Date: Sun, 1 Jan 2017 09:03:26 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, daved@...siol.usyd.edu.au,
	jf@...kes.org, willi@...ian.org, security@...ian.org
Subject: Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_*
 functions

Hi,

On Sat, Dec 31, 2016 at 12:12:14PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> >> I've found a Stack-based buffer overflow in unrtf 0.21.9, which
> >> affects three functions including: cmd_expand, cmd_emboss and
> >> cmd_engrave.
> 
> >> Apparently writing a negative integer to the buffer can trigger the
> >> overflow (Minus sign needs an extra byte).
> 
> > https://bugs.debian.org/849705
> 
> >>> I guess that you can just add a package patch to increase the str[] buffer
> >>> size, something like
> >>> 
> >>> - char str[10];
> >>> + char str[15];
> 
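Review bot: In the `char str[15];` line the new size is still a hard-coded constant, and nothing in this hunk ties it to the widest value that can be written into `str`. The report quoted above attributes the overflow to a negative integer needing one extra byte for the minus sign, so the size should be derived from the integer type being formatted (sign, digits and terminating NUL), or the write into `str` should be bounded by `sizeof(str)` so that an oversized value is truncated or rejected instead of overrunning the stack. The formatting call itself is not part of this hunk, so it is also worth confirming that cmd_expand, cmd_emboss and cmd_engrave all receive the same change.
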
> Use CVE-2016-10091 (for all of the 849705 report).

Upstream patch:
http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406

Regards,
Salvatore
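
The sizing problem described in the quoted report (a minus sign needing one more byte than a fixed `char str[10]` leaves room for), shown as an added example that is not part of the original message and is not UnRTF's code. The names `INT_DEC_BUFSZ`, `dec_bytes_needed` and `format_int_bounded` are hypothetical, and the sample values are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Worst-case bytes for a decimal int: sign + digits + NUL.
 * Each byte of the type yields at most 3 decimal digits (256 < 1000),
 * which over-estimates slightly but never under-estimates. */
#define INT_DEC_BUFSZ (1 + 3 * sizeof(int) + 1)

/* Bytes (including the NUL) that "%d" needs for this value. */
static size_t dec_bytes_needed(int value)
{
    int n = snprintf(NULL, 0, "%d", value);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Format value into dst without ever writing past dst[dstsz - 1].
 * Returns 0 on success, -1 if the value does not fit (dst is then ""). */
static int format_int_bounded(char *dst, size_t dstsz, int value)
{
    int n;

    if (dst == NULL || dstsz == 0)
        return -1;
    n = snprintf(dst, dstsz, "%d", value);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    int samples[] = { 999999999, -99999999, -999999999, INT_MIN };
    char old_buf[10];            /* the size on the '-' line of the patch */
    char sized[INT_DEC_BUFSZ];   /* sized from the type instead */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r_old = format_int_bounded(old_buf, sizeof old_buf, samples[i]);
        int r_new = format_int_bounded(sized, sizeof sized, samples[i]);
        printf("%12d needs %2zu bytes; char[10]: %s; char[%zu]: %s\n",
               samples[i], dec_bytes_needed(samples[i]),
               r_old ? "rejected" : "ok", sizeof sized, r_new ? "rejected" : "ok");
    }
    return 0;
}
```
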
