CVEs have been assigned for some crashing issues in unrtf:
http://openwall.com/lists/oss-security/2014/12/04/15

The issues have been fixed upstream in 0.21.6:
http://openwall.com/lists/oss-security/2014/12/11/11

Update checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
Whiteboard: (none) => MGA4TOO
Updated packages uploaded for Mageia 4 and Cauldron. Advisory to come later. For now, see the thread linked in Comment 0.

unrtf-0.21.6-1.mga4 from unrtf-0.21.6-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)
Testing on Mageia4x32 real hardware

From current package :
----------------------
unrtf-0.21.2-3.mga4

with sample.rtf found on web
$ unrtf sample.rtf
copied the output in sample.html and verified it was ok in browser
$ unrtf --text sample.rtf
which gave output in ASCII text mode

Trying to reproduce PoCs found in Description :
$ echo '{\cb-999999999' >x
$ unrtf x
Produces a segmentation fault
$ perl -e 'print "{" x 100000' > test.rtf
$ unrtf test.rtf
Produces a segmentation fault

To updated testing package :
--------------------------
unrtf-0.21.6-1.mga4

Tried with sample.rtf as before : OK
$ echo '{\cb-999999999' >x2
$ unrtf x2
No segmentation fault anymore.
$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf
Erreur de segmentation

Updated testing package does not solve security bug here.
--------------------------------------------------------
CC: (none) => olchal
Thanks for the procedure Olivier. I can reproduce the segfault with the second PoC indeed, adding the feedback marker for now.
CC: (none) => remi
Whiteboard: (none) => has_procedure feedback
@David: There seems to be a 0.21.7 version upstream, published 3 days after 0.21.6: http://ftp.gnu.org/gnu/unrtf/

The changelog is not really helpful since it seems messed up (no reference to the security issues that should have been fixed by 0.21.6):
---
0.21.6:
- improved man page
- improved USAGE string
- fix to attr.c for clang compilation

0.21.7:
- improved code for creation of image files when RTF files containing images processed
- prevent segmentation violations with RTF input containing corrupt \info content
---

I built it locally (cauldron) and can still reproduce the segfault with:
$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf
Thanks Rémi. Olivier confirmed that "echo '{\cb-999999999' >x" is fixed, and that is CVE-2014-9274.

The PoC for the CVE-2014-9275 issues is the tarball linked here:
https://lists.gnu.org/archive/html/bug-unrtf/2014-11/msg00000.html

I don't believe the "perl -e 'print "{" x 100000'" issue has a CVE or a fix yet.

I've asked for a freeze push for 0.21.7 and will push it for Mageia 4 once that's done.
unrtf-0.21.7-1.mga4 is uploaded. Please test :o)
Whiteboard: has_procedure feedback => has_procedure
Further testing on Mageia4x32 real hardware

With current unrtf-0.21.2-3.mga4 :
--------------------------------
using the tarball mentioned by David in Comment 5 (https://lists.gnu.org/archive/html/bug-unrtf/2014-11/msg00000.html) where I found 5 files (+logfiles).
The 2 last files created segmentation faults, the 3 others giving no problem.

Updated to latest testing package :
---------------------------------
unrtf-0.21.7-1.mga4.i586
None of the files found in tarball gave segfaults anymore.
$ echo '{\cb-999999999' >x2
$ unrtf x2
No segmentation fault
$ perl -e 'print "{" x 100000' > test2.rtf
$ unrtf test2.rtf
Still a segmentation fault but I understand it was expected since that bug isn't addressed in present package.
$ unrtf sample.rtf (from file found on the web from my previous testing)
still worked OK

So this is OK, keeping in mind that this package solves all but one issue and produces no regression from my testing.
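The QA procedures in Olivier's two comments above run the same two crash inputs by hand and read the shell's "segmentation fault" message. The script below is an added regression harness (not from this bug thread or the unrtf project) that rebuilds those inputs and classifies how the binary terminates, so the check can be repeated against any package build. Assumptions: the binary under test is named by the UNRTF variable (default `unrtf`), awk stands in for the thread's perl one-liner, and SIGSEGV is signal 11, which the shell reports as exit status 139.

```shell
#!/bin/sh
# Added regression harness for the unrtf crash inputs quoted in this bug.
# Assumptions: UNRTF is the binary under test; awk replaces the perl
# one-liner from the thread; SIGSEGV = signal 11, reported as status 139.
UNRTF="${UNRTF:-unrtf}"

# Write the two PoC inputs from the thread into directory $1.
make_inputs() {
  dir="$1"
  # '{\cb-999999999': the CVE-2014-9274 input, fixed in 0.21.6
  printf '{\\cb-999999999' > "$dir/cb.rtf"
  # 100000 unmatched '{': the input that still crashes 0.21.7 here
  awk 'BEGIN { for (i = 0; i < 100000; i++) printf "{" }' > "$dir/braces.rtf"
}

# Run a command, discard its output and print how it ended:
# "ok", "segfault", "signal:N" or "exit:N". Safe under `set -e`.
classify() {
  rc=0
  "$@" >/dev/null 2>&1 || rc=$?
  if [ "$rc" -eq 0 ]; then echo ok
  elif [ "$rc" -eq 139 ]; then echo segfault
  elif [ "$rc" -gt 128 ]; then echo "signal:$((rc - 128))"
  else echo "exit:$rc"
  fi
}

# Feed every PoC to $UNRTF; return 1 if any input still segfaults.
check_all() {
  dir=$(mktemp -d) || return 2
  make_inputs "$dir"
  fail=0
  for f in "$dir"/*.rtf; do
    result=$(classify "$UNRTF" "$f")
    echo "$(basename "$f"): $result"
    if [ "$result" = segfault ]; then fail=1; fi
  done
  rm -rf "$dir"
  return "$fail"
}

# Stand-alone run: report per-input results and flag any remaining crash.
check_all || echo "FAIL: $UNRTF still crashes on at least one input" >&2
```

With unrtf-0.21.7 as tested in the thread, cb.rtf should report "ok" while braces.rtf still reports "segfault".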
Adding the OK from Olivier's test in comment 7.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
MGA4-64 on HP Probook 6555b

Confirm results of handling files x2 and sample.rtf as in Comment 7
CC: (none) => herman.viaene
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
This one needs an advisory please too
Advisory:
========================

Updated unrtf package fixes security vulnerabilities:

Michal Zalewski reported an out-of-bounds memory access vulnerability in unrtf. Processing a malformed RTF file could lead to a segfault while accessing a pointer that may be under the attacker's control. This would lead to a denial of service (application crash) or, potentially, the execution of arbitrary code (CVE-2014-9274).

Hanno Böck also reported a number of other crashes in unrtf (CVE-2014-9275).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9275
https://bugzilla.redhat.com/show_bug.cgi?id=1170233
Thanks, uploaded as above with srpm from comment 6.

Validating. Could sysadmin please push to 4 updates. Thanks
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0533.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
FYI, I'm waiting for a freeze push in Cauldron for 0.21.8. I believe it's supposed to fix the remaining issue.
URL: (none) => http://lwn.net/Vulnerabilities/627408/