libwpd: CVE-2018-19208

Related Vulnerabilities: CVE-2018-19208  

Debian Bug report logs - #913702
libwpd: CVE-2018-19208


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 14 Nov 2018 07:21:02 UTC

Severity: important

Tags: security, upstream

Found in version libwpd/0.10.2-2

Fixed in version libwpd/0.10.2-3

Done: Rene Engelhard <rene@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#913702; Package src:libwpd. (Wed, 14 Nov 2018 07:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Wed, 14 Nov 2018 07:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libwpd: CVE-2018-19208
Date: Wed, 14 Nov 2018 08:19:05 +0100
Source: libwpd
Version: 0.10.2-2
Severity: important
Tags: upstream security

Hi,

The following vulnerability was published for libwpd.

CVE-2018-19208[0]:
| In libwpd 0.10.2, there is a NULL pointer dereference in the function
| WP6ContentListener::defineTable in WP6ContentListener.cpp that will
| lead to a denial of service attack. This is related to WPXTable.h.

I do not know if it was reported to upstream or only in Red Hat bugzilla.

==25333== Memcheck, a memory error detector
==25333== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==25333== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==25333== Command: wpd2html ./poc0-1
==25333==
==25333== Invalid read of size 8
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==    by 0x488D8DA: WP6ContentListener::_handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WP6ContentListener.cpp:1783)
==25333==    by 0x489B90E: WPXContentListener::handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WPXContentListener.cpp:1226)
==25333==    by 0x489C122: WPXContentListener::_openPageSpan() (WPXContentListener.cpp:415)
==25333==    by 0x489C854: WPXContentListener::_openSection() (WPXContentListener.cpp:198)
==25333==    by 0x488EF15: WP6ContentListener::_handleListChange(unsigned short) (WP6ContentListener.cpp:1888)
==25333==    by 0x489CFC1: WPXContentListener::_openSpan() (WPXContentListener.cpp:797)
==25333==    by 0x488B903: WP6ContentListener::insertCharacter(unsigned int) (WP6ContentListener.cpp:423)
==25333==    by 0x48938BF: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:138)
==25333==    by 0x4893922: WP6Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:83)
==25333==    by 0x4893D58: WP6Parser::parse(librevenge::RVNGTextInterface*) (WP6Parser.cpp:225)
==25333==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25333==
==25333==
==25333== Process terminating with default action of signal 11 (SIGSEGV)
==25333==  Access not within mapped region at address 0x0
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==    by 0x488D8DA: WP6ContentListener::_handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WP6ContentListener.cpp:1783)
==25333==    by 0x489B90E: WPXContentListener::handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WPXContentListener.cpp:1226)
==25333==    by 0x489C122: WPXContentListener::_openPageSpan() (WPXContentListener.cpp:415)
==25333==    by 0x489C854: WPXContentListener::_openSection() (WPXContentListener.cpp:198)
==25333==    by 0x488EF15: WP6ContentListener::_handleListChange(unsigned short) (WP6ContentListener.cpp:1888)
==25333==    by 0x489CFC1: WPXContentListener::_openSpan() (WPXContentListener.cpp:797)
==25333==    by 0x488B903: WP6ContentListener::insertCharacter(unsigned int) (WP6ContentListener.cpp:423)
==25333==    by 0x48938BF: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:138)
==25333==    by 0x4893922: WP6Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:83)
==25333==    by 0x4893D58: WP6Parser::parse(librevenge::RVNGTextInterface*) (WP6Parser.cpp:225)
==25333==  If you believe this happened as a result of a stack
==25333==  overflow in your program's main thread (unlikely but
==25333==  possible), you can try to increase the size of the
==25333==  main thread stack using the --main-stacksize= flag.
==25333==  The main thread stack size used in this run was 8388608.
==25333==
==25333== HEAP SUMMARY:
==25333==     in use at exit: 39,843 bytes in 1,012 blocks
==25333==   total heap usage: 9,446 allocs, 8,434 frees, 879,851 bytes allocated
==25333==
==25333== LEAK SUMMARY:
==25333==    definitely lost: 40 bytes in 1 blocks
==25333==    indirectly lost: 16 bytes in 1 blocks
==25333==      possibly lost: 0 bytes in 0 blocks
==25333==    still reachable: 39,787 bytes in 1,010 blocks
==25333==         suppressed: 0 bytes in 0 blocks
==25333== Rerun with --leak-check=full to see details of leaked memory
==25333==
==25333== For counts of detected and suppressed errors, rerun with: -v
==25333== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19208
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19208
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1643752
[2] https://src.fedoraproject.org/rpms/libwpd/blob/e42834b844f3282d8ccb0889abf1b33f3f71e02f/f/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
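
The fault class in the report, as an added C++ illustration that is not part of the bug log and not libwpd's code: the Valgrind trace ends in an `operator[]` read at address 0x0, and the referenced Fedora patch is titled as a bounds check on the `m_currentTable` access. `Table`, `TableList` and `Listener` below are hypothetical stand-ins, and the sample input is constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <vector>

// Hypothetical stand-ins; no name or body here is taken from libwpd.
struct Table { int columns; };

class TableList {
public:
    void add(int columns) { m_tables.push_back(std::make_shared<Table>(Table{columns})); }
    // Unchecked: an index >= size() is undefined behaviour. An empty vector
    // usually has a null storage pointer, so the load faults near address 0.
    std::shared_ptr<Table> &operator[](std::size_t i) { return m_tables[i]; }
    // Checked: a bad index becomes an error the parser can handle.
    std::shared_ptr<Table> &at(std::size_t i) {
        if (i >= m_tables.size()) throw std::out_of_range("undefined table index");
        return m_tables[i];
    }
private:
    std::vector<std::shared_ptr<Table>> m_tables;
};

// Models a listener that takes the next collected table when the input asks.
class Listener {
public:
    explicit Listener(TableList &tables) : m_tables(tables) {}
    // Returns false when the input asks for a table that was never collected.
    bool defineTable() {
        try { m_current = m_tables.at(m_next); }
        catch (const std::out_of_range &) { return false; }
        ++m_next;
        return m_current != nullptr;
    }
    int currentColumns() const { return m_current ? m_current->columns : -1; }
private:
    TableList &m_tables;
    std::size_t m_next = 0;
    std::shared_ptr<Table> m_current;
};

int main() {
    TableList tables;               // constructed input: one table collected
    tables.add(3);
    Listener l(tables);
    bool first = l.defineTable();   // table 0 exists
    bool second = l.defineTable();  // table 1 was never collected
    std::printf("first=%d second=%d columns=%d\n", first, second, l.currentColumns());
}
```

With the checked accessor the second request is rejected and the parser keeps its previous state, where the unchecked `operator[]` would read past the end of the list.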



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#913702. (Wed, 14 Nov 2018 20:27:07 GMT)


Message #8 received at 913702-submitter@bugs.debian.org:

From: Rene Engelhard <rene@debian.org>
To: 913702-submitter@bugs.debian.org
Subject: Bug #913702 in libwpd marked as pending
Date: Wed, 14 Nov 2018 20:24:36 +0000
Control: tag -1 pending

Hello,

Bug #913702 in libwpd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/libreoffice-team/document-liberation/libwpd/commit/035a0dcf4d58f15d1fb5d458862b3bc85355fc4a

------------------------------------------------------------------------
add from Fedora to fix CVE-2018-19208 (closes: #913702)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/913702



Added tag(s) pending. Request was from Rene Engelhard <rene@debian.org> to 913702-submitter@bugs.debian.org. (Wed, 14 Nov 2018 20:27:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#913702; Package src:libwpd. (Wed, 14 Nov 2018 20:33:03 GMT)


Acknowledgement sent to Rene Engelhard <rene@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Wed, 14 Nov 2018 20:33:03 GMT)


Message #15 received at 913702@bugs.debian.org:

From: Rene Engelhard <rene@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 913702@bugs.debian.org
Subject: Re: Bug#913702: libwpd: CVE-2018-19208
Date: Wed, 14 Nov 2018 21:22:04 +0100

Hi,

On Wed, Nov 14, 2018 at 08:19:05AM +0100, Salvatore Bonaccorso wrote:
> [2] https://src.fedoraproject.org/rpms/libwpd/blob/e42834b844f3282d8ccb0889abf1b33f3f71e02f/f/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch

Will apply, thanks.

> Please adjust the affected versions in the BTS as needed.

Assuming stable was affected, I assume it's the same as last time and
this should go over p-u and not -security (since "only" DOS)?

Regards,

Rene



Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#913702; Package src:libwpd. (Wed, 14 Nov 2018 20:51:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Wed, 14 Nov 2018 20:51:08 GMT)


Message #20 received at 913702@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Rene Engelhard <rene@debian.org>
Cc: 913702@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#913702: libwpd: CVE-2018-19208
Date: Wed, 14 Nov 2018 21:50:19 +0100

Hi Rene,

On Wed, Nov 14, 2018 at 09:22:04PM +0100, Rene Engelhard wrote:
> Hi,
> 
> On Wed, Nov 14, 2018 at 08:19:05AM +0100, Salvatore Bonaccorso wrote:
> > [2] https://src.fedoraproject.org/rpms/libwpd/blob/e42834b844f3282d8ccb0889abf1b33f3f71e02f/f/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch
> 
> Will apply, thanks.

Thanks!

> > Please adjust the affected versions in the BTS as needed.
> 
> Assuming stable was affected, I assume it's the same as last time and
> this should go over p-u and not -security (since "only" DOS)?

Yes definitely, we already marked it as 'no-dsa'. So agree it does
not warrant a DSA and can be safely updated via p-u.

Thanks for your work!

Regards,
Salvatore



Reply sent to Rene Engelhard <rene@debian.org>:
You have taken responsibility. (Wed, 14 Nov 2018 20:51:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 14 Nov 2018 20:51:10 GMT)


Message #25 received at 913702-close@bugs.debian.org:

From: Rene Engelhard <rene@debian.org>
To: 913702-close@bugs.debian.org
Subject: Bug#913702: fixed in libwpd 0.10.2-3
Date: Wed, 14 Nov 2018 20:47:38 +0000
Source: libwpd
Source-Version: 0.10.2-3

We believe that the bug you reported is fixed in the latest version of
libwpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913702@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated libwpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 14 Nov 2018 21:16:15 +0100
Source: libwpd
Binary: libwpd-dev libwpd-0.10-10 libwpd-tools libwpd-doc
Architecture: source
Version: 0.10.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Description:
 libwpd-0.10-10 - Library for handling WordPerfect documents (shared library)
 libwpd-dev - Library for handling WordPerfect documents (development)
 libwpd-doc - Library for handling WordPerfect documents (documentation)
 libwpd-tools - Tools from libwpd for converting WordPerfect to HTML/RAW/Text
Closes: 913702
Changes:
 libwpd (0.10.2-3) unstable; urgency=medium
 .
   * debian/patches/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch:
     add from Fedora to fix CVE-2018-19208 (closes: #913702)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#913702; Package src:libwpd. (Wed, 14 Nov 2018 21:51:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Wed, 14 Nov 2018 21:51:03 GMT)


Message #30 received at 913702@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Rene Engelhard <rene@debian.org>, 913702@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#913702: libwpd: CVE-2018-19208
Date: Wed, 14 Nov 2018 22:48:39 +0100

On Wed, Nov 14, 2018 at 09:50:19PM +0100, Salvatore Bonaccorso wrote:
> Hi Rene,
> 
> On Wed, Nov 14, 2018 at 09:22:04PM +0100, Rene Engelhard wrote:
> > Hi,
> > 
> > On Wed, Nov 14, 2018 at 08:19:05AM +0100, Salvatore Bonaccorso wrote:
> > > [2] https://src.fedoraproject.org/rpms/libwpd/blob/e42834b844f3282d8ccb0889abf1b33f3f71e02f/f/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch
> > 
> > Will apply, thanks.
> 
> Thanks!
> 
> > > Please adjust the affected versions in the BTS as needed.
> > 
> > Assuming stable was affected, I assume it's the same as last time and
> > this should go over p-u and not -security (since "only" DOS)?
> 
> Yes definitely, we already marked it as 'no-dsa'. So agree it does
> not warrant a DSA and can be safely updated via p-u.

Yeah, it's hardly even a security issue, otherwise we'd have to
treat every LO crash a security bug :-)

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Dec 2018 07:25:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:25:09 2019; Machine Name: beach
