Bug 170030 - CAN-2005-2972 abiword multiple buffer overflows
Summary: CAN-2005-2972 abiword multiple buffer overflows
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: abiword
Version: 3
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Caolan McNamara
QA Contact: Mike McLean
URL:
Whiteboard: impact=low,source=vendorsec,reported=...
Depends On:
Blocks:
Reported: 2005-10-06 17:38 UTC by Josh Bressers
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.0.12-12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-20 13:35:52 UTC
Type: ---
Embargoed:


Attachments
Proposed upstream patch (5.66 KB, patch)
2005-10-06 17:38 UTC, Josh Bressers

Description Josh Bressers 2005-10-06 17:38:04 UTC
This was reported to vendor-sec by Chris Evans:

Bad news, I'm afraid - I located 10 mins to have a look at the Abiword
(2.2.10) RTF importer code and there look to be multiple additional
buffer overflow vulnerabilities. Here are the ones I found with a
quick scan:

(All in ie_imp_RTF.cpp).

1) ParseLevelText, line 411 - apparent overflow of stack-based buffer
iLevelText.

2) getCharsInsideBrace, line 6967 - apparent overflow of static buffer keyword.

3) HandleLists, line 8221 - overflow. Demo at
http://scary.beasts.org/misc/abi1.rtf

4) HandleLists, line 8224, 8228 - apparent overflows.

5) HandleAbiLists, line 8979 - overflow. Demo at
http://scary.beasts.org/misc/abi2.rtf

6) HandleAbiLists - various lines. Additional similarly coded
overflows to item 5).

7) HandleAbiLists, line 8984 - apparent overflow.

8) HandleAbiLists - various lines. Additional similarly coded
overflows to item 7).
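The items above share one pattern: RTF group contents copied into a fixed-size buffer (the static `keyword` buffer in getCharsInsideBrace, the stack buffer iLevelText in ParseLevelText, the list handlers) with no check against the buffer's length. The C below is a constructed illustration added here, not AbiWord's ie_imp_RTF.cpp code; KEYWORD_MAX and the function names are assumptions. It shows the unchecked copy beside a bounded reader that rejects an overlong or unterminated group instead of writing past the buffer.

```c
#include <string.h>
#define KEYWORD_MAX 64 /* assumed size; the real buffer sizes are not on this bug page */

/* Defect pattern (constructed, not AbiWord's code): copy up to the closing brace
 * into a fixed buffer with no length check, so a longer group body overruns out. */
size_t brace_copy_unchecked(const char *in, char out[KEYWORD_MAX])
{
    size_t n = 0;
    while (in[n] != '\0' && in[n] != '}') {
        out[n] = in[n]; /* n is never compared with KEYWORD_MAX */
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened form: the caller passes the buffer size; an overlong or unterminated
 * group is rejected with -1 instead of being truncated or overflowing; on
 * success the number of bytes copied is returned. */
int brace_copy_checked(const char *in, char *out, size_t out_size)
{
    size_t n = 0;
    if (out_size == 0) return -1;
    while (in[n] != '}') {
        if (in[n] == '\0' || n + 1 >= out_size) { /* unclosed group, or no room */
            out[0] = '\0';
            return -1;
        }
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Runs the checked reader over one input with a KEYWORD_MAX-sized buffer. */
int checked_result(const char *in)
{
    char buf[KEYWORD_MAX];
    return brace_copy_checked(in, buf, sizeof buf);
}

/* Constructed group body four times longer than the buffer; expected verdict -1. */
int checked_result_overlong(void)
{
    char overlong[KEYWORD_MAX * 4];
    memset(overlong, 'A', sizeof overlong - 2);
    overlong[sizeof overlong - 2] = '}';
    overlong[sizeof overlong - 1] = '\0';
    return checked_result(overlong);
}
```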

Comment 1 Josh Bressers 2005-10-06 17:38:05 UTC
Created attachment 119680 [details]
Proposed upstream patch

Comment 3 Josh Bressers 2005-10-13 20:29:21 UTC
Lifting embargo

Comment 4 Fedora Update System 2005-10-14 03:50:17 UTC
From User-Agent: XML-RPC

abiword-2.0.12-11 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 5 Matthew Miller 2005-10-14 19:54:15 UTC
This update breaks reading wordperfect documents. (Not linked against libwpd,
which was just updated as well.)

Comment 6 Caolan McNamara 2005-10-20 13:35:52 UTC
Will follow up on the libwpd issue under bug 170869.
