Bug 14882

Summary: unrtf denial of service issues fixed upstream in 0.21.8
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, ottoleipala1, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/629243/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: unrtf-0.21.7-1.mga4.src.rpm CVE:
Status comment:
Attachments: RTF sample test file

Description David Walser 2014-12-23 19:21:05 CET 
Upstream has released 0.21.8 which should fix the remaining crasher issues:
http://openwall.com/lists/oss-security/2014/12/22/4

This is a follow-up to Bug 14783.

Hopefully it also fixes the issue in this post, which hadn't been addressed by the previous update:
http://openwall.com/lists/oss-security/2014/12/11/11

Advisory:
========================

Updated unrtf package fixes security vulnerability:

Hanno Böck also reported a number of other crashes in unrtf besides the ones
associated with CVE-2014-9275.  These could allow a denial of service when
opening a malicious malformed RTF file which causes unrtf to crash.

References:
http://openwall.com/lists/oss-security/2014/12/22/4
========================

Updated package in core/updates_testing:
========================
unrtf-0.21.8-1.mga4

from unrtf-0.21.8-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 olivier charles 2014-12-24 11:57:30 CET 
Created attachment 5758 [details]
RTF sample test file


Testing on Mageia 4x32 real hardware

From current package :
--------------------
unrtf-0.21.7-1.mga4

First with PoC
$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf
Erreur de segmentation

Then with a rtfsampletest.rtf written in LibreOffice (in attachment)

$ unrtf rtfsampletest.rtf
outputs in html format. If output copied to a html file, opens in browser ok.
$ unrtf --text rtfsampletest.rtf
outputs in ASCII characters

To updated testing package :
--------------------------
unrtf-0.21.8-1.mga4

$ perl -e 'print "{" x 100000' > test3.rtf
$ unrtf test3.rtf 
Warning: Max group depth reached (...)
gives a warning but no segmentation fault.

$ unrtf rtfsampletest.rtf
outputs in html format. If output copied to a html file, opens in browser ok.
$ unrtf --text rtfsampletest.rtf 
###  Translation from RTF performed by UnRTF, version 0.21.8 
### font table contains 13 fonts total
### creation date: 24 December 2014 10:22 
### revision date: 
### last printed: 
### comments: LibreOffice

-----------------
Error (line 71): output personality lacks sufficient font size change capability

It can't output my sample rtf test in ASCII characters anymore.

New version resolves the bug (segfault) but produces a regression on my installation.

CC: (none) => olchal

Comment 2 David Walser 2014-12-24 23:55:38 CET 
Thanks Olivier.

Would you mind reporting the regression upstream?
http://savannah.gnu.org/projects/unrtf/

Whiteboard: (none) => feedback

Comment 3 olivier charles 2014-12-25 20:14:36 CET 
(In reply to David Walser from comment #2)
> Thanks Olivier.
> 
> Would you mind reporting the regression upstream?
> http://savannah.gnu.org/projects/unrtf/

Done David !
Comment 4 David Walser 2014-12-25 22:09:00 CET 
Thanks Olivier!

http://savannah.gnu.org/bugs/?43888
Comment 5 David Walser 2015-01-09 01:16:10 CET 
Regression fixed upstream in 0.21.9.

Freeze push requested for Cauldron.

unrtf-0.21.9-1.mga4 from unrtf-0.21.9-1.mga4.src.rpm uploaded for Mageia 4.

Whiteboard: feedback => (none)

Comment 6 Otto Leipälä 2015-01-09 13:04:50 CET 
Testing done with Mga4 64&32 no issues found i validate this.
Sysadmins push to updates.

CC: (none) => ozkyster, sysadmin-bugs
Whiteboard: (none) => MGA4-64-OK MGA4-32-OK

Otto Leipälä 2015-01-09 13:05:08 CET

Keywords: (none) => validated_update

Comment 7 claire robinson 2015-01-09 16:25:33 CET 
Do you want to add anything to the advisory David?
Comment 8 David Walser 2015-01-09 16:26:28 CET 
No, this one's ready to go.  They do need to push it in Cauldron also.
Comment 9 claire robinson 2015-01-09 16:41:28 CET 
Advisory from comment 0 with srpm from comment 5 uploaded.

Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK

Comment 10 Mageia Robot 2015-01-09 17:44:44 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0016.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-12 19:25:38 CET

URL: (none) => http://lwn.net/Vulnerabilities/629243/