Date: Sun, 1 Jan 2017 09:03:26 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com, daved@...siol.usyd.edu.au, jf@...kes.org, willi@...ian.org, security@...ian.org Subject: Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions Hi, On Sat, Dec 31, 2016 at 12:12:14PM -0500, cve-assign@...re.org wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > >> I've found a Stack-based buffer overflow in unrtf 0.21.9, which > >> affects three functions including: cmd_expand, cmd_emboss and > >> cmd_engrave. > > >> Apparently writing a negative integer to the buffer can trigger the > >> overflow (Minus sign needs an extra byte). > > > https://bugs.debian.org/849705 > > >>> I guess that you can just add a package patch to increate the str buffer > >>> size, something like > >>> > >>> - char str; > >>> + char str; > > Use CVE-2016-10091 (for all of the 849705 report). Upstream patch: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