This was reported to vendor-sec by Chris Evans:

Bad news, I'm afraid - I located 10 mins to have a look at the Abiword (2.2.10) RTF importer code and there look to be multiple additional buffer overflow vulnerabilities. Here are the ones I found with a quick scan (all in ie_imp_RTF.cpp):

1) ParseLevelText, line 411 - apparent overflow of stack-based buffer iLevelText.
2) getCharsInsideBrace, line 6967 - apparent overflow of static buffer keyword.
3) HandleLists, line 8221 - overflow. Demo at http://scary.beasts.org/misc/abi1.rtf
4) HandleLists, line 8224, 8228 - apparent overflows.
5) HandleAbiLists, line 8979 - overflow. Demo at http://scary.beasts.org/misc/abi2.rtf
6) HandleAbiLists - various lines. Additional similarly coded overflows to item 5).
7) HandleAbiLists, line 8984 - apparent overflow.
8) HandleAbiLists - various lines. Additional similarly coded overflows to item 7).
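An added example, not part of the report or of AbiWord's own code: a bounded reader for the control word that follows an opening brace, the kind of copy into a fixed `keyword` buffer that item 2 (getCharsInsideBrace) describes, plus a pre-import scan built on it. The function names, KEYWORD_MAX and the sample input are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Size of the fixed keyword buffer; constructed value, not AbiWord's. */
#define KEYWORD_MAX 32

/* Read the RTF control word that follows "{\" into a fixed-size buffer.
 * Returns the number of characters stored, or -1 if the input does not
 * start with "{\" or the control word would not fit (the overlong
 * keyword is rejected instead of being written past the buffer).
 * Hypothetical name; the unbounded form of this loop is the bug class. */
int read_brace_keyword(const char *rtf, char *keyword, size_t keyword_size)
{
    size_t n = 0;
    if (keyword_size == 0) return -1;
    if (rtf[0] != '{' || rtf[1] != '\\') return -1;
    const char *p = rtf + 2;
    /* RTF control words are ASCII letters; stop at the first non-letter. */
    while ((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z')) {
        if (n + 1 >= keyword_size)   /* leave room for the terminating NUL */
            return -1;               /* would overflow: reject, write nothing */
        keyword[n++] = *p++;
    }
    keyword[n] = '\0';
    return (int)n;
}

/* Scan a whole RTF document for brace-opened control words that would not
 * fit a KEYWORD_MAX buffer. Returns the byte offset of the first offending
 * brace, or -1 if every keyword fits. Usable as a check before import. */
long find_overlong_keyword(const char *rtf)
{
    char kw[KEYWORD_MAX];
    for (const char *p = rtf; *p; p++) {
        if (*p == '{' && p[1] == '\\' && read_brace_keyword(p, kw, sizeof kw) < 0)
            return p - rtf;
    }
    return -1;
}
```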
Created attachment 119680: Proposed upstream patch
Lifting embargo
abiword-2.0.12-11 has been pushed for FC3, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
This update breaks reading wordperfect documents. (Not linked against libwpd, which was just updated as well.)
Will follow up on the libwpd issue under bug 170869.