oss-sec mailing list archives
Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 1 Jan 2017 09:03:26 +0100
Hi, On Sat, Dec 31, 2016 at 12:12:14PM -0500, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256I've found a Stack-based buffer overflow in unrtf 0.21.9, which affects three functions including: cmd_expand, cmd_emboss and cmd_engrave.Apparently writing a negative integer to the buffer can trigger the overflow (Minus sign needs an extra byte).https://bugs.debian.org/849705I guess that you can just add a package patch to increate the str[] buffer size, something like - char str[10]; + char str[15];Use CVE-2016-10091 (for all of the 849705 report).
Upstream patch: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 Regards, Salvatore
Current thread:
- Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions Salvatore Bonaccorso (Jan 01)