Red Hat Bugzilla – Bug 170030
CAN-2005-2972 abiword multiple buffer overflows
Last modified: 2007-11-30 17:11:14 EST
This was reported to vendor-sec by Chris Evans:
Bad news, I'm afraid - I located 10 mins to have a look at the Abiword
(2.2.10) RTF importer code and there look to be multiple additional
buffer overflow vulnerabilities. Here are the ones I found with a
(All in ie_imp_RTF.cpp).
1) ParseLevelText, line 411 - apparent overflow of stack-based buffer
2) getCharsInsideBrace, line 6967 - apparent overflow of static buffer keyword.
3) HandleLists, line 8221 - overflow. Demo at
4) HandleLists, line 8224, 8228 - apparent overflows.
5) HandleAbiLists, line 8979 - overflow. Demo at
6) HandleAbiLists - various lines. Additional similarly coded
overflows to item 5).
7) HandleAbiLists, line 8984 - apparent overflow.
8) HandleAbiLists - various lines. Additional similarly coded
overflows to item 7).
Created attachment 119680
Proposed upstream patch
abiword-2.0.12-11 has been pushed for FC3, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
This update breaks reading WordPerfect documents. (Not linked against libwpd,
which was just updated as well.)
Will follow up libwpd issue under bug 170869.