| Summary: | unrtf new security issues CVE-2014-9274 and CVE-2014-9275 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, olchal, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/627408/ | | |
| Whiteboard: | has_procedure advisory MGA4-32-OK MGA4-64-OK | | |
| Source RPM: | unrtf-0.21.5-3.mga5.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2014-12-11 21:09:05 CET

David Walser
2014-12-11 21:09:14 CET
Whiteboard: (none) => MGA4TOO

Updated packages uploaded for Mageia 4 and Cauldron. Advisory to come later. For now, see the thread linked in Comment 0.

unrtf-0.21.6-1.mga4 from unrtf-0.21.6-1.mga4.src.rpm

Version: Cauldron => 4

Testing on Mageia4x32 real hardware
From current package:
----------------------
unrtf-0.21.2-3.mga4
with sample.rtf found on web
$ unrtf sample.rtf
copied the output in sample.html and verified it was ok in browser
$ unrtf --text sample.rtf
which gave output in ASCII text mode
Trying to reproduce PoCs found in Description:
$ echo '{\cb-999999999' >x
$ unrtf x
Produces a segmentation fault
$ perl -e 'print "{" x 100000' > test.rtf
$ unrtf test.rtf
Produces a segmentation fault
To updated testing package:
--------------------------
unrtf-0.21.6-1.mga4
Tried with sample.rtf as before: OK
$ echo '{\cb-999999999' >x2
$ unrtf x2
No segmentation fault anymore.
$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf
Erreur de segmentation
Updated testing package does not solve security bug here.
--------------------------------------------------------
CC: (none) => olchal

Thanks for the procedure Olivier. I can reproduce the segfault with the second PoC indeed, adding the feedback marker for now.

CC: (none) => remi

@David: There seems to be a 0.21.7 version upstream, published 3 days after 0.21.6: http://ftp.gnu.org/gnu/unrtf/
The changelog is not really helpful since it seems messed up (no reference to the security issues that should have been fixed by 0.21.6):
---
0.21.6:
- improved man page
- improved USAGE string
- fix to attr.c for clang compilation
0.21.7:
- improved code for creation of image files when RTF files containing images processed
- prevent segmentation violations with RTF input containing corrupt \info content
---
I built it locally (cauldron) and can still reproduce the segfault with:
$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf

Thanks
Rémi.
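The test procedure from Olivier's comment above, turned into a repeatable QA check. This is an added example, not code from the bug report or from the unrtf project: it assumes the binary under test is named by UNRTF (default: unrtf in PATH), and it uses an awk loop as a stand-in for the thread's perl one-liner.

```shell
#!/bin/sh
# QA regression check for the unrtf update (added example, not from the thread).
# Recreates the two inputs from Olivier's procedure and reports which of them
# still make unrtf die from a signal. Assumes the binary under test is $UNRTF
# and that a process killed by a signal exits with status 128+signal in sh.

UNRTF="${UNRTF:-unrtf}"

# make_pocs DIR: write the thread's two crash inputs into DIR.
make_pocs() {
    # CVE-2014-9274 input: out-of-range colour index (echo '{\cb-999999999' > x)
    printf '{\\cb-999999999' > "$1/cb.rtf"
    # Deeply nested groups: perl -e 'print "{" x 100000' (still unfixed in 0.21.7)
    awk 'BEGIN { for (i = 0; i < 100000; i++) printf "{" }' > "$1/braces.rtf"
}

# died_by_signal CMD ARGS...: run the command with output discarded; return 0
# if it was killed by a signal such as SIGSEGV, non-zero otherwise.
died_by_signal() {
    "$@" >/dev/null 2>&1
    [ $? -ge 128 ]
}

# check_pocs DIR: run $UNRTF on every PoC in DIR, print one line per file and
# return the number of inputs that still crash (0 means every input survived).
check_pocs() {
    dir=$1
    failures=0
    for f in "$dir"/*.rtf; do
        if died_by_signal "$UNRTF" "$f"; then
            echo "CRASH  $f"
            failures=$((failures + 1))
        else
            echo "ok     $f"
        fi
    done
    return "$failures"
}

# run_qa: create the inputs in a temporary directory, run the check, clean up.
run_qa() {
    tmp=$(mktemp -d)
    make_pocs "$tmp"
    check_pocs "$tmp"; status=$?
    rm -rf "$tmp"
    return "$status"
}
```

Source the file and call `run_qa` (for example `UNRTF=/usr/bin/unrtf sh -c '. ./unrtf_qa.sh && run_qa'`); with unrtf-0.21.7-1.mga4 the expected result is one CRASH line for braces.rtf and an exit status of 1, matching the thread's findings.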
Olivier confirmed that "echo '{\cb-999999999' >x" is fixed, and that is CVE-2014-9274.
The PoC for the CVE-2014-9275 issues is the tarball linked here:
https://lists.gnu.org/archive/html/bug-unrtf/2014-11/msg00000.html
I don't believe the "perl -e 'print "{" x 100000'" issue has a CVE or a fix yet.
I've asked for a freeze push for 0.21.7 and will push it for Mageia 4 once that's done.
unrtf-0.21.7-1.mga4 is uploaded. Please test :o)

Whiteboard: has_procedure feedback => has_procedure

Further testing on Mageia4x32 real hardware

With current unrtf-0.21.2-3.mga4:
--------------------------------
using the tarball mentioned by David in Comment 5 (https://lists.gnu.org/archive/html/bug-unrtf/2014-11/msg00000.html) where I found 5 files (+logfiles). The 2 last files created segmentation faults, the 3 others giving no problem.

Updated to latest testing package:
---------------------------------
unrtf-0.21.7-1.mga4.i586
None of the files found in tarball gave segfaults anymore.
$ echo '{\cb-999999999' >x2
$ unrtf x2
No segmentation fault
$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf
Still a segmentation fault but I understand it was expected since that bug isn't addressed in present package.
$ unrtf sample.rtf (from file found on the web from my previous testing)
still worked OK
So this is OK, keeping in mind that this package solves all but one issue and produces no regression from my testing.

Adding the OK from Olivier's test in comment 7.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

MGA4-64 on HP Probook 6555b
Confirm results of handling files x2 and sample.rtf as in Comment 7

CC: (none) => herman.viaene

Herman Viaene
2014-12-18 15:12:27 CET
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

This one needs an advisory please too

Advisory:
========================

Updated unrtf package fixes security vulnerabilities:

Michal Zalewski reported an out-of-bounds memory access vulnerability in unrtf. Processing a malformed RTF file could lead to a segfault while accessing a pointer that may be under the attacker's control. This would lead to a denial of service (application crash) or, potentially, the execution of arbitrary code (CVE-2014-9274).

Hanno Böck also reported a number of other crashes in unrtf (CVE-2014-9275).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9275
https://bugzilla.redhat.com/show_bug.cgi?id=1170233

Thanks, uploaded as above with srpm from comment 6

Validating. Could sysadmin please push to 4 updates
Thanks

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0533.html

Resolution: (none) => FIXED

FYI, I'm waiting for a freeze push in Cauldron for 0.21.8. I believe it's supposed to fix the remaining issue.

URL: (none) => http://lwn.net/Vulnerabilities/627408/