A CVE has been assigned for a security issue in unrtf: http://openwall.com/lists/oss-security/2016/12/31/3 A patch is being worked on by Debian, but is not yet complete as of right now: https://bugs.debian.org/849705
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
A completed upstream patch has been linked from this message: http://openwall.com/lists/oss-security/2017/01/01/1
An updated package for Cauldron has been submitted.

Testing procedure for mga5 might be found here:
https://bugs.mageia.org/show_bug.cgi?id=14882#c1
https://bugs.mageia.org/show_bug.cgi?id=14783#c2

Patched package uploaded for Mageia 5.

Advisory:
========================
Updated unrtf package fixes security vulnerability:

A Stack-based buffer overflow has been found in unrtf 0.21.9, which affects functions including cmd_expand, cmd_emboss and cmd_engrave.

References:
http://openwall.com/lists/oss-security/2017/01/01/1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
========================

Updated packages in core/updates_testing:
========================
unrtf-0.21.9-1.1.mga5
unrtf-debuginfo-0.21.9-1.1.mga5

from unrtf-0.21.9-1.1.mga5.src.rpm
CC: (none) => mrambo
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => has_procedure
Just adding the missing CVE into the advisory...

Advisory:
========================
Updated unrtf package fixes security vulnerability:

A Stack-based buffer overflow has been found in unrtf 0.21.9, which affects functions including cmd_expand, cmd_emboss and cmd_engrave (CVE-2016-10091).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
http://openwall.com/lists/oss-security/2017/01/01/1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
Started looking at this for x86_64. The testing procedure referred to in comment 3 can be used to show that the package works before and after updating, but there is a PoC for the current CVE which seems to trigger the bug before updating anyway. More later.
CC: (none) => tarazed25
Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705

The PoC requires a file containing the line
\expnd-400000000
Call this poc and attempt to convert it to html.

$ unrtf poc
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
*** buffer overflow detected ***: unrtf terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7238e)[0x7f919be3938e]
............
7fffcf998000-7fffcf99a000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted

Update unrtf. Could not locate unrtf-debuginfo.

$ unrtf poc
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
</head>
<body><span style="letter-spacing: -100000000"></span></body>
</html>
Found unrtf-debuginfo and installed it from a local rpm. Repeated the PoC test with the same result. Good for 64-bits.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
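An added example, not code from unrtf or from the upstream patch: a bounded way to format a control word's numeric parameter, using the before/after PoC output quoted above as the test case. It assumes the overflow class is "integer parameter formatted into a small fixed stack buffer"; the division by 4 is inferred from the PoC input and the patched output, and SMALL_BUF, format_scaled and emit_letter_spacing are hypothetical names and sizes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size: a stack buffer sized for "typical" parameter values. */
#define SMALL_BUF 10

/* Format param/4 as decimal into dst (capacity cap bytes, including the NUL).
 * Returns the number of characters written, or -1 if the text would not fit.
 * snprintf never writes past cap; comparing its return value with cap is
 * what turns silent truncation into an explicit error. */
static int format_scaled(char *dst, size_t cap, int param)
{
    int n = snprintf(dst, cap, "%d", param / 4);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            dst[0] = '\0';          /* leave no partial number behind */
        return -1;
    }
    return n;
}

/* Build the span that the patched PoC run prints. Returns 0 on success,
 * -1 if either the number or the whole tag does not fit. */
static int emit_letter_spacing(char *out, size_t out_cap, int param)
{
    char num[16];                   /* sign + 10 digits + NUL fits any 32-bit int */
    if (format_scaled(num, sizeof num, param) < 0)
        return -1;
    int n = snprintf(out, out_cap, "<span style=\"letter-spacing: %s\">", num);
    return (n < 0 || (size_t)n >= out_cap) ? -1 : 0;
}

int main(void)
{
    int poc_param = -400000000;     /* value from the PoC line \expnd-400000000 */
    char small[SMALL_BUF], tag[64];

    /* "-100000000" is 10 characters plus NUL: one byte too many for small[]. */
    if (format_scaled(small, sizeof small, poc_param) < 0)
        puts("small buffer: rejected instead of overflowing");

    if (emit_letter_spacing(tag, sizeof tag, poc_param) == 0)
        printf("%s</span>\n", tag);
    return 0;
}
```

The "*** buffer overflow detected ***" abort in the unpatched run is glibc's fortify check terminating the process; it limits the damage but the fix still has to bound the write, as above.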
Ran these tests for i586 in virtualbox, installing just unrtf. The poc file gave the same results as the tests in comment 6. Passing this for 32-bits.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
Forgot to report the first test on 64-bit machine. Downloaded the sample RTF file provided by Olivier Charles on bug 14783 as indicated in comment 3 here. Running that under unrtf produced an HTML version which displayed correctly in the browser. Repeated that after the update:

$ unrtf rtfsampletest.rtf > sampletest.html

All OK.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory from comments 3 & 4.
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0007.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => https://lwn.net/Vulnerabilities/710899/