Your message dated Wed, 20 Apr 2005 02:00:19 -0700 with message-id <[EMAIL PROTECTED]> and subject line CAN-2005-0941: "OpenOffice DOC document Heap Overflow" has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Apr 2005 12:08:48 +0000
>From [EMAIL PROTECTED] Wed Apr 13 05:08:47 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111]
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DLgfn-0002lm-00; Wed, 13 Apr 2005 05:08:47 -0700
Received: from p54893e8f.dip.t-dialin.net ([84.137.62.143] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50) id 1DLgfl-0005px-Ba
	for [EMAIL PROTECTED]; Wed, 13 Apr 2005 14:08:46 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.50)
	id 1DLgfg-0002cF-AI; Wed, 13 Apr 2005 14:08:40 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: openoffice.org: Invalid range checking in DOC header parsing leading to possible heap overflow
X-Mailer: reportbug 3.9
Date: Wed, 13 Apr 2005 14:08:39 +0200
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 84.137.62.143
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

Package: openoffice.org
Version: 1.1.3-8
Severity: grave
Tags: security
Justification: user security hole

Lee Xioajun <[EMAIL PROTECTED]> reported an issue with invalid input checks in DOC header parsing, which can possibly be exploited for remote code execution. I'm including his advisory verbatim, as I could not find a WWW reference for it. The relevant issue #s seem to be 46276 and 46388. It's supposed to be fixed upstream, but I couldn't find it in the plethora of CVS modules and subprojects.

Cheers,
	Moritz

OpenOffice DOC document Heap Overflow [Security Advisory]

Advisory: [AD_LAB-05001] OpenOffice DOC document Heap Overflow
Class: Design Error
Date: 30/3/2005
CVE ID: CAN-2005-0941
Vulnerable: <= OpenOffice 1.1.4 - OpenOffice 2.0dev
Unvulnerable: Unknown
Vendor: www.openoffice.org

I. DESCRIPTION:
-------------

OpenOffice.org is an office productivity suite, including word processing, spreadsheets, presentations, drawings, data charting, formula editing, and file conversion facilities.

The vulnerability is caused by an error within the .Doc document header processing. This can be exploited to cause a heap-based buffer overflow.

II. DETAILS:
----------

There is a vulnerability in the StgCompObjStream::Load() function. When reading the format information of a DOC document, memory is allocated using a length provided by the DOC. The DOC provides a 32-bit integer, and the low 16 bits of this number are used to allocate the memory, but when reading the DOC information the full 32-bit number is still used as the length. This may cause a heap overflow, and when the free happens it will cause a pointer write, which may cause arbitrary code execution.
    BOOL StgCompObjStream::Load()
    {
        memset( &aClsId, 0, sizeof( ClsId ) );
        nCbFormat = 0;
        aUserName.Erase();
        if( GetError() != SVSTREAM_OK )
            return FALSE;
        Seek( 8L );
        INT32 nMarker = 0;
        *this >> nMarker;
        if( nMarker == -1L )
        {
            *this >> aClsId;
            INT32 nLen1 = 0;
            *this >> nLen1;                               // we can control this 32-bit int
            sal_Char* p = new sal_Char[ (USHORT) nLen1 ]; // uses the low 16 bits of the value to allocate memory
            if( Read( p, nLen1 ) == (ULONG) nLen1 )       // still uses the 32-bit int as the length; if it fails,
                                                          // execution goes to the free step, which may cause a pointer write
            {
                aUserName = String( p, gsl_getSystemTextEncoding() );
                ....
                nCbFormat = ReadClipboardFormat( *this );
            }
            else
                SetError( SVSTREAM_GENERALERROR );
            delete [] p;                                  // free step: the heap overflow causes a pointer write
        }
        return BOOL( GetError() == SVSTREAM_OK );
    }

Example: if we provide 0x10000018 as nLen1, 0x18 bytes of memory will be allocated, but Read( p, nLen1 ) still uses 0x10000018 as the length. The read will then fail, but the length read is bigger than the allocated memory and overwrites the next chunk. When execution reaches delete [] p;, the pointer write happens.

We have triggered this problem successfully. StarOffice may be affected too; we did not test it.

III. CREDIT:
----------

AD-LAB discovered this vuln :)
Vulnerability analysis and advisory by A1rsupp1y.
Special thanks to xalan's discussion.
Thanks to Sam, icbm, liangbin and all Venustech AD-Lab guys :P.

V. DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2005 VENUSTECH. All Rights Reserved. Terms of use.
VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD (http://www.venustech.com.cn)
Security Trusted {Solution} Provider Service

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages openoffice.org depends on:
ii  dictionaries-common [openof  0.25.3        Common utilities for spelling dict
ii  openoffice.org-bin           1.1.2dfsg1-2  OpenOffice.org office suite binary
ii  openoffice.org-debian-files  1.1.2-5+1     Debian specific parts of OpenOffic
ii  openoffice.org-l10n-de [ope  1.1.2dfsg1-2  German language package for OpenOf
ii  openoffice.org-l10n-en [ope  1.1.2dfsg1-2  English (US) language package for
ii  ttf-opensymbol               1.1.3-8       The OpenSymbol TrueType font

-- no debconf information

---------------------------------------
Received: (at 304412-done) by bugs.debian.org; 20 Apr 2005 09:00:19 +0000
>From [EMAIL PROTECTED] Wed Apr 20 02:00:19 2005
Return-path: <[EMAIL PROTECTED]>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (localhost.localdomain) [66.93.39.86]
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DOB4F-0003KY-00; Wed, 20 Apr 2005 02:00:19 -0700
Received: by localhost.localdomain (Postfix, from userid 1000)
	id 3BA05172A57; Wed, 20 Apr 2005 02:00:19 -0700 (PDT)
Date: Wed, 20 Apr 2005 02:00:19 -0700
From: Steve Langasek <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: CAN-2005-0941: "OpenOffice DOC document Heap Overflow"
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="eAbsdosE1cNLO4uF"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

--eAbsdosE1cNLO4uF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi all,

OOo 1.1.3-9 has been built on all architectures now, and (barring any sudden new uploads of the package between now and dinstall) will make its way into testing tomorrow.

Cheers,
-- 
Steve Langasek
postmodern programmer

--eAbsdosE1cNLO4uF
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCZhoeKN6ufymYLloRAkj1AKDDRrS3uxP+MNkKWIHamrY8LkFp3wCgxDh0
R+KqIRPny5km/MBIUXsI76M=
=DvfO
-----END PGP SIGNATURE-----

--eAbsdosE1cNLO4uF--
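The defect the advisory in the original report describes is a single untrusted 32-bit length used two different ways: cast to USHORT for the allocation, but passed whole to Read(). The following is an added, stand-alone C++ illustration written for this page; it is not the advisory's code and not OpenOffice.org's own Load() or its fix. It shows the truncation arithmetic that produces the mismatch (0x10000018 becomes a 0x18-byte allocation) and a hardened counterpart of the loader in which one validated length drives both the allocation and the read, rejecting the value before any memory is touched. The stream layout (8-byte prefix, 4-byte marker, 16-byte CLSID, 4-byte length), the function names, the 0xFFFF cap and the sample streams are all assumptions constructed for the illustration; the hardened loader also goes slightly beyond the advisory's case by handling streams that end early.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Outcome of parsing the (assumed) CompObj stream layout.
enum class LoadStatus { Ok, Truncated, LengthTooLarge, LengthExceedsStream };

struct LoadResult {
    LoadStatus status;
    std::string userName;
};

// What the original code allocated versus what it asked Read() for:
// the allocation used (USHORT) nLen1, the read used the full nLen1.
struct AllocVsRead {
    uint32_t allocated;
    uint32_t requested;
};

AllocVsRead mismatch(int32_t nLen1) {
    return { static_cast<uint16_t>(nLen1), static_cast<uint32_t>(nLen1) };
}

// Sanity cap on the user-name length (assumed value for the illustration).
constexpr uint32_t kMaxUserName = 0xFFFF;

// Reads a little-endian 32-bit value at pos; fails if fewer than 4 bytes remain.
static bool readU32(const std::vector<uint8_t>& buf, size_t& pos, uint32_t& out) {
    if (buf.size() - pos < 4) return false;
    out = static_cast<uint32_t>(buf[pos])
        | static_cast<uint32_t>(buf[pos + 1]) << 8
        | static_cast<uint32_t>(buf[pos + 2]) << 16
        | static_cast<uint32_t>(buf[pos + 3]) << 24;
    pos += 4;
    return true;
}

// Hardened counterpart of the Load() logic (hypothetical, not the project's fix):
// one length drives both the allocation and the read, and it is checked against
// a cap and against the bytes actually present before anything is allocated.
LoadResult loadCompObj(const std::vector<uint8_t>& stream) {
    size_t pos = 8;                                            // Seek( 8L )
    if (stream.size() < pos) return {LoadStatus::Truncated, ""};
    uint32_t marker = 0;
    if (!readU32(stream, pos, marker)) return {LoadStatus::Truncated, ""};
    if (marker != 0xFFFFFFFFu) return {LoadStatus::Ok, ""};   // nMarker != -1: nothing to parse
    if (stream.size() - pos < 16) return {LoadStatus::Truncated, ""};
    pos += 16;                                                 // skip the CLSID
    uint32_t nLen1 = 0;
    if (!readU32(stream, pos, nLen1)) return {LoadStatus::Truncated, ""};
    if (nLen1 > kMaxUserName) return {LoadStatus::LengthTooLarge, ""};
    if (nLen1 > stream.size() - pos) return {LoadStatus::LengthExceedsStream, ""};
    std::string name(reinterpret_cast<const char*>(stream.data() + pos), nLen1);
    return {LoadStatus::Ok, name};
}

// Builds a constructed sample stream in the assumed layout.
std::vector<uint8_t> buildStream(uint32_t nLen1, const std::string& payload) {
    std::vector<uint8_t> s(8, 0);                              // 8-byte prefix
    auto put32 = [&s](uint32_t v) {
        for (int i = 0; i < 4; ++i) s.push_back(static_cast<uint8_t>(v >> (8 * i)));
    };
    put32(0xFFFFFFFFu);                                        // marker == -1
    s.insert(s.end(), 16, 0);                                  // CLSID (zeros)
    put32(nLen1);
    s.insert(s.end(), payload.begin(), payload.end());
    return s;
}

int main() {
    AllocVsRead m = mismatch(0x10000018);
    std::cout << std::hex << "allocated 0x" << m.allocated
              << " bytes, Read() asked for 0x" << m.requested << "\n";
    LoadResult r = loadCompObj(buildStream(0x10000018u, std::string(0x18, 'A')));
    std::cout << "hardened loader status: " << static_cast<int>(r.status) << "\n";
    return 0;
}
```

The check order matters: the cap rejects absurd lengths cheaply, and the comparison against the remaining stream bytes guarantees that a read of nLen1 bytes can never run past what was allocated for it, so a failed read can no longer leave a partially overwritten neighbouring chunk behind for delete[] to trip over.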