Your message dated Mon, 03 Dec 2012 19:02:30 +0000 with message-id <[email protected]> and subject line Bug#692076: fixed in catdoc 0.94.4-1.1 has caused the Debian Bug report #692076, regarding catdoc: Extra ';' turns for loop into a buffer overflow to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
692076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692076
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: catdoc
Version: 0.94.3-1
Severity: serious
Tags: patch, security

src/xlsparse.c contains:

    for (i=0;i<NUMOFDATEFORMATS; i++);
    FormatIdxUsed[i]=0;

The ';' at the end of the first line shouldn't be there. It results in the code doing the same as:

    i = NUMOFDATEFORMATS;
    FormatIdxUsed[i]=0;

And FormatIdxUsed has NUMOFDATEFORMATS elements, which start from 0 so FormatIdxUsed[NUMOFDATEFORMATS] is writing off the end of the buffer.

That's undefined behaviour in C and a security issue, though whether it's usefully exploitable in the current binary packages depends what happens to be put in memory after it. But an obvious use case for catdoc is viewing attachments you get sent or files you download, so it seems wise to assume this could be exploited unless proved otherwise, so I've tagged this "security" and set the severity to "serious".

Patch attached. I'm happy to NMU a fix (at least assuming I can work around #692073), so let me know if you'd like me to.

Cheers,
Olly

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages catdoc depends on:
ii  libc6  2.13-35

catdoc recommends no packages.

Versions of packages catdoc suggests:
ii  tk            8.5.0-2
ii  tk8.4 [wish]  8.4.19-5
ii  tk8.5 [wish]  8.5.11-2

-- no debconf information
--- End Message ---
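
The failure mode described in the report above, as an added example that is not part of the original report or of the catdoc source. It runs the loop as quoted and the intended loop over an array with one spare trailing slot, so the stray write can be observed without undefined behaviour; the array size of 8, the canary value, the spare slot and the helper function names are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#define NUMOFDATEFORMATS 8   /* assumed size; the report does not give the real value */
#define CANARY 0x5A          /* assumed marker meaning "never written" */

/* The real array has NUMOFDATEFORMATS elements. The one spare slot added here
   stands in for whatever memory follows it, so the stray write is observable. */
static char FormatIdxUsed[NUMOFDATEFORMATS + 1];

/* Loop as quoted in the report: the ';' is the entire loop body. */
int buggy_clear(void)
{
    int i;
    memset(FormatIdxUsed, CANARY, sizeof FormatIdxUsed);
    for (i = 0; i < NUMOFDATEFORMATS; i++);
    FormatIdxUsed[i] = 0;    /* runs once, with i == NUMOFDATEFORMATS */
    return i;
}

/* Intended loop: braces make the body explicit. */
int fixed_clear(void)
{
    int i;
    memset(FormatIdxUsed, CANARY, sizeof FormatIdxUsed);
    for (i = 0; i < NUMOFDATEFORMATS; i++) {
        FormatIdxUsed[i] = 0;
    }
    return i;
}

/* Number of in-bounds elements that were actually zeroed. */
int cleared_in_bounds(void)
{
    int i, n = 0;
    for (i = 0; i < NUMOFDATEFORMATS; i++)
        n += (FormatIdxUsed[i] == 0);
    return n;
}

/* 1 if the slot just past the real array was overwritten. */
int overran(void) { return FormatIdxUsed[NUMOFDATEFORMATS] != CANARY; }

int main(void)
{
    buggy_clear();
    printf("buggy: cleared=%d overran=%d\n", cleared_in_bounds(), overran());
    fixed_clear();
    printf("fixed: cleared=%d overran=%d\n", cleared_in_bounds(), overran());
    return 0;
}
```

With the stray ';' none of the intended elements is initialised and the only write lands one element past the end. GCC's -Wmisleading-indentation (enabled by -Wall) and Clang's -Wempty-body report this pattern when the assignment is indented under the for.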
--- Begin Message ---
Source: catdoc
Source-Version: 0.94.4-1.1

We believe that the bug you reported is fixed in the latest version of catdoc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Neil Williams <[email protected]> (supplier of updated catdoc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 03 Dec 2012 18:22:47 +0000
Source: catdoc
Binary: catdoc
Architecture: source amd64
Version: 0.94.4-1.1
Distribution: unstable
Urgency: low
Maintainer: Nick Bane <[email protected]>
Changed-By: Neil Williams <[email protected]>
Description:
 catdoc - MS-Word to TeX or plain text converter
Closes: 692073 692076
Changes:
 catdoc (0.94.4-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * New upstream release to remove .pc subdirectory from the orig tarball
     (Closes: #692073). Includes updating version strings in generated
     manpages.
   * Remove extra ';' in src/xlsparse.c which turned for loop in xlsparse
     into a buffer overflow (Closes: #692076), applies patch by
     Olly Betts <[email protected]>.
--- End Message ---

