| Summary: | unrtf new security issue CVE-2016-10091 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, marja11, mhrambo3501, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/710899/ | ||
| Whiteboard: | has_procedure MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | unrtf-0.21.9-2.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2016-12-31 19:11:45 CET
David Walser
2016-12-31 19:11:57 CET
Whiteboard: (none) => MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11

A completed upstream patch has been linked from this message:
http://openwall.com/lists/oss-security/2017/01/01/1

An updated package for Cauldron has been submitted.

Testing procedure for mga5 might be found here:
https://bugs.mageia.org/show_bug.cgi?id=14882#c1
https://bugs.mageia.org/show_bug.cgi?id=14783#c2

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated unrtf package fixes security vulnerability:

A Stack-based buffer overflow has been found in unrtf 0.21.9, which affects functions including cmd_expand, cmd_emboss and cmd_engrave.

References:
http://openwall.com/lists/oss-security/2017/01/01/1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
========================

Updated packages in core/updates_testing:
========================
unrtf-0.21.9-1.1.mga5
unrtf-debuginfo-0.21.9-1.1.mga5

from unrtf-0.21.9-1.1.mga5.src.rpm

CC: (none) => mrambo

Just adding the missing CVE into the advisory...

Advisory:
========================

Updated unrtf package fixes security vulnerability:

A Stack-based buffer overflow has been found in unrtf 0.21.9, which affects functions including cmd_expand, cmd_emboss and cmd_engrave (CVE-2016-10091).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
http://openwall.com/lists/oss-security/2017/01/01/1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705

Started looking at this for x86_64. The testing procedure referred to in comment 3 can be used to show that the package works before and after updating but there is a PoC for the current CVE which seems to trigger the bug before updating anyway. More later.

CC: (none) => tarazed25

Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705

The PoC requires a file containing the line

```
\expnd-400000000
```

Call this poc and attempt to convert it to html.

```
$ unrtf poc
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
*** buffer overflow detected ***: unrtf terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7238e)[0x7f919be3938e]
............
7fffcf998000-7fffcf99a000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
```

Update unrtf. Could not locate unrtf-debuginfo.

```
$ unrtf poc
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
</head>
<body><span style="letter-spacing: -100000000"></span></body>
</html>
```

Found unrtf-debuginfo and installed it from a local rpm. Repeated the PoC test with the same result.
Good for 64-bits.
Len Lawrence
2017-01-04 22:00:28 CET
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Ran these tests for i586 in virtualbox, installing just unrtf. The poc file gave the same results as the tests in comment 6. Passing this for 32-bits.
Len Lawrence
2017-01-04 22:10:00 CET
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Forgot to report the first test on 64-bit machine. Downloaded the sample RTF file provided by Olivier Charles on bug 14783 as indicated in comment 3 here. Running that under unrtf produced an HTML version which displayed correctly in the browser. Repeated that after the update:

```
$ unrtf rtfsampletest.rtf > sampletest.html
```

All OK.
Len Lawrence
2017-01-05 08:24:27 CET
Keywords: (none) => validated_update

Advisory from comments 3 & 4.

CC: (none) => lewyssmith

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0007.html

Status: NEW => RESOLVED
David Walser
2017-01-06 23:30:11 CET
URL: (none) => https://lwn.net/Vulnerabilities/710899/
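
Why the PoC parameter quoted in the thread overflows, as an added example (not unrtf's code and not part of this bug report). It assumes the parameter is divided by 4, as the post-update output `letter-spacing: -100000000` suggests, and written with an unbounded `sprintf` into a small stack buffer. The 10-byte size and the names `bytes_needed`, `format_spacing` and `poc_fits` are assumptions for illustration.

```c
#include <limits.h>
#include <stdio.h>

#define ASSUMED_BUF 10          /* assumption: fixed stack buffer size, not stated in the thread */
#define POC_PARAM  (-400000000) /* parameter from the PoC line quoted in the thread */

/* Bytes needed to store value as decimal text, including the NUL. */
int bytes_needed(int value)
{
    return snprintf(NULL, 0, "%d", value) + 1;
}

/* Assumed vulnerable shape (shown as a comment only, not compiled):
 *     char str[ASSUMED_BUF];
 *     sprintf(str, "%d", param / 4);    no bound on what is written
 */

/* Hardened shape: bounded write; returns 0 on success, -1 if it would not fit. */
int format_spacing(char *dst, size_t dstlen, int param)
{
    int n = snprintf(dst, dstlen, "%d", param / 4);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0)
            dst[0] = '\0';   /* never hand back truncated text */
        return -1;
    }
    return 0;
}

/* 1 if the PoC parameter formats safely into a buffer of buflen bytes. */
int poc_fits(size_t buflen)
{
    char buf[32];
    if (buflen > sizeof buf)
        buflen = sizeof buf;
    return format_spacing(buf, buflen, POC_PARAM) == 0;
}

int main(void)
{
    printf("PoC text needs %d bytes, assumed buffer has %d\n",
           bytes_needed(POC_PARAM / 4), ASSUMED_BUF);
    printf("fits in %d bytes: %d\n", ASSUMED_BUF, poc_fits(ASSUMED_BUF));
    printf("worst-case int needs %d bytes\n", bytes_needed(INT_MIN));
    printf("fits in 12 bytes: %d\n", poc_fits(12));
    return 0;
}
```

A 12-byte buffer holds any 32-bit `int` in decimal, but the bounded write with a return-value check is what keeps the conversion safe if the format or type later changes.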