oss-sec mailing list archives
Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions
From: <cve-assign () mitre org>
Date: Sat, 31 Dec 2016 12:12:14 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I've found a Stack-based buffer overflow in unrtf 0.21.9, which affects three functions including: cmd_expand, cmd_emboss and cmd_engrave.
Apparently writing a negative integer to the buffer can trigger the overflow (Minus sign needs an extra byte).
https://bugs.debian.org/849705
I guess that you can just add a package patch to increate the str[] buffer size, something like - char str[10]; + char str[15];
Use CVE-2016-10091 (for all of the 849705 report). - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYZ+YzAAoJEHb/MwWLVhi2I1wQAKZleo2oQTznb6H4Ktghax2F jJ8ZchpRw9miiQogbGzSHNVFOiR5Ap0O9Kxusy9ndflduYur3Q3ipdLrONVnR+Tp RMMRNfBcWZi3g3DI6q10WeJ1jswoz2wYljICYIZWAHULvj34Y8Gj8fpFqq8Wr4SQ TBDSyF4RyXRNgwBaYiT3VeHQgbYwz7krzLTytmllQ+I8eG9Ehi4p4eNYLKLvUqqL 5zNTnAresR9GytTl2uCyWJN9c+IBr18lZ3BbYnYY9EJZztZLnIRbQPF7mp1ZV4M3 d5xmq2Ota/vl/xUVpn42tq7ZR2tqnKvCOah0aCZsQTBz3MWmajITaAKH6tW8uvdy xxzvDvhN6YFdafrWBfZREdiJab6zprK5P5ErpDoj3/WJukMYVGOmCJWky8JuBI7i tT7OElaJOUoAk0VrcZoWKAGlxrNjQXbfCBUn+xawUgeLYBmUMlBFeoBg1XpZDpl/ 4iuwY55s0nOq+JTtvNswl1uDRh4lJI2JQYm4KNCC6sFgWnuXitTkWUYw+K5vndnX XXLTUj7KoPbg67Q4kKYS7J8wEJxAXFQ6WJZklfzQ0Y81IDuFJMGCyaBnljy2NN84 0uCUp3J39jGFk34j4/HiBFEcBxj1YfBEGuCKfjSj/Ey/to6ECqTR2AhF1TSwfhpt uvY0H3jZ2y/XLDXoUiGr =K2dj -----END PGP SIGNATURE-----
Current thread:
- CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions Salvatore Bonaccorso (Dec 31)
- Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions cve-assign (Dec 31)