Bug 169486 - CAN-2005-2971 kword buffer overflow
CAN-2005-2971 kword buffer overflow
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: koffice (Show other bugs)
3
All Linux
medium Severity low
: ---
: ---
Assigned To: Ngo Than
impact=low,source=vendorsec,reported=...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-28 15:23 EDT by Josh Bressers
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-25 07:47:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2005-09-28 15:23:53 EDT
This issue was reported by Chris Evans:

CESA-2005-005 - rev 1

KWord RTF import heap corruption
================================

Programs affected: KWord
Severity: Possible arbitrary code execution.
Discovered date: Forgotten
Vendor notified date: Sep 22nd 2005

Demo RTF: http://scary.beasts.org/misc/out27.rtf
(Simple RTF fuzz test suite at http://scary.beasts.org/misc/badrtfs.tar.bz2)

rpm -q koffice-kword
koffice-kword-1.4.1-4.fc4

Resultant stack trace:

(gdb) bt
#0  0x06d0706c in _int_malloc () from /lib/libc.so.6
#1  0x06d08492 in malloc () from /lib/libc.so.6
#2  0x06aaef56 in operator new () from /usr/lib/libstdc++.so.6
#3  0x06aaf06d in operator new[] () from /usr/lib/libstdc++.so.6
#4  0x012d18b9 in QString::setLength () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#5  0x012d1a28 in QString::grow () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#6  0x012d8143 in QString::operator+= () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#7  0x007466f9 in RTFImport::convert () from /usr/lib/kde3/librtfimport.so

CESA-2005-005 - rev 1
Chris Evans
Comment 4 Josh Bressers 2005-10-11 18:10:37 EDT
Lifting embargo
Comment 5 Fedora Update System 2005-10-13 23:49:37 EDT
From User-Agent: XML-RPC

koffice-1.4.2-0.FC3.2 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 6 Kevin Kofler 2005-10-15 07:19:10 EDT
Still no update for FC4 Extras. :-(
I filed Bug 170903 for FC4.
Comment 7 Mark J. Cox (Product Security) 2005-10-25 07:47:06 EDT
FEDORA-2005-984

Note You need to log in before you can comment on or make changes to this bug.