
Bug#913702: libwpd: CVE-2018-19208



Source: libwpd
Version: 0.10.2-2
Severity: important
Tags: upstream security

Hi,

The following vulnerability was published for libwpd.

CVE-2018-19208[0]:
| In libwpd 0.10.2, there is a NULL pointer dereference in the function
| WP6ContentListener::defineTable in WP6ContentListener.cpp that will
| lead to a denial of service attack. This is related to WPXTable.h.

I do not know if it was reported to upstream or only in Red Hat bugzilla.

==25333== Memcheck, a memory error detector
==25333== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==25333== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==25333== Command: wpd2html ./poc0-1
==25333==
==25333== Invalid read of size 8
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==    by 0x488D8DA: WP6ContentListener::_handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WP6ContentListener.cpp:1783)
==25333==    by 0x489B90E: WPXContentListener::handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WPXContentListener.cpp:1226)
==25333==    by 0x489C122: WPXContentListener::_openPageSpan() (WPXContentListener.cpp:415)
==25333==    by 0x489C854: WPXContentListener::_openSection() (WPXContentListener.cpp:198)
==25333==    by 0x488EF15: WP6ContentListener::_handleListChange(unsigned short) (WP6ContentListener.cpp:1888)
==25333==    by 0x489CFC1: WPXContentListener::_openSpan() (WPXContentListener.cpp:797)
==25333==    by 0x488B903: WP6ContentListener::insertCharacter(unsigned int) (WP6ContentListener.cpp:423)
==25333==    by 0x48938BF: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:138)
==25333==    by 0x4893922: WP6Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:83)
==25333==    by 0x4893D58: WP6Parser::parse(librevenge::RVNGTextInterface*) (WP6Parser.cpp:225)
==25333==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25333==
==25333==
==25333== Process terminating with default action of signal 11 (SIGSEGV)
==25333==  Access not within mapped region at address 0x0
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==    by 0x488D8DA: WP6ContentListener::_handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WP6ContentListener.cpp:1783)
==25333==    by 0x489B90E: WPXContentListener::handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WPXContentListener.cpp:1226)
==25333==    by 0x489C122: WPXContentListener::_openPageSpan() (WPXContentListener.cpp:415)
==25333==    by 0x489C854: WPXContentListener::_openSection() (WPXContentListener.cpp:198)
==25333==    by 0x488EF15: WP6ContentListener::_handleListChange(unsigned short) (WP6ContentListener.cpp:1888)
==25333==    by 0x489CFC1: WPXContentListener::_openSpan() (WPXContentListener.cpp:797)
==25333==    by 0x488B903: WP6ContentListener::insertCharacter(unsigned int) (WP6ContentListener.cpp:423)
==25333==    by 0x48938BF: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:138)
==25333==    by 0x4893922: WP6Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:83)
==25333==    by 0x4893D58: WP6Parser::parse(librevenge::RVNGTextInterface*) (WP6Parser.cpp:225)
==25333==  If you believe this happened as a result of a stack
==25333==  overflow in your program's main thread (unlikely but
==25333==  possible), you can try to increase the size of the
==25333==  main thread stack using the --main-stacksize= flag.
==25333==  The main thread stack size used in this run was 8388608.
==25333==
==25333== HEAP SUMMARY:
==25333==     in use at exit: 39,843 bytes in 1,012 blocks
==25333==   total heap usage: 9,446 allocs, 8,434 frees, 879,851 bytes allocated
==25333==
==25333== LEAK SUMMARY:
==25333==    definitely lost: 40 bytes in 1 blocks
==25333==    indirectly lost: 16 bytes in 1 blocks
==25333==      possibly lost: 0 bytes in 0 blocks
==25333==    still reachable: 39,787 bytes in 1,010 blocks
==25333==         suppressed: 0 bytes in 0 blocks
==25333== Rerun with --leak-check=full to see details of leaked memory
==25333==
==25333== For counts of detected and suppressed errors, rerun with: -v
==25333== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19208
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19208
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1643752
[2] https://src.fedoraproject.org/rpms/libwpd/blob/e42834b844f3282d8ccb0889abf1b33f3f71e02f/f/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
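The crash above reads through address 0x0 from an operator[] call inside defineTable, i.e. the listener indexes a table that is not there. The following C++ example is an added illustration of that bug class and is not code from libwpd, the report, or the Fedora patch: the class and member names (Listener, TableModel, m_currentTable, defineTableUnchecked, defineTableChecked, replayHardened) are hypothetical stand-ins that model a parser callback keeping a pointer to the table currently being built, which is null whenever no table is open. It places the unchecked access next to a version that rejects a table definition arriving outside any table, or referencing a row that does not exist, instead of dereferencing.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <memory>
#include <vector>

// Hypothetical table model (not libwpd's WPXTable): operator[] does no bounds
// checking, like the raw access the valgrind trace points at.
struct TableModel {
    std::vector<std::vector<int>> rows;
    std::vector<int> &operator[](std::size_t i) { return rows[i]; }
    std::size_t rowCount() const { return rows.size(); }
};

// One parser event as a malformed document can deliver it: a "define table"
// record may arrive when no table is open, or name a row that was never added.
struct DefineTableEvent {
    std::uint8_t position;
    std::uint16_t leftOffset;
    std::size_t row;
};

class Listener {
public:
    void openTable() {
        m_tables.push_back(std::make_unique<TableModel>());
        m_currentTable = m_tables.back().get();
        m_currentTable->rows.emplace_back();  // one row to attach definitions to
    }
    void closeTable() { m_currentTable = nullptr; }

    // Vulnerable shape: trusts that a table is open and that the row exists.
    // With m_currentTable == nullptr this reads through address 0 (SIGSEGV),
    // which is the denial of service the CVE describes.
    void defineTableUnchecked(const DefineTableEvent &e) {
        (*m_currentTable)[e.row].push_back(e.position);
        (*m_currentTable)[e.row].push_back(e.leftOffset);
    }

    // Hardened shape: validate state and index before touching the table.
    // Returns false when the event was dropped so callers can log it.
    bool defineTableChecked(const DefineTableEvent &e) {
        if (!m_currentTable)
            return false;  // no table open: malformed stream, ignore the record
        if (e.row >= m_currentTable->rowCount())
            return false;  // row index out of range
        (*m_currentTable)[e.row].push_back(e.position);
        (*m_currentTable)[e.row].push_back(e.leftOffset);
        return true;
    }

    std::size_t tableCount() const { return m_tables.size(); }

private:
    TableModel *m_currentTable = nullptr;
    std::vector<std::unique_ptr<TableModel>> m_tables;
};

// Replays a constructed event stream through the hardened path and returns how
// many definitions were dropped. The stream with no open table is exactly the
// input the unchecked path crashes on.
std::size_t replayHardened(bool openTableFirst) {
    Listener l;
    if (openTableFirst)
        l.openTable();
    const DefineTableEvent events[] = {{1, 100, 0}, {2, 200, 5}, {3, 300, 0}};
    std::size_t dropped = 0;
    for (const auto &e : events)
        if (!l.defineTableChecked(e))
            ++dropped;
    return dropped;
}

int main() {
    std::cout << "dropped with a table open:   " << replayHardened(true) << "\n";
    std::cout << "dropped with no table open:  " << replayHardened(false) << "\n";
    return 0;
}
```

Running it shows the hardened listener dropping the out-of-range row when a table is open and all three records when none is, where defineTableUnchecked would have faulted on the first record. A fix along these lines also gives the parser a natural place to count rejected records, which is useful when fuzzing inputs such as the poc file named in the trace.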
