Bug#1008092: antiword: Buffer overflow in the vAnalyseSummaryInfo function in summary.c in Antiword 0.37
Control: tag -1 +moreinfo
Control: severity -1 normal
On Thu, Mar 24, 2022 at 04:00:23AM +, Olly Betts wrote:
> On Tue, Mar 22, 2022 at 06:56:23PM +0800, Jieyong Ma @ tdhxkj.com wrote:
> > Backtraces:
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x00449515 in vAnalyseSummaryInfo (aucBuffer=0x6928f0 "t\001") at
> > summary.c:225
> > 225 switch (tPropID) {
>
> That seems a surprising line to segfault on as there's no dereference
> happening. Maybe optimisation has lead to misleading debug line numbers
> though.
>
> > (gdb) bt
> > #0 0x00449515 in vAnalyseSummaryInfo (aucBuffer=0x6928f0 "t\001")
> > at summary.c:225
> > #1 vSetSummaryInfoOLE (pFile=0x68f2e0, pFile@entry=0x37,
> > pPPS=0x7fffbb10, pPPS@entry=0x68f2e0, aulBBD=0x68fb00,
> > aulBBD@entry=0x7fffbb80, tBBDLen=55, tBBDLen@entry=37,
> > aulSBD=aulSBD@entry=0x68fe80, tSBDLen=tSBDLen@entry=2)
> > at summary.c:628
> > #2 0x00449bcf in vSet8SummaryInfo (pFile=0xff7f013c,
> > pFile@entry=0x68f2e0, pPPS=0x692a08, pPPS@entry=0x7fffbb10, aulBBD=0xb,
> > aulBBD@entry=0x68fb00, tBBDLen=10, tBBDLen@entry=55, aulSBD=0x692820,
> > aulSBD@entry=0x68fe80,
> > tSBDLen=29113347658312010, tSBDLen@entry=2, aucHeader=0x2 > Cannot access memory at address 0x2>) at summary.c:686
> > #3 0x00442126 in vGetPropertyInfo (pFile=pFile@entry=0x68f2e0,
> > pPPS=0x7fffbb10, pPPS@entry=0x7fffbb00,
> > aulBBD=aulBBD@entry=0x68fb00, tBBDLen=, tBBDLen@entry=55,
> > aulSBD=0x68fe80, aulSBD@entry=0x68fb00,
> > tSBDLen=2, tSBDLen@entry=0, aucHeader=0x7fffbb80 "\354\245\301",
> > iWordVersion=8) at properties.c:145
> > #4 0x00458464 in iInitDocumentOLE (pFile=,
> > pFile@entry=0x68f2e0, lFilesize=, lFilesize@entry=28672) at
> > wordole.c:792
> > #5 0x004552fb in iInitDocument (pFile=,
> > pFile@entry=0x68f2e0, lFilesize=, lFilesize@entry=28672) at
> > wordlib.c:325
> > #6 0x0044ce1f in bWordDecryptor (pFile=pFile@entry=0x68f2e0,
> > lFilesize=lFilesize@entry=28672, pDiag=0x68fac0) at word2text.c:665
> > #7 0x00403ef3 in bProcessFile (szFilename=) at
> > main_u.c:214
> > #8 main (argc=2, argv=0x7fffe558) at main_u.c:310
> >
> > Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2064638
>
> "Red Hat Bugzilla – Bug Access Denied"
I still can't access this bug report.
I assume that's where `vAnalyseSummaryInfo.poc.doc` can be found (you
didn't attach it to this bug report), so all I have to go on is the
backtrace which points to a line where there's no dereference.
There aren't any patches in Fedora that we don't have an equivalent of,
except for antiword-0.32-fix-flags.patch which isn't relevant to us:
https://src.fedoraproject.org/rpms/antiword/tree/rawhide
There doesn't seem to be a CVE for this (only ones from 2005 and 2014):
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=antiword
So as it stands, I don't see I can do anything useful with your report.
> There's no active upstream for antiword so someone needs to come up with
> a patch. If someone already has that'd be helpful (and better for the
> various Linux distros to all use the same fix than each come up with
> their own).
This is also very much still true.
Tagging appropriately. I've lowered the severity since failing to
process a single example file is not "a bug which has a major effect on
the usability of a package, without rendering it completely unusable to
everyone".
As best I can make out this is a segfault while reading, so there
doesn't seem there's a security implication either.
Cheers,
Olly
Bug#1008092: antiword: Buffer overflow in the vAnalyseSummaryInfo function in summary.c in Antiword 0.37
On Tue, Mar 22, 2022 at 06:56:23PM +0800, Jieyong Ma @ tdhxkj.com wrote:
> Backtraces:
> Program received signal SIGSEGV, Segmentation fault.
> 0x00449515 in vAnalyseSummaryInfo (aucBuffer=0x6928f0 "t\001") at
> summary.c:225
> 225 switch (tPropID) {
That seems a surprising line to segfault on as there's no dereference
happening. Maybe optimisation has lead to misleading debug line numbers
though.
