Bug 170030 - CAN-2005-2972 abiword multiple buffer overflows
Product: Fedora
Classification: Fedora
Component: abiword
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Caolan McNamara
Mike McLean
Keywords: Security
Reported: 2005-10-06 13:38 EDT by Josh Bressers
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 2.0.12-12
Doc Type: Bug Fix
Last Closed: 2005-10-20 09:35:52 EDT

Attachments (Terms of Use)
Proposed upstream patch (5.66 KB, patch)
2005-10-06 13:38 EDT, Josh Bressers
Description Josh Bressers 2005-10-06 13:38:04 EDT
This was reported to vendor-sec by Chris Evans:

Bad news, I'm afraid - I located 10 mins to have a look at the Abiword
(2.2.10) RTF importer code and there look to be multiple additional
buffer overflow vulnerabilities. Here are the ones I found with a
quick scan:

(All in ie_imp_RTF.cpp).

1) ParseLevelText, line 411 - apparent overflow of stack-based buffer

2) getCharsInsideBrace, line 6967 - apparent overflow of static buffer keyword.

3) HandleLists, line 8221 - overflow. Demo at

4) HandleLists, line 8224, 8228 - apparent overflows.

5) HandleAbiLists, line 8979 - overflow. Demo at

6) HandleAbiLists - various lines. Additional similarly coded
overflows to item 5).

7) HandleAbiLists, line 8984 - apparent overflow.

8) HandleAbiLists - various lines. Additional similarly coded
overflows to item 7).
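The bug class listed above (an RTF control word or similar token copied into a fixed-size buffer with no length check) is easiest to see next to a bounded reader that rejects overlong input instead of writing past the buffer. The following is an added example written for this page, not code from AbiWord's ie_imp_RTF.cpp or from the attached patch; the 32-letter limit, the function names and the sample fragments are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit: the RTF format bounds control words at 32 letters,
 * so anything longer is treated as malformed input and is never copied. */
#define MAX_KEYWORD_LEN 32

/* Constructed sample fragments: a well-formed one with three control words,
 * and one whose "control word" is 40 letters long (would overflow an
 * unchecked 33-byte buffer). */
static const char SAMPLE_OK[] = "{\\rtf1\\ansi\\deff0 hello}";
static const char SAMPLE_OVERLONG[] =
    "\\" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";

/* Reads the letters of an RTF control word starting right after the
 * backslash in `src` into `keyword` (capacity `cap`, NUL-terminated).
 * Returns the number of bytes consumed, or -1 when the word is empty or
 * would not fit: the length check happens before each write, so the
 * buffer can never be overrun regardless of input length. */
int read_keyword(const char *src, char *keyword, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    while (isalpha((unsigned char)src[n])) {
        if (n + 1 >= cap) {        /* keep room for the terminator */
            keyword[0] = '\0';
            return -1;             /* reject instead of overflowing */
        }
        keyword[n] = src[n];
        n++;
    }
    keyword[n] = '\0';
    return n == 0 ? -1 : (int)n;
}

/* Walks a fragment and extracts every control word with read_keyword.
 * Returns how many were seen, or -1 as soon as one is malformed, which is
 * exactly the point where an unchecked strcpy-style loop would overflow. */
int count_keywords(const char *rtf)
{
    char keyword[MAX_KEYWORD_LEN + 1];
    int count = 0;
    for (const char *p = rtf; *p != '\0'; p++) {
        if (*p != '\\') continue;
        if (p[1] == '\0') break;                          /* dangling '\' */
        if (!isalpha((unsigned char)p[1])) { p++; continue; } /* \\ \{ \} \' etc. */
        int used = read_keyword(p + 1, keyword, sizeof keyword);
        if (used < 0) return -1;
        p += used;               /* the loop's p++ steps past the last letter */
        count++;
    }
    return count;
}
```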
Comment 1 Josh Bressers 2005-10-06 13:38:05 EDT
Created attachment 119680 [details]
Proposed upstream patch
Comment 3 Josh Bressers 2005-10-13 16:29:21 EDT
Lifting embargo
Comment 4 Fedora Update System 2005-10-13 23:50:17 EDT
abiword-2.0.12-11 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 5 Matthew Miller 2005-10-14 15:54:15 EDT
This update breaks reading wordperfect documents. (Not linked against libwpd,
which was just updated as well.)
Comment 6 Caolan McNamara 2005-10-20 09:35:52 EDT
Will follow up on the libwpd issue under bug 170869.