Re: CVE-2006-2197: integer overflow in wv2
Hi,
The wv2 packages are now maintained by the Debian Qt/KDE team. To the
Debian Qt/KDE people (who are CCed): please see Joey's message below.
Ben.
On Wed, Jun 14, 2006 at 10:32:04AM +0200, Martin Schulze wrote:
> A boundary checking error has been discovered in wv2, a library for
> accessing Microsoft Word documents, which can lead to an integer
> overflow induced by processing word files.
>
> Please
> . update the package in sid
> . mention the CVE id from the subject in the changelog
> . tell me the version number of the fixed package
> . use urgency=high
>
> Regards,
>
> Joey
>
> --
> The good thing about standards is that there are so many to choose from.
> -- Andrew S. Tanenbaum
> diff -u wv2-0.2.2/debian/changelog wv2-0.2.2/debian/changelog
> --- wv2-0.2.2/debian/changelog
> +++ wv2-0.2.2/debian/changelog
> @@ -1,3 +1,11 @@
> +wv2 (0.2.2-1sarge1) stable-security; urgency=high
> +
> + * Non-maintainer upload by the Security Team
> + * Applied upstream patch to fix boundary check error [src/word_helper.h,
> + CVE-2006-2197]
> +
> + -- Martin Schulze <joey@infodrom.org> Mon, 12 Jun 2006 15:19:58 +0200
> +
> wv2 (0.2.2-1) unstable; urgency=low
>
> * New upstream bugfix release.
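Review bot: the version 0.2.2-1sarge1 with distribution stable-security is right for the sarge security upload, but Joey's request above is for sid, and that upload needs its own changelog entry with a version that sorts above 0.2.2-1sarge1 (0.2.2-2, for example) and the same CVE-2006-2197 reference, so the fix is recorded in both branches and the unstable package remains an upgrade from the sarge one.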
> only in patch2:
> unchanged:
> --- wv2-0.2.2.orig/src/word_helper.h
> +++ wv2-0.2.2/src/word_helper.h
> @@ -552,8 +552,12 @@
> const U8 tmp = m_fkp.m_rgb[ m_index ].offset;
> // Now we have to calculate the real offset and then locate it
> // within our cached array...
> - if ( tmp != 0 )
> - return &m_fkp.m_fkp[ tmp * 2 - m_fkp.m_internalOffset ];
> + if ( tmp != 0 ) {
> + const int pos = tmp * 2 - m_fkp.m_internalOffset;
> + if (pos < 0 || pos >= 511 - m_fkp.m_internalOffset)
> + return 0;
> + return &m_fkp.m_fkp[ pos ];
> + }
> }
> return 0;
> }
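Review bot: the upper-bound half of the new check cannot fire as written. tmp is a U8, so tmp * 2 is at most 510, and pos >= 511 - m_fkp.m_internalOffset is the same condition as tmp * 2 >= 511, which never holds; only the pos < 0 test does any work. If the intent is to keep pos inside m_fkp, compare it against the actual size of m_fkp and give that bound a name instead of writing 511 inline. Separately, this accessor now returns 0 for an out-of-range offset where the old code always returned a pointer when tmp != 0, so every caller needs to handle a null result, otherwise the out-of-bounds access just becomes a null dereference one level up.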