Bug 14783 - unrtf new security issues CVE-2014-9274 and CVE-2014-9275
Summary: unrtf new security issues CVE-2014-9274 and CVE-2014-9275
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627408/
Whiteboard: has_procedure advisory MGA4-32-OK MG...
Keywords: validated_update
Depends on:
Reported: 2014-12-11 21:09 CET by David Walser
Modified: 2014-12-23 18:29 CET (History)
4 users (show)

See Also:
Source RPM: unrtf-0.21.5-3.mga5.src.rpm
Status comment:


Description David Walser 2014-12-11 21:09:05 CET
CVEs have been assigned for some crashing issues in unrtf:

The issues have been fixed upstream in 0.21.6:

Update checked into Mageia 4 and Cauldron SVN.

Freeze push requested for Cauldron.


Steps to Reproduce:
David Walser 2014-12-11 21:09:14 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-12-14 13:41:23 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory to come later.  For now, see the thread linked in Comment 0.


from unrtf-0.21.6-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 2 olivier charles 2014-12-14 18:06:48 CET
Testing on Mageia4x32 real hardware

From current package : 


with sample.rtf found on web

$ unrtf sample.rtf
copied the output in sample.html and verified it was ok in browser
$ unrtf --text sample.rtf
which gave output in ASCII text mode

Trying to reproduce PoCs found in Description :

$ echo '{\cb-999999999' >x
$ unrtf x
Produces a segmentation fault

$ perl -e 'print "{" x 100000' > test.rtf
$ unrtf test.rtf
Produces a segmentation fault

To updated testing package :


Tried with sample.rtf as before : OK

$ echo '{\cb-999999999' >x2
$ unrtf x2
No segmentation fault anymore.

$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf 
Erreur de segmentation

Updated testing package does not solve security bug here.

CC: (none) => olchal

Comment 3 Rémi Verschelde 2014-12-14 18:25:05 CET
Thanks for the procedure Olivier.

I can reproduce the segfault with the second PoC indeed, adding the feedback marker for now.

CC: (none) => remi
Whiteboard: (none) => has_procedure feedback

Comment 4 Rémi Verschelde 2014-12-14 18:40:35 CET
@David: There seems to be a 0.21.7 version upstream, published 3 days after 0.21.6: http://ftp.gnu.org/gnu/unrtf/

The changelog is not really helpful since it seems messed up (no reference to the security issues that should have been fixed by 0.21.6):

      - improved man page
      - improved USAGE string
      - fix to attr.c for clang compilation
      - improved code for creation of image files when RTF files containing
        images processed
      - prevent segmentation violations with RTF input containing corrupt
        \info content

I built it locally (cauldron) and can still reproduce the segfault with:
$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf
Comment 5 David Walser 2014-12-15 22:05:41 CET
Thanks Rémi.

Olivier confirmed that "echo '{\cb-999999999' >x" is fixed, and that is CVE-2014-9274.

The PoC for the CVE-2014-9275 issues is the tarball linked here:

I don't believe the "perl -e 'print "{" x 100000'" issue has a CVE or a fix yet.

I've asked for a freeze push for 0.21.7 and will push it for Mageia 4 once that's done.
Comment 6 David Walser 2014-12-16 13:29:19 CET
unrtf-0.21.7-1.mga4 is uploaded.  Please test :o)

Whiteboard: has_procedure feedback => has_procedure

Comment 7 olivier charles 2014-12-16 14:40:13 CET
Further testing on Mageia4x32 real hardware

With current unrtf-0.21.2-3.mga4 :

using the tarball mentionned by David in Comment 5
where I found 5 files (+logfiles).
The 2 last files created segmentation faults, the 3 others giving no problem.

Updated to latest testing package :

None of the files found in tarball gave segfaults anymore.

$ echo '{\cb-999999999' >x2
$ unrtf x2
No segmentation fault

$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf 
Still a segmentation fault but I understand it was expected since that bug isn't adressed in present package.

$ unrtf sample.rtf
(from file found on the web from my previous testing)
still worked OK

So this is OK, keeping in mind that this package solves all but one issue and produces no regression from my testing.
Comment 8 Rémi Verschelde 2014-12-16 20:49:09 CET
Adding the OK from Olivier's test in comment 7.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 9 Herman Viaene 2014-12-18 15:12:08 CET
MGA4-64 on HP Probook 6555b
Confirm results of handling files x2 and sapmle.rtf as in Comment 7

CC: (none) => herman.viaene

Herman Viaene 2014-12-18 15:12:27 CET

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 10 claire robinson 2014-12-18 22:34:08 CET
This one needs an advisory please too
Comment 11 David Walser 2014-12-18 22:45:05 CET

Updated unrtf package fixes security vulnerabilities:

Michal Zalewski reported an out-of-bounds memory access vulnerability in
unrtf.  Processing a malformed RTF file could lead to a segfault while
accessing a pointer that may be under the attacker's control.  This would
lead to a denial of service (application crash) or, potentially, the
execution of arbitrary code (CVE-2014-9274).

Hanno Böck also reported a number of other crashes in unrtf (CVE-2014-9275).

Comment 12 claire robinson 2014-12-18 23:03:55 CET
Thanks, uploaded as above with srpm from comment 6


Could sysadmin please push to 4 updates


Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2014-12-19 16:07:19 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Comment 14 David Walser 2014-12-23 18:29:02 CET
FYI, I'm waiting for a freeze push in Cauldron for 0.21.8.  I believe it's supposed to fix the remaining issue.

URL: (none) => http://lwn.net/Vulnerabilities/627408/

Note You need to log in before you can comment on or make changes to this bug.