oss-sec mailing list archives

Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions


From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 1 Jan 2017 09:03:26 +0100

Hi,

On Sat, Dec 31, 2016 at 12:12:14PM -0500, cve-assign () mitre org wrote:

I've found a Stack-based buffer overflow in unrtf 0.21.9, which
affects three functions including: cmd_expand, cmd_emboss and
cmd_engrave.

Apparently writing a negative integer to the buffer can trigger the
overflow (Minus sign needs an extra byte).

https://bugs.debian.org/849705

I guess that you can just add a package patch to increase the str[] buffer
size, something like

- char str[10];
+ char str[15];
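
Review bot: the new size on the "+ char str[15];" line is still a hand-picked constant, and nothing in this hunk bounds the write into str[]. A 32-bit int printed in decimal needs up to 12 bytes (10 digits, the minus sign and the terminating NUL), so 15 is enough only if the format adds no more than three further characters. Suggest deriving the size from the format and writing with snprintf(str, sizeof(str), ...) so an oversized value is truncated instead of running past the array.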

Use CVE-2016-10091 (for all of the 849705 report).

Upstream patch:
http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406

Regards,
Salvatore
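
Added example (not from the original thread or from UnRTF's source): why a 10-byte buffer holds a nine-digit positive value but not its negative, as the report describes, together with a bounded way to format it. It assumes the value is written with a plain "%d" conversion, which the thread does not show; decimal_bytes, format_int and INT_DEC_BUFSZ are hypothetical names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: the integer is formatted with a plain "%d".
 * Worst-case bytes for any int: digit bound + sign + NUL. */
#define INT_DEC_BUFSZ (sizeof(int) * CHAR_BIT / 3 + 3)

/* Bytes needed to hold v formatted with "%d", including the NUL. */
size_t decimal_bytes(int v)
{
    int n = snprintf(NULL, 0, "%d", v); /* C99: measures without writing */
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting: 0 on success, -1 if v does not fit in cap bytes.
 * On -1 dst holds a truncated, NUL-terminated string; nothing past
 * dst[cap - 1] is ever written. */
int format_int(char *dst, size_t cap, int v)
{
    int n;

    if (dst == NULL || cap == 0)
        return -1;
    n = snprintf(dst, cap, "%d", v);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    const int samples[] = { 123456789, -123456789, INT_MAX, INT_MIN };
    char small[10];            /* size on the "-" line of the quoted patch */
    char safe[INT_DEC_BUFSZ];  /* sized from the type, not by hand */
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int v = samples[i];
        printf("%12d needs %2zu bytes: char[10] %s, char[%zu] %s\n",
               v, decimal_bytes(v),
               format_int(small, sizeof(small), v) ? "too small" : "ok",
               sizeof(safe),
               format_int(safe, sizeof(safe), v) ? "too small" : "ok");
    }
    return 0;
}
```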

