Bug 1579627 - catdoc: global-buffer-overflow in xlsparse.c:format_rk() causes crash
Summary: catdoc: global-buffer-overflow in xlsparse.c:format_rk() causes crash
Status: CLOSED UPSTREAM
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1579628 1579629
Reported: 2018-05-18 04:43 UTC by Sam Fowler
Modified: 2021-02-17 00:18 UTC

Last Closed: 2019-06-10 10:23:31 UTC



Description Sam Fowler 2018-05-18 04:43:31 UTC
The xls2csv tool in catdoc through version 0.95 has a global-buffer-overflow vulnerability in the xlsparse.c:format_rk() function. An attacker could exploit this to crash xls2csv.


External Reference:

http://seclists.org/fulldisclosure/2018/May/29

Comment 1 Sam Fowler 2018-05-18 04:43:50 UTC
Created catdoc tracking bugs for this issue:

Affects: epel-all [bug 1579628]
Affects: fedora-all [bug 1579629]

Comment 2 Sam Fowler 2018-05-18 04:46:01 UTC
Reproduced on F27 with catdoc-0.95-3.fc27.src.rpm:

$ ./src/xls2csv ~/Downloads/case15841
Format code 638 is used before definition
...[snip]...
Format code 16640 is used before definition
=================================================================
==25193==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000061b2d0 at pc 0x0000004067a9 bp 0x7ffc691edab0 sp 0x7ffc691edaa0
READ of size 1 at 0x00000061b2d0 thread T0
    #0 0x4067a8 in format_rk /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xlsparse.c:716
    #1 0x404f91 in process_item /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xlsparse.c:325
    #2 0x4040a8 in do_table /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xlsparse.c:116
    #3 0x402a2c in main /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xls2csv.c:167
    #4 0x7ff5373e6f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #5 0x401cf9 in _start (/home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xls2csv+0x401cf9)

0x00000061b2d0 is located 0 bytes to the right of global variable 'rec' defined in 'xlsparse.c:22:22' (0x616c80) of size 18000
0x00000061b2d0 is located 48 bytes to the left of global variable 'biff_version' defined in 'xlsparse.c:23:5' (0x61b300) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow /home/sfowler/rpmbuild/BUILD/catdoc-0.95/src/xlsparse.c:716 in format_rk
==25193==ABORTING

Comment 3 Product Security DevOps Team 2019-06-10 10:23:31 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

