Package: wv
Version: 1.2.9-5
Severity: grave
Justification: renders package unusable and may threaten users' privacy if exploited

Run the following instructions on a Debian 12 64bit to trigger a SEGFAULT:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install wv
$ wvConvert z_wvGetGrpXst.dxx

(the proof-of-concept file is attached)

Error returned:

Errore di segmentazione

(it's the Italian for "segfault")

Valgrind output

[..]
==7692== Invalid write of size 8
==7692==    at 0x487F714: wvGetGrpXst (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
==7692==    by 0x488B759: wvDecodeComplex (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
==7692==    by 0x488C9FE: wvText (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
==7692==    by 0x1093F3: ??? (in /usr/bin/wvConvert)
==7692==    by 0x4917249: (below main) (libc_start_call_main.h:58)
==7692==  Address 0xfffffffffffffff8 is not stack'd, malloc'd or (recently) free'd

GDB Backtrace

#0 0x00007ffff7f41714 in wvGetGrpXst () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
#1 0x00007ffff7f4d75a in wvDecodeComplex () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
#2 0x00007ffff7f4e9ff in wvText () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
#3 0x00005555555553f4 in ?? ()
#4 0x00007ffff7d6a24a in __libc_start_call_main (main=main@entry=0x555555555210, argc=argc@entry=2,
   argv=argv@entry=0x7fffffffe138) at ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x00007ffff7d6a305 in __libc_start_main_impl (main=0x555555555210, argc=2, argv=0x7fffffffe138, init=<optimized out>,
   fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128) at ../csu/libc-start.c:360
#6 0x00005555555555f1 in ?? ()

wv package depends on:

libc6
libglib2.0-0
libgsf-1-114
libwmf-0.2-7
libwmflite-0.2-7
libwv-1.2-4

Kernel/arch in use:

Linux debian-test 6.1.0-35-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.137-1 (2025-05-07) x86_64 GNU/Linux

Hardware used in the test:

Intel Core i7 11700K
8Gb ram
(VM on Oracle Virtualbox on the host with 32Gb ram)

Best regards, Gipoco.
Attachment:
z_wvGetGrpXst.dxx
Description: Binary data
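
For triage of the report above, an added example (not part of the original report and not code from the wv project): it parses the Valgrind record quoted in the report and reinterprets the faulting address as a signed 64-bit offset from address 0. The function names, the 4096-byte window and the bucket labels are assumptions made for this illustration; the bucket is a triage hint, not a root cause.

```python
import re
# Memcheck record copied from the report above (whitespace normalised).
SAMPLE = """\
==7692== Invalid write of size 8
==7692==    at 0x487F714: wvGetGrpXst (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
==7692==    by 0x488B759: wvDecodeComplex (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
==7692==    by 0x488C9FE: wvText (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
==7692==    by 0x1093F3: ??? (in /usr/bin/wvConvert)
==7692==    by 0x4917249: (below main) (libc_start_call_main.h:58)
==7692==  Address 0xfffffffffffffff8 is not stack'd, malloc'd or (recently) free'd
"""

ACCESS = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((?:in |[^()]+:\d+\))")
ADDR = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is ")
PAGE = 4096  # assumed width of the "close to address 0" window used for bucketing

def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' record found in memcheck output."""
    records, cur = [], None
    for line in text.splitlines():
        if m := ACCESS.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "frames": [], "addr": None}
            records.append(cur)
        elif cur is not None and (m := FRAME.match(line)):
            cur["frames"].append(m[1])
        elif cur is not None and (m := ADDR.match(line)):
            cur["addr"] = int(m[1], 16)
            cur = None  # the Address line closes the record
    return records

def signed64(addr):
    """Reinterpret a 64-bit address as a signed offset from address 0."""
    return addr - (1 << 64) if addr >= (1 << 63) else addr

def triage(rec):
    """Summarise a record; bucket names are heuristics, not a root cause."""
    off = None if rec["addr"] is None else signed64(rec["addr"])
    bucket = ("unknown" if off is None else
              "negative-offset-from-zero" if -PAGE <= off < 0 else
              "near-null" if 0 <= off < PAGE else "other")
    return {"top_frame": rec["frames"][0] if rec["frames"] else None,
            "kind": rec["kind"], "size": rec["size"], "offset": off, "bucket": bucket}

if __name__ == "__main__":
    for r in parse_memcheck(SAMPLE):
        print(triage(r))
```

For the record in this report the offset is -8, with wvGetGrpXst as the top frame, which is a useful key for deduplicating crashes from the same input corpus.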