Bug 62767 (CVE-2004-0645)

Summary:	VUL-0: CVE-2004-0645: abiword2: buffer overflow
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Thomas Biege <thomas>
Component:	Incidents	Assignee:	Marcus Meissner <meissner>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	gnome-bugs, mls, nadvornik, patch-request, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2004-0645: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	wv-1.0.0-fix_overflow.patch wv-0.7.2+-fix_overflow.patch wv-0.7.2+-fix_overflow.patch wv.patch.box

Description Thomas Biege 2004-10-29 14:46:16 UTC

Hello, 
do we have this one fixed already? 
 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0645

Comment 1 Thomas Biege 2004-10-29 14:46:16 UTC

<!-- SBZ_reproduce  -->
-

Comment 2 Ludwig Nussel 2004-11-10 23:53:43 UTC

ping

Comment 3 Stanislav Brabec 2004-11-11 22:08:53 UTC

Created attachment 26006 [details]
wv-1.0.0-fix_overflow.patch

Gentoo Linux patch. I am applying it to abiword and wv packages.

Comment 4 Stanislav Brabec 2004-11-11 22:27:30 UTC

Patch submitted for:

abiword in stable-all, sles9-sld, PLUS, 9.2-all, 9.1-all, 8.2-all

abiword2 in 9.0-all

wv in stable-all, 9.2-all, 9.1-all, 9.0-all

Needs further research: abiword in 8.1-all

Comment 5 Marcus Meissner 2004-11-11 23:01:00 UTC

abiword was not on NLD. 
 
I created patchinfos for abiword and abiword2. 
 
I still include 8.1 ... please tell me if I should remove it.

Comment 6 Stanislav Brabec 2004-11-11 23:13:40 UTC

Created attachment 26014 [details]
wv-0.7.2+-fix_overflow.patch

Suggested patch for 8.1. Please review. Version in this abiword is declared as
0.7.2 (which does not need the patch), but in reality it is different from
0.7.2.

In wv-0.7.2, the whole patch can be -R applied, but here not.

Comment 7 Stanislav Brabec 2004-11-11 23:19:20 UTC

abiword package for 8.1 submitted.

Comment 8 Marcus Meissner 2004-11-11 23:24:48 UTC

is there any check for consumed in this patch at all?  
 
you just set and increment it, but never check it.

Comment 9 Stanislav Brabec 2004-11-11 23:35:26 UTC

This is in >8.1, but not 8.1. Fixing.

/* the '11' is the max width of an integer (10 digits for '4 billion') + nul */
    while (*token && (consumed < (TIMESTR_SIZE - 11)))

Comment 10 Stanislav Brabec 2004-11-11 23:55:40 UTC

Created attachment 26021 [details]
wv-0.7.2+-fix_overflow.patch

Second version of patch for 8.1.

Comment 11 Marcus Meissner 2004-11-12 16:50:48 UTC

patch looks good.

Comment 12 Stanislav Brabec 2004-11-12 19:39:07 UTC

Submitted 8.1 with new patch. Reassigning.

Comment 13 Michael Schröder 2004-11-16 01:31:25 UTC

Patchinfos?

Comment 14 Marcus Meissner 2004-11-16 03:55:40 UTC

already in done/PATCHINFO 
 
-rw-r--r--  1 meissner suse 457 2004-11-15 
18:02 /work/src/done/PATCHINFO/abiword2.patch.box 
-rw-r--r--  1 meissner suse 492 2004-11-15 
18:02 /work/src/done/PATCHINFO/abiword.patch.box 
 
?

Comment 15 Stanislav Brabec 2004-11-16 18:18:31 UTC

Please create also patchinfo for wv, which exists as stand-alone package, too.
The same bug, the same patch.

We have also wv2 package, but it seems to be code rewrite.

Comment 16 Marcus Meissner 2004-11-17 18:41:29 UTC

? we already released a security update for wv and wv2 some monmtghs ago to 
fix this issue.... didn't we?

Comment 17 Marcus Meissner 2004-11-17 19:13:08 UTC

suse bugzilla #45094

Comment 18 Stanislav Brabec 2004-11-18 19:45:01 UTC

Bug 60094 was about wv-0.7.2 and fixed for 8.1 and 8.2, now the patch was
applied for stable-all, 9.2-all, 9.1-all, 9.0-all (CAN-2004-0645: wv library
(wvWare) 0.7.4 through 0.7.6 and 1.0.0).

