Bug 118546 (CVE-2005-2971)

Summary: VUL-0: CVE-2005-2971: koffice rtf import filter vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: dmueller, mls, security-team, wstephenson
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-2971: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2005-09-23 07:50:19 UTC 
From: Chris Evans <scarybeasts@gmail.com> 
Reply-To: Chris Evans <scarybeasts@gmail.com> 
To: vendor-sec@lst.de, security@kde.org 
Subject: [vendor-sec] Koffice RTF import vulnerability 
Errors-To: vendor-sec-admin@lst.de 
Date: Thu, 22 Sep 2005 17:39:16 +0100 
 
Hi, 
 
Advisory appended below. 
Release date is "whenever it's fixed". 
Might be worth running the rest of the test suite referenced. 
 
Cheers 
Chris 
 
CESA-2005-005 - rev 1 
 
KWord RTF import heap corruption 
================================ 
 
Programs affected: KWord 
Severity: Possible arbitrary code execution. 
Discovered date: ForgottenVendor notified date: Sep 22nd 2005 
 
Demo RTF: http://scary.beasts.org/misc/out27.rtf 
(Simple RTF fuzz test suite at http://scary.beasts.org/misc/badrtfs.tar.bz2) 
 
rpm -q koffice-kword 
koffice-kword-1.4.1-4.fc4 
 
Resultant stack trace: 
 
(gdb) bt 
#0  0x06d0706c in _int_malloc () from /lib/libc.so.6 
#1  0x06d08492 in malloc () from /lib/libc.so.6 
#2  0x06aaef56 in operator new () from /usr/lib/libstdc++.so.6 
#3  0x06aaf06d in operator new[] () from /usr/lib/libstdc++.so.6 
#4  0x012d18b9 in QString::setLength () from /usr/lib/qt-3.3/lib/libqt-mt.so.3 
#5  0x012d1a28 in QString::grow () from /usr/lib/qt-3.3/lib/libqt-mt.so.3 
#6  0x012d8143 in QString::operator+= () 
from /usr/lib/qt-3.3/lib/libqt-mt.so.3 
#7  0x007466f9 in RTFImport::convert () from /usr/lib/kde3/librtfimport.so 
 
CESA-2005-005 - rev 1 
Chris Evans 
scarybeasts@gmail.com
Comment 1 Marcus Meissner 2005-09-23 07:51:01 UTC 
dirk, you can handle this for KDE too.
Comment 2 Will Stephenson 2005-09-23 13:31:06 UTC 
I'll check the RTF parser in Kopete against this input too.
Comment 3 Marcus Meissner 2005-09-26 11:50:51 UTC 
SWAMPID: 2380
Comment 4 Will Stephenson 2005-09-26 12:05:15 UTC 
out27.rtf is successfully rejected by Kopete's RTF parser as an unparseable  
message.  Takes a while, but no crash.
Comment 5 Dirk Mueller 2005-09-27 08:46:45 UTC 
thanks! are you aware of any other rtf parser somewhere in our SVN? Can't find 
anything else..
Comment 6 Dirk Mueller 2005-10-05 18:49:25 UTC 
affected products:  
 
10.0, 9.3, 9.2, 9.1, 9.0 
 
SLES9, SLES8, SLES8-SLC 
 
on all architectures
Comment 7 Dirk Mueller 2005-10-05 18:55:09 UTC 
ok, forget the last comment.   
  
affected products:   
 
 10.0, 9.3, 9.2, 9.1, 9.0  
 
SLES8-SLC 
 
on all architectures
Comment 8 Dirk Mueller 2005-10-05 22:17:19 UTC 
CAN-2005-2971
Comment 9 Dirk Mueller 2005-10-05 22:17:33 UTC 
CESA-2005-005
Comment 10 Dirk Mueller 2005-10-05 23:03:27 UTC 
updates submitted. ETA disclosure date 10/10/2005
Comment 12 Marcus Meissner 2005-10-06 14:11:19 UTC 
 
patchinfos are missing too (mls complained ;)
Comment 13 Marcus Meissner 2005-10-06 17:05:34 UTC 
CAN-2005-2971
Comment 14 Marcus Meissner 2005-10-18 11:45:15 UTC 
I forgot the patchinfos ... sorry. submitted now.
Comment 15 Ludwig Nussel 2005-10-26 14:36:36 UTC 
debian has just issued an advisory. SWAMP has CRD 7.11., who is correct now?
Comment 16 Dirk Mueller 2005-10-26 14:43:05 UTC 
there was no coordinated release date as far as I know. KDE has published the advisory on October 11th.
Comment 17 Ludwig Nussel 2005-10-26 14:51:31 UTC 
auch gut... updates released.
Comment 18 Thomas Biege 2009-10-13 21:36:30 UTC 
CVE-2005-2971: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)