To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=72615

Issue #|72615
Summary|oowriter crash on document import
Component|Word processor
Version|OOo 2.1
Platform|PC
URL|http://www.milw0rm.com/sploits/12122006-djtest.doc
OS/Version|Linux
Status|UNCONFIRMED
Status whiteboard|
Keywords|
Resolution|
Issue type|DEFECT
Priority|P3
Subcomponent|open-import
Assigned to|mru
Reported by|frankdelange
------- Additional comments from [EMAIL PROTECTED] Fri Dec 15 03:20:30 -0800 2006 -------

oowriter crashes when trying to import this document:
http://www.milw0rm.com/sploits/12122006-djtest.doc

The document is a proof of concept for an exploitable overflow in Microsoft Word. It seems to trigger a bug in OO.o as well (possibly also open for exploit?)

Here's the trace:

(I) x.org loaded video driver of...
(II) Loading /usr/lib/xorg/modules/drivers/v4l_drv.so
(II) Loading /usr/lib/xorg/modules/drivers/radeon_drv.so
(II) Loading /usr/lib/xorg/modules/drivers/ati_drv.so
(II) Reloading /usr/lib/xorg/modules/drivers/radeon_drv.so
(III) Desktop is: GNOME
(IV) libgcj version is: libgcj-4.1.1-44-i386
(V) kernel is: Linux 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686 i386
(VI) OpenOffice.org core rpm version is: openoffice.org-core-2.1.0-6.1-i386
(VII) depth of root window: 24 planes
(VIII) accessibility is: false
(VIV) fedora release is: Fedora Core release 6 (Rawhide)
...start free space details ...
...end free space details ...
...start sestatus details ...
SELinux status: disabled
...end sestatus details ...
...start stackreport details ...
0x620bef8: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x22ef8
0x620cb8b: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x23b8b
0xd4e420: + 0x420 (__kernel_sigreturn + 0x0)
0x39e962d: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75062d
0x39f10d0: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7580d0
0x39f11c3: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7581c3
0x39f63e1: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75d3e1
0x39a3b60: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70ab60
0x39a50a7: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70c0a7
0x39a5a86: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70ca86
0x39a5ba1: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70cba1
0x38621bf: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x5c91bf
0x3a5df35: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7c4f35
0x7d6e3bc: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x1a23bc (SfxObjectShell::DoLoad(SfxMedium*) + 0x79c)
0x7dd6283: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x20a283 (SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) + 0x323)
0x7e0c84f: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x24084f
0x2240ca6: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x19fca6
0x22428ba: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x1a18ba
0x22430a5: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x1a20a5
0x20e86f3: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x476f3
0x31e8e2f: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x3ee2f (desktop::DispatchWatcher::executeDispatchRequests(_STL::vector<desktop::DispatchWatcher::DispatchRequest, _STL::allocator<desktop::DispatchWatcher::DispatchRequest> > const&) + 0x194f)
0x31db671: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x31671 (desktop::OfficeIPCThread::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&) + 0x151)
0x31d581a: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2b81a (desktop::Desktop::OpenClients() + 0x14ea)
0x31d6f30: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2cf30 (desktop::Desktop::OpenClients_Impl(void*) + 0x50)
0x31d6fe4: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2cfe4 (desktop::Desktop::LinkStubOpenClients_Impl(void*, void*) + 0x24)
0x6c013e6: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x28a3e6
0x1d515c: /usr/lib/openoffice.org2.1/program/libvclplug_gen680li.so + 0x4f15c (SalDisplay::DispatchInternalEvent() + 0xbc)
0x144f71: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0xff71
0x144fb1: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0xffb1
0x859491: /lib/libglib-2.0.so.0 + 0x29491
0x85b1f2: /lib/libglib-2.0.so.0 + 0x2b1f2 (g_main_context_dispatch + 0x182)
0x85e1cf: /lib/libglib-2.0.so.0 + 0x2e1cf
0x85e735: /lib/libglib-2.0.so.0 + 0x2e735 (g_main_context_iteration + 0x65)
0x146e81: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0x11e81
0x1dfdb7: /usr/lib/openoffice.org2.1/program/libvclplug_gen680li.so + 0x59db7 (X11SalInstance::Yield(bool, bool) + 0x37)
0x6a0e988: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x97988 (Application::Yield(bool) + 0x68)
0x6a0ea5c: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x97a5c (Application::Execute() + 0x3c)
0x31d0ab9: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x26ab9 (desktop::Desktop::Main() + 0x1779)
0x6a144dc: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x9d4dc
0x6a145e5: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x9d5e5 (SVMain() + 0x35)
0x31c18f9: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x178f9 (sal_main + 0x59)
0x31c1984: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x17984 (main + 0x44)
0x575e5c: /lib/libc.so.6 + 0x15e5c (__libc_start_main + 0xdc)
0x80484c1: /usr/lib/openoffice.org2.1/program/swriter.bin + 0x4c1
...end stackreport details ...
...start sample ldd details ...
...end sample ldd details ...

I have not run gdb on this crash but someone else did: (from a Slashdot posting, he used OO.o 2.0.4)

"...The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter (). EIP may not have been overwritten; the value points into what appears to be a valid function (i.e. not the stack or heap):
eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487"

I used the current Fedora core development distribution of OO.o for the backtrace, based on openoffice.org-2.1.0-6.1.src.rpm

---------------------------------------------------------------------
Please do not reply to this automatically generated notification from Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
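Added here as a worked example, not part of the issue report or of OpenOffice.org's own code: a small Python parser for the crash reporter's stackreport lines quoted above, written from the triage angle the report itself takes. Each line has the shape `<address>: <module> + <offset> [(<symbol> + <offset>)]`, so the load base of every mapped object can be recovered as `address - offset`; all frames of one object must agree on that base, which is a cheap check that the report was not garbled. The frames above `__kernel_sigreturn` are the signal handler that produced the report (here in libuno_sal), so the first frame below the trampoline, inside libsw680li.so (Writer), is where the fault was taken, and `SfxObjectShell::DoLoad` is the nearest symbolized caller, i.e. the document-load path. The sample input is a subset of the frames from the report above; the function and class names are this example's own.

```python
"""Parse OpenOffice.org 2.x crash-reporter "stackreport" frames and locate
the frame that was executing when the crash signal was delivered."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One frame per line, as emitted by the OOo 2.x crash reporter:
#   <abs addr>: <module path> + <offset in module> [(<symbol> + <offset in symbol>)]
# The module path is empty for the kernel's signal-return trampoline.
_FRAME_RE = re.compile(
    r"^(?P<addr>0x[0-9a-fA-F]+):\s*"
    r"(?P<module>[^\s+]*)\s*\+\s*(?P<offset>0x[0-9a-fA-F]+)"
    r"(?:\s*\((?P<symbol>.*) \+ (?P<symoff>0x[0-9a-fA-F]+)\))?\s*$"
)

# Subset of the frames from issue 72615's stackreport (copied from the report above),
# wrapped in the reporter's own marker lines so the section extraction is exercised.
SAMPLE_REPORT = """\
...start stackreport details ...
0x620bef8: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x22ef8
0x620cb8b: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x23b8b
0xd4e420: + 0x420 (__kernel_sigreturn + 0x0)
0x39e962d: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75062d
0x39f10d0: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7580d0
0x7d6e3bc: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x1a23bc (SfxObjectShell::DoLoad(SfxMedium*) + 0x79c)
0x7dd6283: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x20a283 (SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) + 0x323)
0x31c1984: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x17984 (main + 0x44)
0x575e5c: /lib/libc.so.6 + 0x15e5c (__libc_start_main + 0xdc)
0x80484c1: /usr/lib/openoffice.org2.1/program/swriter.bin + 0x4c1
...end stackreport details ...
...start sample ldd details ...
"""


@dataclass(frozen=True)
class Frame:
    addr: int
    module: str              # mapped object; "" for the vsyscall/vdso trampoline
    offset: int              # distance of addr from the object's load base
    symbol: Optional[str]
    symoff: Optional[int]

    @property
    def base(self) -> int:
        """Load base of the object this frame belongs to."""
        return self.addr - self.offset


def parse_frame(line: str) -> Frame:
    m = _FRAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a stackreport frame: {line!r}")
    return Frame(
        addr=int(m["addr"], 16),
        module=m["module"],
        offset=int(m["offset"], 16),
        symbol=m["symbol"],
        symoff=int(m["symoff"], 16) if m["symoff"] else None,
    )


def parse_stackreport(text: str) -> List[Frame]:
    """Parse the frames of a crash report; if the reporter's
    '...start/end stackreport details ...' markers are present, only the
    block between them is read."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if "start stackreport details" in l]
    if starts:
        start = starts[0] + 1
        end = next((i for i, l in enumerate(lines) if "end stackreport details" in l), len(lines))
        lines = lines[start:end]
    return [parse_frame(l) for l in lines if l.strip()]


def module_bases(frames: List[Frame]) -> Dict[str, int]:
    """Recover each object's load base from addr - offset. Frames of the same
    object must agree; a mismatch means the report is garbled."""
    bases: Dict[str, int] = {}
    for f in frames:
        if f.module and bases.setdefault(f.module, f.base) != f.base:
            raise ValueError(f"inconsistent base for {f.module}: {bases[f.module]:#x} vs {f.base:#x}")
    return bases


def faulting_frame(frames: List[Frame]) -> Optional[Frame]:
    """Frames above __kernel_sigreturn are the signal handler that wrote the
    report; the first frame below the trampoline is the code that was running
    when the signal was delivered. None if the report has no trampoline."""
    for i, f in enumerate(frames):
        if f.symbol == "__kernel_sigreturn":
            return frames[i + 1] if i + 1 < len(frames) else None
    return None


def nearest_symbolized_caller(frames: List[Frame]) -> Optional[Frame]:
    """First frame at or below the faulting frame that carries a symbol."""
    fault = faulting_frame(frames)
    if fault is None:
        return None
    return next((f for f in frames[frames.index(fault):] if f.symbol), None)


if __name__ == "__main__":
    frames = parse_stackreport(SAMPLE_REPORT)
    for mod, base in sorted(module_bases(frames).items(), key=lambda kv: kv[1]):
        print(f"{base:#010x}  {mod}")
    fault = faulting_frame(frames)
    caller = nearest_symbolized_caller(frames)
    print(f"fault in {fault.module} + {fault.offset:#x}; nearest symbol: {caller.symbol}")
```

Every recovered base in the real report is page aligned (libsw680li.so at 0x3299000, swriter.bin at the classic 0x8048000), which is the same kind of sanity check the quoted gdb note applies to EIP: an address that lands inside a mapped object rather than on the stack or heap.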
