unrtf: CVE-2016-10091: stack-based buffer overflows in cmd_* functions

Debian Bug report logs - #849705

Package: unrtf; Maintainer for unrtf is Willi Mann <willi@debian.org>; Source for unrtf is src:unrtf.

Reported by: Skylake <skyl@protonmail.com>

Date: Fri, 30 Dec 2016 00:57:01 UTC

Severity: normal

Tags: security, upstream

Found in versions unrtf/0.21.5-1, unrtf/0.21.9-clean-2, unrtf/0.21.5-3

Fixed in versions unrtf/0.21.9-clean-3, unrtf/0.21.5-3+deb8u1

Done: Willi Mann <willi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@debian.org>:
Bug#849705; Package unrtf. (Fri, 30 Dec 2016 00:57:04 GMT)


Acknowledgement sent to Skylake <skyl@protonmail.com>:
New Bug report received and forwarded. Copy sent to Willi Mann <willi@debian.org>. (Fri, 30 Dec 2016 00:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Skylake <skyl@protonmail.com>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: unrtf: Stack buffer overflow
Date: Thu, 29 Dec 2016 19:44:14 -0500
Package: unrtf
Version: 0.21.9-clean-2

I've found a stack-based buffer overflow in unrtf 0.21.9, which affects three functions: cmd_expand, cmd_emboss and cmd_engrave.

# convert.c

static int
cmd_expand (Word *w, int align, char has_param, int param) {
    char str[10];
    if (has_param) {
        sprintf(str, "%d", param/4); // Overflow, 9-digit negative value triggers the bug
        if (!param)
            attr_pop(ATTR_EXPAND);
        else
            attr_push(ATTR_EXPAND, str);
    }
    return FALSE;
}

Apparently writing a negative integer to the buffer can trigger the overflow (the minus sign needs an extra byte).

* How to trigger the bug *

$ echo "\expnd-400000000" > poc
$ unrtf poc

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
*** buffer overflow detected ***: unrtf terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb764f37a]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb76dfe07]
/lib/i386-linux-gnu/libc.so.6(+0xf60a8)[0xb76de0a8]
/lib/i386-linux-gnu/libc.so.6(+0xf58b8)[0xb76dd8b8]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0xa6)[0xb7653bf6]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0xf66)[0xb762b1d6]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0x90)[0xb76dd950]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x20)[0xb76dd8a0]
unrtf[0x804c7b8]
unrtf[0x804f77d]
unrtf[0x804f9e7]
unrtf[0x804920b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7600276]
unrtf[0x804953c]
======= Memory map: ========
08048000-0805b000 r-xp 00000000 08:01 405354 /usr/bin/unrtf
0805b000-0805c000 r--p 00012000 08:01 405354 /usr/bin/unrtf
0805c000-0805d000 rw-p 00013000 08:01 405354 /usr/bin/unrtf
0805d000-08085000 rw-p 00000000 00:00 0
0952d000-0954e000 rw-p 00000000 00:00 0 [heap]
b75ca000-b75e6000 r-xp 00000000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e6000-b75e7000 r--p 0001b000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e7000-b75e8000 rw-p 0001c000 08:01 393233 /usr/lib/i386-linux-gnu/libgcc_s.so.1
b75e8000-b7799000 r-xp 00000000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b7799000-b779b000 r--p 001b0000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b779b000-b779c000 rw-p 001b2000 08:01 395818 /usr/lib/i386-linux-gnu/libc-2.24.so
b779c000-b779f000 rw-p 00000000 00:00 0
b77a3000-b77a6000 rw-p 00000000 00:00 0
b77a6000-b77a8000 r--p 00000000 00:00 0 [vvar]
b77a8000-b77aa000 r-xp 00000000 00:00 0 [vdso]
b77aa000-b77cc000 r-xp 00000000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
b77cc000-b77cd000 rw-p 00000000 00:00 0
b77cd000-b77ce000 r--p 00022000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
b77ce000-b77cf000 rw-p 00023000 08:01 393914 /usr/lib/i386-linux-gnu/ld-2.24.so
bf992000-bf9b3000 rw-p 00000000 00:00 0 [stack]
Aborted

* Test environment *

Linux debian 4.7.0-1-686-pae #1 SMP Debian 4.7.8-1 (2016-10-19) i686 GNU/Linux
libc6 2.24-8

Regards,
Amir


Sent with [ProtonMail](https://protonmail.com) Secure Email.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#849705; Package unrtf. (Fri, 30 Dec 2016 17:54:02 GMT)


Acknowledgement sent to Willi Mann <willi@debian.org>:
Extra info received and forwarded to list. (Fri, 30 Dec 2016 17:54:03 GMT)


Message #10 received at 849705@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: daved@physiol.usyd.edu.au, Jean-Francois Dockes <jf@dockes.org>
Cc: Skylake <skyl@protonmail.com>, 849705@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#849705: unrtf: Stack buffer overflow
Date: Fri, 30 Dec 2016 18:45:23 +0100
Hi Dave,
Hi Jean-Francois,

I got the following bug report, apparently describing a buffer overflow
in unrtf - which I can reproduce. Do you have a suggestion for a fix?

I'm also CCing debian's security team.

WM

Am 2016-12-30 um 01:44 schrieb Skylake:
> Package: unrtf
> Version: 0.21.9-clean-2
> 
> I've found a stack-based buffer overflow in unrtf 0.21.9, which affects three 
> functions: cmd_expand, cmd_emboss and cmd_engrave.
> 
> # convert.c
> 
> static int
> cmd_expand (Word *w, int align, char has_param, int param) {
>      char str[10];
>      if (has_param) {
>          sprintf(str, "%d", param/4); // Overflow, 9-digit negative value 
> triggers the bug
>          if (!param)
>              attr_pop(ATTR_EXPAND);
>          else
>              attr_push(ATTR_EXPAND, str);
>      }
>      return FALSE;
> }
> 
> Apparently writing a negative integer to the buffer can trigger the overflow 
> (the minus sign needs an extra byte).
> 
> * How to trigger the bug *
> 
> $ echo "\expnd-400000000" > poc
> $ unrtf poc
> 
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <meta http-equiv="content-type" content="text/html; charset=utf-8">
> <!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
> *** buffer overflow detected ***: unrtf terminated
> ======= Backtrace: =========
> /lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb764f37a]
> /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb76dfe07]
> /lib/i386-linux-gnu/libc.so.6(+0xf60a8)[0xb76de0a8]
> /lib/i386-linux-gnu/libc.so.6(+0xf58b8)[0xb76dd8b8]
> /lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0xa6)[0xb7653bf6]
> /lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0xf66)[0xb762b1d6]
> /lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0x90)[0xb76dd950]
> /lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x20)[0xb76dd8a0]
> unrtf[0x804c7b8]
> unrtf[0x804f77d]
> unrtf[0x804f9e7]
> unrtf[0x804920b]
> /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7600276]
> unrtf[0x804953c]
> ======= Memory map: ========
> 08048000-0805b000 r-xp 00000000 08:01 405354     /usr/bin/unrtf
> 0805b000-0805c000 r--p 00012000 08:01 405354     /usr/bin/unrtf
> 0805c000-0805d000 rw-p 00013000 08:01 405354     /usr/bin/unrtf
> 0805d000-08085000 rw-p 00000000 00:00 0
> 0952d000-0954e000 rw-p 00000000 00:00 0          [heap]
> b75ca000-b75e6000 r-xp 00000000 08:01 393233     
> /usr/lib/i386-linux-gnu/libgcc_s.so.1
> b75e6000-b75e7000 r--p 0001b000 08:01 393233     
> /usr/lib/i386-linux-gnu/libgcc_s.so.1
> b75e7000-b75e8000 rw-p 0001c000 08:01 393233     
> /usr/lib/i386-linux-gnu/libgcc_s.so.1
> b75e8000-b7799000 r-xp 00000000 08:01 395818     
> /usr/lib/i386-linux-gnu/libc-2.24.so
> b7799000-b779b000 r--p 001b0000 08:01 395818     
> /usr/lib/i386-linux-gnu/libc-2.24.so
> b779b000-b779c000 rw-p 001b2000 08:01 395818     
> /usr/lib/i386-linux-gnu/libc-2.24.so
> b779c000-b779f000 rw-p 00000000 00:00 0
> b77a3000-b77a6000 rw-p 00000000 00:00 0
> b77a6000-b77a8000 r--p 00000000 00:00 0          [vvar]
> b77a8000-b77aa000 r-xp 00000000 00:00 0          [vdso]
> b77aa000-b77cc000 r-xp 00000000 08:01 393914     /usr/lib/i386-linux-gnu/ld-2.24.so
> b77cc000-b77cd000 rw-p 00000000 00:00 0
> b77cd000-b77ce000 r--p 00022000 08:01 393914     /usr/lib/i386-linux-gnu/ld-2.24.so
> b77ce000-b77cf000 rw-p 00023000 08:01 393914     /usr/lib/i386-linux-gnu/ld-2.24.so
> bf992000-bf9b3000 rw-p 00000000 00:00 0          [stack]
> Aborted
> 
> * Test environment *
> 
> Linux debian 4.7.0-1-686-pae #1 SMP Debian 4.7.8-1 (2016-10-19) i686 GNU/Linux
> libc6 2.24-8
> 
> Regards,
> Amir
> 
> Sent with ProtonMail <https://protonmail.com> Secure Email.
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@debian.org>:
Bug#849705; Package unrtf. (Fri, 30 Dec 2016 18:21:03 GMT)


Acknowledgement sent to Jean-Francois Dockes <jf@dockes.org>:
Extra info received and forwarded to list. Copy sent to Willi Mann <willi@debian.org>. (Fri, 30 Dec 2016 18:21:03 GMT)


Message #15 received at 849705@bugs.debian.org:

From: Jean-Francois Dockes <jf@dockes.org>
To: Willi Mann <willi@debian.org>
Cc: daved@physiol.usyd.edu.au, Skylake <skyl@protonmail.com>, 849705@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#849705: unrtf: Stack buffer overflow
Date: Fri, 30 Dec 2016 19:16:12 +0100
Willi Mann writes:
 > Hi Dave,
 > Hi Jean-Francois,
 > 
 > I got the following bug report, apparently describing a buffer overflow
 > in unrtf - which I can reproduce. Do you have a suggestion for a fix?
 > 
 > I'm also CCing debian's security team.
 > 
 > WM

I guess that you can just add a package patch to increase the str[] buffer
size, something like

- char str[10];
+ char str[15];

(I'm sure that you could get by with less than 15 but I don't see the
point).

For completeness, sprintf() could be changed to snprintf(), but maybe this
can be left for the next release?

attr_push() does an strdup of the 2nd parameter, so the increased size
should not be an issue there.

I've not tested the change, but I'm foolishly confident that it should fix the
issue. I'll give it a better look in the following days (and also look for
possible other instances of the problem).

jf


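The arithmetic behind the report and the snprintf-based fix suggested above, as an added C example (this is not unrtf's code and not the patch discussed in the thread): decimal_len() computes how many bytes "%d" needs for a value, fits_in() mirrors the str[10] check that cmd_expand() never made for param/4, and format_expand_param() is a hardened form of the same pattern that bounds the write with snprintf and refuses truncated output instead of pushing it as an attribute. The three function names, ORIG_BUF and EXPAND_BUF are the example's own assumptions, not identifiers from unrtf; the 15-byte size is the one proposed in the reply above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not unrtf's code. unrtf's cmd_expand() does
 *     char str[10]; sprintf(str, "%d", param/4);
 * The functions below model why that buffer is too small and how a
 * bounded write avoids the overflow. All names are hypothetical. */

enum { ORIG_BUF = 10 };    /* size of str[] in the vulnerable code */
#define EXPAND_BUF 15      /* size proposed in the thread; 12 is the 32-bit minimum */

/* Bytes "%d" needs for v, including the terminating NUL.
 * snprintf with a NULL destination and size 0 writes nothing and returns
 * the length the full output would have had (C99). */
size_t decimal_len(int v)
{
    int n = snprintf(NULL, 0, "%d", v);
    return (size_t)n + 1;
}

/* Mirrors the check unrtf never made: would sprintf(str, "%d", param/4)
 * stay inside a buffer of bufsize bytes? */
bool fits_in(size_t bufsize, int param)
{
    return decimal_len(param / 4) <= bufsize;
}

/* Hardened replacement for the sprintf pattern: snprintf bounds the write,
 * and the return value is checked so a truncated number is never handed
 * on as an attribute value. Returns 0 on success, -1 if it did not fit. */
int format_expand_param(char *out, size_t outsize, int param)
{
    int n = snprintf(out, outsize, "%d", param / 4);
    if (n < 0 || (size_t)n >= outsize) {
        if (outsize > 0)
            out[0] = '\0';     /* leave a valid, empty string behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the value from the report's poc (\expnd-400000000),
     * its positive counterpart, and the two extremes of int. */
    int samples[] = { -400000000, 400000000, INT_MIN, INT_MAX };
    char safe[EXPAND_BUF];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int p = samples[i];
        printf("param=%11d  needs %2zu bytes  str[%d]: %s  ",
               p, decimal_len(p / 4), ORIG_BUF,
               fits_in(ORIG_BUF, p) ? "ok" : "OVERFLOW");
        if (format_expand_param(safe, sizeof safe, p) == 0)
            printf("snprintf into str[%d]: \"%s\"\n", EXPAND_BUF, safe);
        else
            printf("snprintf into str[%d]: rejected\n", EXPAND_BUF);
    }
    return 0;
}
```

Running it shows why the reporter's value is the boundary case: -400000000/4 is "-100000000", ten characters plus the NUL, one byte more than str[10] holds, while the positive counterpart fits exactly. The worst case for a 32-bit int, "-2147483648", needs 12 bytes, so any buffer of at least 12 closes the hole; the snprintf return-value check matters regardless of size, because it turns any future undersizing into a rejected value rather than a silent write past the end.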



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#849705; Package unrtf. (Sat, 31 Dec 2016 14:30:02 GMT)


Acknowledgement sent to Willi Mann <willi@debian.org>:
Extra info received and forwarded to list. (Sat, 31 Dec 2016 14:30:02 GMT)


Message #20 received at 849705@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: Jean-Francois Dockes <jf@dockes.org>, 849705@bugs.debian.org
Cc: daved@physiol.usyd.edu.au, Skylake <skyl@protonmail.com>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#849705: unrtf: Stack buffer overflow
Date: Sat, 31 Dec 2016 15:26:48 +0100
Hi Jean-Francois,

Are you fine with the attached patch? I saw that two other cmd_ functions
follow the same pattern, so they are probably also vulnerable, right?

thanks
Willi

Am 2016-12-30 um 19:16 schrieb Jean-Francois Dockes:
> Willi Mann writes:
>  > Hi Dave,
>  > Hi Jean-Francois,
>  > 
>  > I got the following bug report, apparently describing a buffer overflow
>  > in unrtf - which I can reproduce. Do you have a suggestion for a fix?
>  > 
>  > I'm also CCing debian's security team.
>  > 
>  > WM
> 
> I guess that you can just add a package patch to increase the str[] buffer
> size, something like
> 
> - char str[10];
> + char str[15];
> 
> (I'm sure that you could get by with less than 15 but I don't see the
> point).
> 
> For completeness, sprintf() could be changed to snprintf(), but maybe this
> can be left for the next release?
> 
> attr_push() does an strdup of the 2nd parameter, so the increased size
> should not be an issue there.
> 
> I've not tested the change, but I'm foolishly confident that it should fix the
> issue. I'll give it a better look in the following days (and also look for
> possible other instances of the problem).
> 
> jf
> 
> 

[0001-convert.c-Use-safe-buffer-size-and-snprintf.patch (text/x-patch, attachment)]

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2016 15:15:13 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2016 15:27:04 GMT)


Marked as found in versions unrtf/0.21.5-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2016 15:48:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@debian.org>:
Bug#849705; Package unrtf. (Sat, 31 Dec 2016 16:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Willi Mann <willi@debian.org>. (Sat, 31 Dec 2016 16:03:03 GMT)


Message #31 received at 849705@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Willi Mann <willi@debian.org>
Cc: Jean-Francois Dockes <jf@dockes.org>, 849705@bugs.debian.org, daved@physiol.usyd.edu.au, Skylake <skyl@protonmail.com>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#849705: unrtf: Stack buffer overflow
Date: Sat, 31 Dec 2016 16:59:28 +0100
Hi,

On Sat, Dec 31, 2016 at 03:26:48PM +0100, Willi Mann wrote:
> Hi Jean-Francois,
> 
> Are you fine with the attached patch? I saw that two other cmd_ functions
> follow the same pattern, so they are probably also vulnerable, right?

Thanks for the notice. I have done some minor updates to the bug
(adding tags, and found version for the jessie version).

I have requested a CVE here:

http://www.openwall.com/lists/oss-security/2016/12/31/2

Not sure yet if that would warrant a DSA, possibly it could be updated
via the upcoming point release as well.

Regards,
Salvatore



Changed Bug title to 'unrtf: CVE-2016-10091: stack-based buffer overflows in cmd_* functions' from 'unrtf: Stack buffer overflow'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2016 18:54:02 GMT)


Marked as found in versions unrtf/0.21.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2016 19:06:03 GMT)


Reply sent to Willi Mann <willi@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2016 19:51:03 GMT)


Notification sent to Skylake <skyl@protonmail.com>:
Bug acknowledged by developer. (Sat, 31 Dec 2016 19:51:03 GMT)


Message #40 received at 849705-close@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: 849705-close@bugs.debian.org
Subject: Bug#849705: fixed in unrtf 0.21.9-clean-3
Date: Sat, 31 Dec 2016 19:49:28 +0000
Source: unrtf
Source-Version: 0.21.9-clean-3

We believe that the bug you reported is fixed in the latest version of
unrtf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Willi Mann <willi@debian.org> (supplier of updated unrtf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 31 Dec 2016 20:35:19 +0100
Source: unrtf
Binary: unrtf
Architecture: source
Version: 0.21.9-clean-3
Distribution: unstable
Urgency: high
Maintainer: Willi Mann <willi@debian.org>
Changed-By: Willi Mann <willi@debian.org>
Description:
 unrtf      - RTF to other formats converter
Closes: 849705
Changes:
 unrtf (0.21.9-clean-3) unstable; urgency=high
 .
   * Security fix
   * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
     cmd_ functions). closes: 849705
Checksums-Sha1:
 32d22625cf8317479cf66976e3170005ff12868b 1868 unrtf_0.21.9-clean-3.dsc
 1e36bf97457303470410d775e2fd68a1ab53855d 6104 unrtf_0.21.9-clean-3.debian.tar.xz
Checksums-Sha256:
 6e16779899ce765e8cfd015aa03b4b03fdcb84d3bb6ee935097e0943ed8842e5 1868 unrtf_0.21.9-clean-3.dsc
 26b52467952d2a0a030908c0a44121dde69f8005af05faa6511fbf7d5a58487c 6104 unrtf_0.21.9-clean-3.debian.tar.xz
Files:
 3556222cb8ea1f7725fffbcfca1dcf34 1868 text optional unrtf_0.21.9-clean-3.dsc
 a14a89a1c32c664c04dbfa22932a1c7e 6104 text optional unrtf_0.21.9-clean-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#849705; Package unrtf. (Sat, 31 Dec 2016 20:18:03 GMT)


Acknowledgement sent to Willi Mann <willi@debian.org>:
Extra info received and forwarded to list. (Sat, 31 Dec 2016 20:18:03 GMT)


Message #45 received at 849705@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 849705@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#849705: unrtf: Stack buffer overflow
Date: Sat, 31 Dec 2016 21:15:09 +0100
Hi,

> Not sure yet if that would warrant a DSA, possibly it could be updated
> via the upcoming point release as well.

I pushed a jessie branch to the git repository with the patch from
upstream (some hunks had to be ignored). I also uploaded a patched
version to unstable.

https://anonscm.debian.org/cgit/collab-maint/unrtf.git/log/?h=jessie

Let me know how I should proceed for jessie.

Bye
Willi



Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@debian.org>:
Bug#849705; Package unrtf. (Sun, 01 Jan 2017 07:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Willi Mann <willi@debian.org>. (Sun, 01 Jan 2017 07:30:04 GMT)


Message #50 received at 849705@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Willi Mann <willi@debian.org>, 849705@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#849705: unrtf: Stack buffer overflow
Date: Sun, 1 Jan 2017 08:27:34 +0100
Hi Willi,

On Sat, Dec 31, 2016 at 09:15:09PM +0100, Willi Mann wrote:
> Hi,
> 
> > Not sure yet if that would warrant a DSA, possibly it could be updated
> > via the upcoming point release as well.
> 
> I pushed a jessie branch to the git repository with the patch from
> upstream (some hunks had to be ignored). I also uploaded a patched
> version to unstable.
> 
> https://anonscm.debian.org/cgit/collab-maint/unrtf.git/log/?h=jessie
> 
> Let me know how I should proceed for jessie.

Thanks, seen the unstable upload and updated the tracker information.
For jessie, can you schedule a fix via the upcoming point release? Cf.
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Regards,
Salvatore



Reply sent to Willi Mann <willi@debian.org>:
You have taken responsibility. (Fri, 06 Jan 2017 23:36:12 GMT)


Notification sent to Skylake <skyl@protonmail.com>:
Bug acknowledged by developer. (Fri, 06 Jan 2017 23:36:12 GMT)


Message #55 received at 849705-close@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: 849705-close@bugs.debian.org
Subject: Bug#849705: fixed in unrtf 0.21.5-3+deb8u1
Date: Fri, 06 Jan 2017 23:32:13 +0000
Source: unrtf
Source-Version: 0.21.5-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
unrtf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Willi Mann <willi@debian.org> (supplier of updated unrtf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 01 Jan 2017 19:50:41 +0100
Source: unrtf
Binary: unrtf
Architecture: source amd64
Version: 0.21.5-3+deb8u1
Distribution: stable
Urgency: medium
Maintainer: Willi Mann <willi@debian.org>
Changed-By: Willi Mann <willi@debian.org>
Description:
 unrtf      - RTF to other formats converter
Closes: 849705
Changes:
 unrtf (0.21.5-3+deb8u1) stable; urgency=medium
 .
   * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
     cmd_ functions) closes: 849705
Checksums-Sha1:
 b509b150de60c9ea4cd2924d3d0c72c7e80ed43c 1857 unrtf_0.21.5-3+deb8u1.dsc
 c44ba70275788c1d47617f794e8a7ef40cc7d0a7 10988 unrtf_0.21.5-3+deb8u1.debian.tar.xz
 4eb6408e75f074ebdd4553bf7c6edb5cef7232f7 44032 unrtf_0.21.5-3+deb8u1_amd64.deb
Checksums-Sha256:
 e3411332e5d511682834157b2e9b2d84cb5a13212fb1efe3563160c7c1aab14c 1857 unrtf_0.21.5-3+deb8u1.dsc
 0dbdd48df60e78b89f986961782ddf7f6dfdd329d78f466bdcce1fbbff5ef958 10988 unrtf_0.21.5-3+deb8u1.debian.tar.xz
 d7c677d1d55ae92f320a7db1eefe7bbe43b247b6db360590187a087bcb0a07be 44032 unrtf_0.21.5-3+deb8u1_amd64.deb
Files:
 3e9b9131efa684f034fe804d4c6f1e09 1857 text optional unrtf_0.21.5-3+deb8u1.dsc
 69ad47869f3577110567de89ee81529c 10988 text optional unrtf_0.21.5-3+deb8u1.debian.tar.xz
 e489a0afa8939a5322355bbea998104e 44032 text optional unrtf_0.21.5-3+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Feb 2017 07:25:39 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:45:47 2019; Machine Name: beach