oss-sec mailing list archives

Re: CVE request: out-of-bounds memory access flaw in unrtf


From: Alexander Cherepanov <cherepan () mccme ru>
Date: Thu, 11 Dec 2014 22:32:19 +0300

On 2014-12-08 18:36, Hanno Böck wrote:
> Just to keep people updated on this:

Thanks for this.

> Jean-Francois Dockes replied to my bug reports, he's one of the last
> people who did work on unrtf and he's in contact with the maintainer.
> They'll work on fixing all the issues reported. I also pointed them to
> Fabian's patch.

> This sounds good, hopefully we'll get a new unrtf release with fixes
> for all the known issues soon.

0.21.6 is out and seems to incorporate the fixes from Jean-Francois Dockes (with reformatting). Expecting to find security mentioned in ChangeLog or other docs is too much, I guess.

I've fuzzed unrtf with the patch from Fabian Keil a bit and I've found 8 crashes (with different RIP). All of them are fixed in the version by Jean-Francois Dockes (and hence in the release). If someone wants to take a look at them I can upload them somewhere.

OTOH unrtf seems to be a recursive program:

$ perl -e 'print "{" x 100000' > test.rtf
$ unrtf-0.21.6/src/unrtf -P unrtf-0.21.6/outputs test.rtf
Segmentation fault

--
Alexander Cherepanov
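The segfault above comes from unrtf recursing once per nested `{` group with no bound on the depth, so a file of 100000 opening braces exhausts the stack. The following is an added example, not unrtf's code: a minimal recursive walker over RTF group braces that refuses to recurse past a fixed depth and reports unbalanced groups instead of crashing. The constant `RTF_MAX_DEPTH`, the status codes and the function names are assumptions for this illustration.

```c
/* Added example, not from unrtf: depth-bounded recursive walk of RTF groups. */
#include <stddef.h>
#include <string.h>

#define RTF_MAX_DEPTH 64   /* assumed bound; unrtf itself has no such limit */

enum rtf_status { RTF_OK = 0, RTF_TOO_DEEP = -1, RTF_UNBALANCED = -2 };

/* Walk one group starting just after its '{' and advance *pos past the
 * matching '}'. Recursion stops at RTF_MAX_DEPTH, so stack usage is bounded
 * regardless of how many '{' the input contains. */
static int walk_group(const char *s, size_t len, size_t *pos, int depth)
{
    if (depth > RTF_MAX_DEPTH)
        return RTF_TOO_DEEP;
    while (*pos < len) {
        char c = s[(*pos)++];
        if (c == '\\') {                 /* control symbol: skip the escaped char,
                                            so "\{" and "\}" do not open/close groups */
            if (*pos < len)
                (*pos)++;
        } else if (c == '{') {
            int rc = walk_group(s, len, pos, depth + 1);
            if (rc != RTF_OK)
                return rc;
        } else if (c == '}') {
            return RTF_OK;               /* this group is closed */
        }
    }
    return RTF_UNBALANCED;               /* input ended inside an open group */
}

/* Validate the group structure of a whole RTF document before parsing it.
 * Returns RTF_OK, RTF_TOO_DEEP or RTF_UNBALANCED. */
int rtf_check_nesting(const char *doc, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        char c = doc[pos++];
        if (c == '{') {
            int rc = walk_group(doc, len, &pos, 1);
            if (rc != RTF_OK)
                return rc;
        } else if (c == '}') {
            return RTF_UNBALANCED;       /* stray close at top level */
        } else if (c == '\\' && pos < len) {
            pos++;                       /* skip escaped character */
        }
    }
    return RTF_OK;
}
```

Run against the 100000-brace file from the session above, `rtf_check_nesting` returns `RTF_TOO_DEEP` after 65 frames instead of recursing until the stack is gone.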
