
Bug#913702: marked as done (libwpd: CVE-2018-19208)



Your message dated Wed, 14 Nov 2018 20:47:38 +0000
with message-id <E1gN24Y-000BG6-TB@fasolo.debian.org>
and subject line Bug#913702: fixed in libwpd 0.10.2-3
has caused the Debian Bug report #913702,
regarding libwpd: CVE-2018-19208
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
913702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913702
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libwpd
Version: 0.10.2-2
Severity: important
Tags: upstream security

Hi,

The following vulnerability was published for libwpd.

CVE-2018-19208[0]:
| In libwpd 0.10.2, there is a NULL pointer dereference in the function
| WP6ContentListener::defineTable in WP6ContentListener.cpp that will
| lead to a denial of service attack. This is related to WPXTable.h.

I do not know if it was reported to upstream or only in Red Hat bugzilla.

==25333== Memcheck, a memory error detector
==25333== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==25333== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==25333== Command: wpd2html ./poc0-1
==25333==
==25333== Invalid read of size 8
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==    by 0x488D8DA: WP6ContentListener::_handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WP6ContentListener.cpp:1783)
==25333==    by 0x489B90E: WPXContentListener::handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WPXContentListener.cpp:1226)
==25333==    by 0x489C122: WPXContentListener::_openPageSpan() (WPXContentListener.cpp:415)
==25333==    by 0x489C854: WPXContentListener::_openSection() (WPXContentListener.cpp:198)
==25333==    by 0x488EF15: WP6ContentListener::_handleListChange(unsigned short) (WP6ContentListener.cpp:1888)
==25333==    by 0x489CFC1: WPXContentListener::_openSpan() (WPXContentListener.cpp:797)
==25333==    by 0x488B903: WP6ContentListener::insertCharacter(unsigned int) (WP6ContentListener.cpp:423)
==25333==    by 0x48938BF: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:138)
==25333==    by 0x4893922: WP6Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:83)
==25333==    by 0x4893D58: WP6Parser::parse(librevenge::RVNGTextInterface*) (WP6Parser.cpp:225)
==25333==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25333==
==25333==
==25333== Process terminating with default action of signal 11 (SIGSEGV)
==25333==  Access not within mapped region at address 0x0
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==    by 0x488D8DA: WP6ContentListener::_handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WP6ContentListener.cpp:1783)
==25333==    by 0x489B90E: WPXContentListener::handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WPXContentListener.cpp:1226)
==25333==    by 0x489C122: WPXContentListener::_openPageSpan() (WPXContentListener.cpp:415)
==25333==    by 0x489C854: WPXContentListener::_openSection() (WPXContentListener.cpp:198)
==25333==    by 0x488EF15: WP6ContentListener::_handleListChange(unsigned short) (WP6ContentListener.cpp:1888)
==25333==    by 0x489CFC1: WPXContentListener::_openSpan() (WPXContentListener.cpp:797)
==25333==    by 0x488B903: WP6ContentListener::insertCharacter(unsigned int) (WP6ContentListener.cpp:423)
==25333==    by 0x48938BF: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:138)
==25333==    by 0x4893922: WP6Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:83)
==25333==    by 0x4893D58: WP6Parser::parse(librevenge::RVNGTextInterface*) (WP6Parser.cpp:225)
==25333==  If you believe this happened as a result of a stack
==25333==  overflow in your program's main thread (unlikely but
==25333==  possible), you can try to increase the size of the
==25333==  main thread stack using the --main-stacksize= flag.
==25333==  The main thread stack size used in this run was 8388608.
==25333==
==25333== HEAP SUMMARY:
==25333==     in use at exit: 39,843 bytes in 1,012 blocks
==25333==   total heap usage: 9,446 allocs, 8,434 frees, 879,851 bytes allocated
==25333==
==25333== LEAK SUMMARY:
==25333==    definitely lost: 40 bytes in 1 blocks
==25333==    indirectly lost: 16 bytes in 1 blocks
==25333==      possibly lost: 0 bytes in 0 blocks
==25333==    still reachable: 39,787 bytes in 1,010 blocks
==25333==         suppressed: 0 bytes in 0 blocks
==25333== Rerun with --leak-check=full to see details of leaked memory
==25333==
==25333== For counts of detected and suppressed errors, rerun with: -v
==25333== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19208
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19208
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1643752
[2] https://src.fedoraproject.org/rpms/libwpd/blob/e42834b844f3282d8ccb0889abf1b33f3f71e02f/f/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
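A triage sketch for Memcheck output like the trace in the report above, added here as an example (it is not part of the original message, libwpd or Valgrind): it extracts the faulting access, flags accesses near address 0 as NULL dereferences, and derives a stack bucket for de-duplicating crashes. The function names, the 0x1000 threshold and the three-frame bucket depth are assumptions; the sample is excerpted from the trace above with the deeper frames trimmed.

```python
import hashlib
import re

# Excerpt of the Memcheck output quoted in the report (deeper frames trimmed).
SAMPLE = """\
==25333== Invalid read of size 8
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^==\d+== (Invalid (read|write) of size (\d+))$")
# Only frames carrying "(file:line)" debug info are matched; others are skipped.
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \(([^()]+):(\d+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is ")
NULL_PAGE = 0x1000  # assumption: faults below one page are treated as NULL-based


def parse_memcheck(log):
    """Return one dict per 'Invalid read/write' error found in a Memcheck log."""
    errors, cur = [], None
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = {"kind": m.group(2), "size": int(m.group(3)), "frames": [], "address": None}
            errors.append(cur)
            continue
        if cur is None:
            continue
        m = FRAME_RE.match(line)
        if m and cur["address"] is None:  # later stacks (e.g. the SIGSEGV repeat) are ignored
            cur["frames"].append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = ADDR_RE.match(line)
        if m:
            cur["address"] = int(m.group(1), 16)
    return errors


def triage(err, depth=3):
    """Classify an error and compute a stack bucket for de-duplicating crashes."""
    near_null = err["address"] is not None and err["address"] < NULL_PAGE
    # Hash function and file names only, so the bucket survives rebuilds and ASLR.
    key = "|".join(f"{fn}@{src}" for fn, src, _ in err["frames"][:depth])
    return {
        "class": f"null-deref-{err['kind']}" if near_null else f"invalid-{err['kind']}",
        "top_frame": err["frames"][0] if err["frames"] else None,
        "bucket": hashlib.sha256(key.encode()).hexdigest()[:12],
    }
```

On the excerpt, `triage(parse_memcheck(SAMPLE)[0])` classifies the fault as `null-deref-read` with `operator[]` in `WPXTable.h` as the top frame, which matches the denial-of-service description in the CVE text.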
--- Begin Message ---
Source: libwpd
Source-Version: 0.10.2-3

We believe that the bug you reported is fixed in the latest version of
libwpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913702@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated libwpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 14 Nov 2018 21:16:15 +0100
Source: libwpd
Binary: libwpd-dev libwpd-0.10-10 libwpd-tools libwpd-doc
Architecture: source
Version: 0.10.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Description:
 libwpd-0.10-10 - Library for handling WordPerfect documents (shared library)
 libwpd-dev - Library for handling WordPerfect documents (development)
 libwpd-doc - Library for handling WordPerfect documents (documentation)
 libwpd-tools - Tools from libwpd for converting WordPerfect to HTML/RAW/Text
Closes: 913702
Changes:
 libwpd (0.10.2-3) unstable; urgency=medium
 .
   * debian/patches/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch:
     add from Fedora to fix CVE-2018-19208 (closes: #913702)
Checksums-Sha1:
 b36cf29b4282267bbfddfdda29664e0918e40d4a 2052 libwpd_0.10.2-3.dsc
 a8ae8a82ce72a7296290e5b43487fbedc4ae7567 12032 libwpd_0.10.2-3.debian.tar.xz
 4bfecb1118d4c160a0ffaa60a51de508ebfb5868 6159 libwpd_0.10.2-3_source.buildinfo
Checksums-Sha256:
 9218ddb4c1721c3ab91cb3cfc3fe3339dda38f4e217a27d2befe5b3b2b475cbd 2052 libwpd_0.10.2-3.dsc
 49599cfdcdff48742f056d9b8acf4f881b5c37101411f004ac88ba7654eb60c1 12032 libwpd_0.10.2-3.debian.tar.xz
 39336aa749b989c168916a6b42465cc4bc95e31cdbd16443ded7ead9d3954204 6159 libwpd_0.10.2-3_source.buildinfo
Files:
 fdd6916e07d39f91e0eb70878341a45f 2052 devel optional libwpd_0.10.2-3.dsc
 e25089208db9cb72f49b46228dcb6925 12032 devel optional libwpd_0.10.2-3.debian.tar.xz
 bc7a709d7895c28a0ccd3d4c61b48e51 6159 devel optional libwpd_0.10.2-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
