Bug 217738 - CVE-2006-6120 koffice integer overflow
Summary: CVE-2006-6120 koffice integer overflow
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: koffice   
(Show other bugs)
Version: 2.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact:
URL:
Whiteboard: source=vendorsec,reported=20061122,pu...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-11-29 18:11 UTC by Josh Bressers
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

Fixed In Version: RHSA-2007-0010
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-20 16:55:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch from Kees (3.38 KB, patch)
2006-11-29 18:20 UTC, Josh Bressers
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0010 normal SHIPPED_LIVE Moderate: koffice security update 2007-02-20 16:55:36 UTC

Description Josh Bressers 2006-11-29 18:11:26 UTC
Kees Cook discovered an integer overflow flaw in koffice.  Here are the details
from Kees:

    While digging into a segv-during-mem-read crash reported to us, I
    discovered that it was possible to overwrite heap memory using a crafted
    PPT file.  The problem is in filters/olefilters/lib/klaola.cc (which
    I think was removed in the 1.5.x koffice tree, and put back in 1.6.x):

void KLaola::readBigBlockDepot() {
    bigBlockDepot=new unsigned char[0x200*num_of_bbd_blocks];
    for(unsigned int i=0; i<num_of_bbd_blocks; ++i)
        memcpy(&bigBlockDepot[i*0x200], &m_file.data[(bbd_list[i]+1)*0x200], 0x200);
}

    num_of_bbd_blocks comes directly from the file being read and can wrap
    when multiplied, reading file contents into heap memory.  I think it
    could be exploited, but it would be tricky, since you need to not write
    past the end of the heap segment when doing it.  At least on my amd64
    machine this looks to be possible, though glibc notices the problem and
    tries to shut down

Comment 2 Josh Bressers 2006-11-29 18:20:57 UTC
Created attachment 142398 [details]
Proposed patch from Kees

Comment 5 Josh Bressers 2006-12-06 14:40:17 UTC
This is now public

Comment 9 Red Hat Bugzilla 2007-02-20 16:55:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0010.html



Note You need to log in before you can comment on or make changes to this bug.