Date: Wed, 20 Feb 2013 22:38:11 +0200
From: Milen Rangelov <>
Subject: Minor problem in ODF format


While working on my odf plugin and using the jtr format as a reference, I
noticed a minor problem that could cause false negatives with some

Problem is here:

    BF_set_key(&bf_key, cur_salt->key_size, key);
    BF_cfb64_encrypt(cur_salt->content, output, 1024, &bf_key, ivec,
                     &bf_ivec_pos, 0);
    SHA1_Update(&ctx, output, 1024);
    SHA1_Final((unsigned char*)crypt_out[index], &ctx);

With certain documents (very small in size, e.g. just 1-2 short
paragraphs) it is possible that the size of content.xml is less than
1024 bytes, and in that case there is no need to decrypt 1024 bytes and
hash the result because the actual size is less than that (decryption
is OK, but hashing would definitely produce a wrong result).

This can cause more problems earlier in the parsing code though
because we're reading out of bounds:

    p = strtok(NULL, "*");
    for (i = 0; i < 1024; i++)
        cs.content[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16
                      + atoi16[ARCH_INDEX(p[i * 2 + 1])];

This is a minor problem, yet quite easy to fix.
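
A bounded version of the hex-parsing step described above, as an added example that is not part of the original message or of the John the Ripper source. The names `decode_content`, `hex_val` and `CONTENT_MAX` are hypothetical, and rejecting fields longer than 1024 bytes is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CONTENT_MAX 1024  /* size of the content buffer in the quoted code */

/* Map one hex digit to its value, or -1 if it is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode a hex field into out[] without reading past the end of the token
 * and without writing more than CONTENT_MAX bytes. Returns the number of
 * bytes decoded, or -1 if the field is missing, empty, odd-length,
 * non-hex, or longer than the buffer.
 */
int decode_content(const char *hex, unsigned char out[CONTENT_MAX])
{
    size_t n, i;

    if (hex == NULL)                 /* strtok() found no further field */
        return -1;
    n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > CONTENT_MAX)
        return -1;
    for (i = 0; i < n / 2; i++) {
        int hi = hex_val(hex[2 * i]);
        int lo = hex_val(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (unsigned char)(hi * 16 + lo);
    }
    return (int)(n / 2);
}

int main(void)
{
    unsigned char buf[CONTENT_MAX];
    /* Constructed sample: a 4-byte content field, far shorter than 1024. */
    int len = decode_content("deadbeef", buf);

    /* len, not 1024, is the size to pass to the decrypt and SHA-1 calls. */
    printf("decoded %d bytes\n", len);
    return len == 4 ? 0 : 1;
}
```

The returned length would be stored alongside the content in the salt so that the decrypt and hash calls use it in place of the constant 1024.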

