Kees Cook discovered an integer overflow flaw in koffice. Here are the details from Kees:

While digging into a segv-during-mem-read crash reported to us, I discovered that it was possible to overwrite heap memory using a crafted PPT file. The problem is in filters/olefilters/lib/klaola.cc (which I think was removed in the 1.5.x koffice tree, and put back in 1.6.x):

    void KLaola::readBigBlockDepot() {
        bigBlockDepot=new unsigned char[0x200*num_of_bbd_blocks];
        for(unsigned int i=0; i<num_of_bbd_blocks; ++i)
            memcpy(&bigBlockDepot[i*0x200], &m_file.data[(bbd_list[i]+1)*0x200], 0x200);
    }

num_of_bbd_blocks comes directly from the file being read and can wrap when multiplied, reading file contents into heap memory. I think it could be exploited, but it would be tricky, since you need to not write past the end of the heap segment when doing it. At least on my amd64 machine this looks to be possible, though glibc notices the problem and tries to shut down
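Added example, not koffice's code or Kees's patch: the allocation arithmetic from the snippet above, computed in 32-bit unsigned as the original does so the wrap is visible, beside a hardened depot reader that rejects counts whose byte size would wrap and block indices that do not fit inside the file. Function names, BLOCK_SIZE and the three-block sample file are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 0x200u   /* OLE big block size used by the quoted code */

/* Same arithmetic as the original "new unsigned char[0x200*num_of_bbd_blocks]":
 * a 32-bit unsigned product, so large counts wrap to a tiny allocation. */
unsigned int vulnerable_alloc_size(unsigned int num_of_bbd_blocks) {
    return BLOCK_SIZE * num_of_bbd_blocks;
}

/* Hardened size computation: fail if the product would wrap, or if the depot
 * claims more bytes than the whole file holds (a sanity limit assumed here). */
int safe_bbd_alloc_size(unsigned int num_of_bbd_blocks, size_t file_len, size_t *out) {
    if (num_of_bbd_blocks > UINT32_MAX / BLOCK_SIZE) return 0;   /* would wrap */
    size_t bytes = (size_t)num_of_bbd_blocks * BLOCK_SIZE;
    if (bytes > file_len) return 0;                               /* implausible */
    *out = bytes;
    return 1;
}

/* Does block index `block` (used as bbd_list[i]) address a whole block inside
 * the file? The quoted snippet uses it as a memcpy source without this check. */
int block_in_file(uint32_t block, size_t file_len) {
    uint64_t off = ((uint64_t)block + 1) * BLOCK_SIZE;
    return off + BLOCK_SIZE <= file_len;
}

/* Hardened equivalent of readBigBlockDepot(): NULL on any inconsistency,
 * otherwise a malloc'd depot the caller must free. */
unsigned char *read_big_block_depot(const unsigned char *file, size_t file_len,
                                    const uint32_t *bbd_list, unsigned int num_of_bbd_blocks) {
    size_t bytes;
    if (!safe_bbd_alloc_size(num_of_bbd_blocks, file_len, &bytes)) return NULL;
    unsigned char *depot = malloc(bytes ? bytes : 1);
    if (!depot) return NULL;
    for (unsigned int i = 0; i < num_of_bbd_blocks; ++i) {
        if (!block_in_file(bbd_list[i], file_len)) { free(depot); return NULL; }
        memcpy(&depot[(size_t)i * BLOCK_SIZE],
               &file[((size_t)bbd_list[i] + 1) * BLOCK_SIZE], BLOCK_SIZE);
    }
    return depot;
}

/* Constructed sample file: three 0x200-byte blocks, block k filled with byte k. */
static void build_sample_file(unsigned char *buf) {
    for (unsigned int k = 0; k < 3; ++k) memset(buf + k * BLOCK_SIZE, (int)k, BLOCK_SIZE);
}
```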
Created attachment 142398 [details] Proposed patch from Kees
This is now public
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0010.html