> (gdb) bt
> #0 0x00449515 in vAnalyseSummaryInfo (aucBuffer=0x6928f0 "t\001") at
> summary.c:225
> #1 vSetSummaryInfoOLE (pFile=0x68f2e0, pFile@entry=0x37,
> pPPS=0x7fffbb10, pPPS@entry=0x68f2e0, aulBBD=0x68fb00,
> aulBBD@entry=0x7fffbb80, tBBDLen=55, tBBDLen@entry=37,
> aulSBD=aulSBD@entry=0x68fe80, tSBDLen=tSBDLen@entry=2)
> at summary.c:628
> #2 0x00449bcf in vSet8SummaryInfo (pFile=0xff7f013c,
> pFile@entry=0x68f2e0, pPPS=0x692a08, pPPS@entry=0x7fffbb10, aulBBD=0xb,
> aulBBD@entry=0x68fb00, tBBDLen=10, tBBDLen@entry=55, aulSBD=0x692820,
> aulSBD@entry=0x68fe80,
> tSBDLen=29113347658312010, tSBDLen@entry=2, aucHeader=0x2 access memory at address 0x2>) at summary.c:686
> #3 0x00442126 in vGetPropertyInfo (pFile=pFile@entry=0x68f2e0,
> pPPS=0x7fffbb10, pPPS@entry=0x7fffbb00, aulBBD=aulBBD@entry=0x68fb00,
> tBBDLen=, tBBDLen@entry=55, aulSBD=0x68fe80,
> aulSBD@entry=0x68fb00,
> tSBDLen=2, tSBDLen@entry=0, aucHeader=0x7fffbb80 "\354\245\301",
> iWordVersion=8) at properties.c:145
> #4 0x00458464 in iInitDocumentOLE (pFile=,
> pFile@entry=0x68f2e0, lFilesize=, lFilesize@entry=28672) at
> wordole.c:792
> #5 0x004552fb in iInitDocument (pFile=,
> pFile@entry=0x68f2e0, lFilesize=, lFilesize@entry=28672) at
> wordlib.c:325
> #6 0x0044ce1f in bWordDecryptor (pFile=pFile@entry=0x68f2e0,
> lFilesize=lFilesize@entry=28672, pDiag=0x68fac0) at word2text.c:665
> #7 0x00403ef3 in bProcessFile (szFilename=) at
> main_u.c:214
> #8 main (argc=2, argv=0x7fffe558) at main_u.c:310
>
> Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2064638
"Red Hat Bugzilla – Bug Access Denied"
There's no active upstream for antiword so someone needs to come up with
a patch. If someone already has that'd be helpful (and better for the
various Linux distros to all use the same fix than each come up with
their own).
Cheers,
Olly
Bug#1008092: antiword: Buffer overflow in the vAnalyseSummaryInfo function in summary.c in Antiword 0.37
Package: antiword
Version: 0.37-16
Severity: important
X-Debbugs-Cc: jieyong...@gmail.com
Dear Maintainer,
Description of problem:
antiword crashes with the provided doc file
How reproducible:
antiword vAnalyseSummaryInfo.poc.doc
Backtraces:
Program received signal SIGSEGV, Segmentation fault.
0x00449515 in vAnalyseSummaryInfo (aucBuffer=0x6928f0 "t\001") at
summary.c:225
225 switch (tPropID) {
(gdb) bt
#0 0x00449515 in vAnalyseSummaryInfo (aucBuffer=0x6928f0 "t\001") at
summary.c:225
#1 vSetSummaryInfoOLE (pFile=0x68f2e0, pFile@entry=0x37, pPPS=0x7fffbb10,
pPPS@entry=0x68f2e0, aulBBD=0x68fb00, aulBBD@entry=0x7fffbb80, tBBDLen=55,
tBBDLen@entry=37, aulSBD=aulSBD@entry=0x68fe80, tSBDLen=tSBDLen@entry=2)
at summary.c:628
#2 0x00449bcf in vSet8SummaryInfo (pFile=0xff7f013c,
pFile@entry=0x68f2e0, pPPS=0x692a08, pPPS@entry=0x7fffbb10, aulBBD=0xb,
aulBBD@entry=0x68fb00, tBBDLen=10, tBBDLen@entry=55, aulSBD=0x692820,
aulSBD@entry=0x68fe80,
tSBDLen=29113347658312010, tSBDLen@entry=2, aucHeader=0x2 ) at summary.c:686
#3 0x00442126 in vGetPropertyInfo (pFile=pFile@entry=0x68f2e0,
pPPS=0x7fffbb10, pPPS@entry=0x7fffbb00, aulBBD=aulBBD@entry=0x68fb00,
tBBDLen=, tBBDLen@entry=55, aulSBD=0x68fe80,
aulSBD@entry=0x68fb00,
tSBDLen=2, tSBDLen@entry=0, aucHeader=0x7fffbb80 "\354\245\301",
iWordVersion=8) at properties.c:145
#4 0x00458464 in iInitDocumentOLE (pFile=,
pFile@entry=0x68f2e0, lFilesize=, lFilesize@entry=28672) at
wordole.c:792
#5 0x004552fb in iInitDocument (pFile=,
pFile@entry=0x68f2e0, lFilesize=, lFilesize@entry=28672) at
wordlib.c:325
#6 0x0044ce1f in bWordDecryptor (pFile=pFile@entry=0x68f2e0,
lFilesize=lFilesize@entry=28672, pDiag=0x68fac0) at word2text.c:665
#7 0x00403ef3 in bProcessFile (szFilename=) at
main_u.c:214
#8 main (argc=2, argv=0x7fffe558) at main_u.c:310
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2064638
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-12-amd64 (SMP w/4 CPU threads)
Locale: LANG=zh_CN.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8),
LANGUAGE=zh_CN:zh
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages antiword depends on:
ii libc6 2.31-13+deb11u2
antiword recommends no packages.
antiword suggests no packages.
-- no debconf information
