The xls2csv tool in catdoc through version 0.95 has a global-buffer-overflow vulnerability in the xlsparse.c:format_rk() function. An attacker could exploit this to crash xls2csv. External Reference: http://seclists.org/fulldisclosure/2018/May/29
Created catdoc tracking bugs for this issue: Affects: epel-all [bug 1579628] Affects: fedora-all [bug 1579629]
Reproduced on F27 with catdoc-0.95-3.fc27.src.rpm: $ ./src/xls2csv ~/Downloads/case15841 Format code 638 is used before definition ...[snip]... Format code 16640 is used before definition ================================================================= ==25193==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000061b2d0 at pc 0x0000004067a9 bp 0x7ffc691edab0 sp 0x7ffc691edaa0 READ of size 1 at 0x00000061b2d0 thread T0 #0 0x4067a8 in format_rk /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xlsparse.c:716 #1 0x404f91 in process_item /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xlsparse.c:325 #2 0x4040a8 in do_table /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xlsparse.c:116 #3 0x402a2c in main /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xls2csv.c:167 #4 0x7ff5373e6f29 in __libc_start_main (/lib64/libc.so.6+0x20f29) #5 0x401cf9 in _start (/home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xls2csv+0x401cf9) 0x00000061b2d0 is located 0 bytes to the right of global variable 'rec' defined in 'xlsparse.c:22:22' (0x616c80) of size 18000 0x00000061b2d0 is located 48 bytes to the left of global variable 'biff_version' defined in 'xlsparse.c:23:5' (0x61b300) of size 4 SUMMARY: AddressSanitizer: global-buffer-overflow /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xlsparse.c:716 in format_rk Shadow bytes around the buggy address: 0x0000800bb600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800bb610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800bb620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800bb630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800bb640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0000800bb650: 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 0x0000800bb660: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 0x0000800bb670: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 0x0000800bb680: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 0x0000800bb690: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 0x0000800bb6a0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==25193==ABORTING
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.