be exist in other office applications.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./wpd2html POC1

Steps to Reproduce:


=================================================================
==115429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dc44 at pc 0x7ffff7ad9911 bp 0x7fffffffd270 sp 0x7fffffffd268
READ of size 4 at 0x60400000dc44 thread T0
    #0 0x7ffff7ad9910  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910)
    #1 0x7ffff7acfaaa  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9baaa)
    #2 0x7ffff7ad1ef2  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9def2)
    #3 0x7ffff7b37554  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x103554)
    #4 0x7ffff7a86cf6  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x52cf6)
    #5 0x7ffff7aa944f  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x7544f)
    #6 0x7ffff7a975cb  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x635cb)
    #7 0x7ffff7a9835e  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x6435e)
    #8 0x7ffff7b3628c  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x10228c)
    #9 0x4ee0d5  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4ee0d5)
    #10 0x7ffff611682f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x4194d8  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4194d8)

0x60400000dc44 is located 4 bytes to the right of 48-byte region [0x60400000dc10,0x60400000dc40)
allocated by thread T0 here:
    #0 0x4eabd0  (/home/icy/real/libwpd-0.10.1-asan/install/bin/wpd2html+0x4eabd0)
    #1 0x7ffff7b5de49  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x129e49)
    #2 0x7ffff7b5a3e4  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x1263e4)
    #3 0x7ffff7adb15b  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa715b)
    #4 0x7ffff7acf975  (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0x9b975)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/libwpd-0.10.1-asan/install/lib/libwpd-0.10.so.10+0xa5910) 
Shadow bytes around the buggy address:
  0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff9b80: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
  0x0c087fff9b90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9bd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==115429==ABORTING
[Inferior 1 (process 115429) exited with code 01]


$./wpd2html POC1
Segmentation fault

The GDB debugging information is as follow:

(gdb)set args POC1
(gdb)r
(gdb) i b
Num     Type           Disp Enb Address            What
5       breakpoint     keep y   0x00007ffff7b87f37 in WPXTableList::WPXTableList(WPXTableList const&) 
                                                   at WPXTable.cpp:170
	breakpoint already hit 18 times
(gdb) p m_refCount 
$7 = (int *) 0x6e616d6f522077
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
170			(*m_refCount)++;
(gdb) bt
#0  0x00007ffff7b87f5d in WPXTableList::WPXTableList (this=0x7fffffffdbf8, tableList=...) at WPXTable.cpp:170
#1  0x00007ffff7b37b6f in WPXHeaderFooter::getTableList (this=<optimized out>) at ./WPXPageSpan.h:66
#2  WP5StylesListener::insertBreak (this=<optimized out>, breakType=<optimized out>) at WP5StylesListener.cpp:94
#3  0x00007ffff7b31a01 in WP5Parser::parseDocument (input=<optimized out>, encryption=<optimized out>, 
    listener=<optimized out>) at WP5Parser.cpp:102
#4  0x00007ffff7b332bd in WP5Parser::parseSubDocument (this=0x6284c0, documentInterface=0x7fffffffe420)
    at WP5Parser.cpp:234
#5  0x00007ffff7b6f5da in libwpd::WPDocument::parseSubDocument (input=0x6272c0, textInterface=0x7fffffffe420, 
    fileFormat=<optimized out>) at WPDocument.cpp:460
#6  0x00007ffff7b0492a in WP3ContentListener::insertWP51Table (this=0x7fffffffe1c8, height=<optimized out>, 
    width=<optimized out>, verticalOffset=<optimized out>, horizontalOffset=<optimized out>, 
    leftColumn=<optimized out>, rightColumn=<optimized out>, figureFlags=65535, subDocument=0x627280, caption=0x627320)
    at WP3ContentListener.cpp:867
#7  0x00007ffff7b19826 in WP3WindowGroup::parse (this=0x6287e0, listener=0x7fffffffe1c8) at WP3WindowGroup.cpp:144
#8  0x00007ffff7b0deee in WP3Parser::parseDocument (input=<optimized out>, listener=<optimized out>, 
    encryption=<optimized out>) at WP3Parser.cpp:107
#9  WP3Parser::parse (this=<optimized out>, input=<optimized out>, encryption=<optimized out>, listener=<optimized out>)
    at WP3Parser.cpp:76
#10 0x00007ffff7b0e742 in WP3Parser::parse (this=<optimized out>, textInterface=<optimized out>) at WP3Parser.cpp:153
#11 0x00007ffff7b6e6a1 in libwpd::WPDocument::parse (input=<optimized out>, textInterface=<optimized out>, password=0x0)
    at WPDocument.cpp:345
#12 0x00000000004018f2 in main (argc=<optimized out>, argv=<optimized out>) at wpd2html.cpp:116


There is a error memory access in the function WPXTableList::WPXTableList() at line WPXTable.cpp:170. 
165 WPXTableList::WPXTableList(const WPXTableList &tableList) :
166         m_tableList(tableList.get()),
167         m_refCount(tableList.getRef())
168 {
169         if (m_refCount)
170                 (*m_refCount)++;
171 }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer CollAFL. Please contact ganshuitao@gmail.com  and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.

Comment 1 Tuomo Soini 2017-09-07 09:42:40 UTC
libwpd is not epel package. Please move this to rhel.

Comment 3 Caolan McNamara 2017-09-07 11:02:21 UTC
Created attachment 1323059 [details]
extracted from rar

Comment 4 Caolan McNamara 2017-09-07 12:44:57 UTC
https://sourceforge.net/p/libwpd/tickets/14/

Comment 5 Caolan McNamara 2017-09-07 13:11:44 UTC
Created attachment 1323097 [details]
proposed fix

Comment 6 Fedora Update System 2017-09-07 13:31:34 UTC
libwpd-0.10.1-8.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-40a66b18c8

Comment 7 Fedora Update System 2017-09-07 13:31:42 UTC
libwpd-0.10.1-8.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6314903eb9

Comment 8 Fedora Update System 2017-09-07 13:31:50 UTC
libwpd-0.10.1-8.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7096a9fdca

Comment 9 Fedora Update System 2017-09-07 18:24:15 UTC
libwpd-0.10.1-8.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7096a9fdca

Comment 10 Fedora Update System 2017-09-08 00:24:47 UTC
libwpd-0.10.1-8.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6314903eb9

Comment 11 Fedora Update System 2017-09-08 01:22:01 UTC
libwpd-0.10.1-8.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-40a66b18c8

Comment 12 Fedora Update System 2017-09-13 10:57:50 UTC
libwpd-0.10.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5128c8cfe2

Comment 13 Fedora Update System 2017-09-13 10:58:03 UTC
libwpd-0.10.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-63ff51c0dc

Comment 14 Fedora Update System 2017-09-13 10:58:21 UTC
libwpd-0.10.2-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6e66393536

Comment 15 Fedora Update System 2017-09-13 19:24:34 UTC
libwpd-0.10.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5128c8cfe2

Comment 16 Fedora Update System 2017-09-14 04:53:00 UTC
libwpd-0.10.2-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-63ff51c0dc

Comment 17 Fedora Update System 2017-09-14 05:50:16 UTC
libwpd-0.10.2-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6e66393536

Comment 20 RHEL Program Management 2020-04-27 12:05:37 UTC
Development Management has reviewed and declined this request. You may appeal this decision by using your Red Hat support channels, who will make certain  the issue receives the proper prioritization with product and development management.

https://www.redhat.com/support/process/production/#howto


Note You need to log in before you can comment on or make changes to this bug.