Red Hat Bugzilla – Bug 872390
catdoc: buffer overflow flaw
Last modified: 2015-04-14 02:20:22 EDT
A Debian bug report  noted that there is a buffer overflow in catdoc's src/xlsparse.c, which contains:
for (i=0;i<NUMOFDATEFORMATS; i++);
Because of the ";" at the end of the first line, it effectively sets i to NUMOFDATEFORMATS, which will cause it to write past defined buffer. This could lead to a denial of service (crash of catdoc). The Debian bug report indicates that this could possibly be used for worse things than a crash, but I'm not sure (I can see it writing past the end of the buffer, but all it is writing is 0's and not anything user-defined).
Created catdoc tracking bugs for this issue
Affects: fedora-all [bug 872391]
Affects: epel-all [bug 872392]
catdoc-0.94.2-10.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
catdoc-0.94.2-10.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.