Comment 19 Michael Schröder 2004-11-22 23:24:43 UTC

Patchinfos for wv?

Comment 20 Marcus Meissner 2004-11-22 23:35:35 UTC

will do.

Comment 21 Marcus Meissner 2004-11-22 23:41:40 UTC

Created attachment 26305 [details]
wv.patch.box

Comment 22 Michael Schröder 2004-11-23 02:33:30 UTC

Packages checked in.

Hmm, on the other hand, are you really sure that this is correct?

@@ -197,6 +202,7 @@
                  case 1:
                      consumed += sprintf (temp, "%d", current->tm_hour);
                      strcat (timestr, temp);
+                     consumed += strlen (temp);
                      break;
                  default:
                      strcat (timestr, "%H");
@@ -212,6 +218,7 @@
                  case 1:
                      consumed += sprintf (temp, "%d", current->tm_min);
                      strcat (timestr, temp);
+                     consumed += strlen (temp);
                      break;
                  default:
                      strcat (timestr, "%M");

It seems to me that the length is added twice to consumed...

Comment 23 Thomas Biege 2004-11-23 16:02:20 UTC

Adding a check to verify the return value of sprintf() will also avoid 
'consumed' to be decremented in the case of an error.

Comment 24 Michael Schröder 2004-11-23 18:20:13 UTC

What does that mean? Shouldn't the patch above remove consumed += from the
sprintf line then?

Comment 25 Michael Schröder 2004-11-23 18:20:57 UTC

And isn't strlen(temp) undefined if sprintf returns -1?

Comment 26 Vladimir Nadvornik 2004-11-23 18:43:06 UTC

This looks like the same patch as in bug 60094  
The result of the discussion there was that a half of the patch is wrong and 
the rest is not necessary.

Comment 27 Michael Schröder 2004-11-23 18:55:31 UTC

Hmm, what now? Will you resubmit wv with a fixed patch?

Comment 28 Vladimir Nadvornik 2004-11-23 22:19:52 UTC

IMHO the only problem that might need fixing is the negative return 
from sprintf. Can it happen?

Comment 29 Thomas Biege 2004-11-24 18:32:51 UTC

Just in the case if 'temp' is NULL or something is wrong with 'current->tm_*' 
AFAIK.

Comment 30 Vladimir Nadvornik 2004-11-24 19:07:52 UTC

Temp is declared as this: 
char temp[64]; 
 
current->tm_* comes from localtime and according to man page it is  
in range 0 to 59 or similar. 
 
IMHO wv is good as is, without any patch.

Comment 31 Marcus Meissner 2004-11-24 19:09:33 UTC

the slightly off byte count (always larger) can be ignored. 
 
please proceed as planned.

Comment 32 Michael Schröder 2004-11-24 19:39:18 UTC

Vladimir, I think you're right. I don't know why the secteam wrote that patch,
it is 1) broken and 2) fixes nothing. I guess I shouldn't have checked in those
wv packages. Should I revert them to the original version?

Comment 33 Stanislav Brabec 2004-11-24 19:58:45 UTC

This is a Gentoo secteam work.

Comment 34 Marcus Meissner 2004-11-25 00:40:37 UTC

i reviewed the patch for wv together with mls, it does not change behaviour at 
all. The "%d" strings all print values of months or hours, which are either 1 
or 2 characters, the rest changes are not needed at all. 
 
mls reverted the "fixes" in autobuild. 
 
I have approved the patchinfos for abiword and abiword2.

Comment 35 Stanislav Brabec 2004-11-25 00:45:17 UTC

But all three packages (abiword1, abiword2 and wv) use the same patch. Only
abiword in 8.1-all has different one. Is the code in abiword* sources different?

Comment 36 Marcus Meissner 2004-11-25 01:06:22 UTC

*sigh* 
 
Yes, I looked through all the abiwords we had and this is the case, 
only 8.1 has real problems.

Comment 37 Thomas Biege 2009-10-13 19:56:35 UTC

CVE-2004-0645: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)