Date: Thu, 19 Apr 2012 14:14:47 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security@...ts.openwall.com, officesecurity@...ts.freedesktop.org, Caolán McNamara <caolanm@...hat.com>, Miklos Vajna <vmiklos@...e.cz>, David Tardon <dtardon@...hat.com>, Carlo Di Dato <shinnai@...istici.org> Subject: CVE Request (minor) -- LibreOffice (X >= v3.5.0): DoS (excessive CPU use) in the RTF tokenizer Hello Kurt, Steve, vendors, a denial of service flaw was found in the way the LibreOffice RTF Tokenizer used to resolve certain keywords being present in the Rich Text Format (RTF) document. A remote attacker could provide a specially-crafted RTF file, which once opened by a local, unsuspecting LibreOffice tools suite user would lead to excessive CPU usage by the tool used for opening that file. Upstream bug report:  https://bugs.freedesktop.org/show_bug.cgi?id=48640 Upstream patch (against 3.5 branch):  http://cgit.freedesktop.org/libreoffice/core/commit/?id=51c8c95b2864b49e7bcbd824eacedb5778a758c0&g=libreoffice-3-5 References:  http://didasec.wordpress.com/2012/04/16/libreoffice-3-5-2-2-soffice-exesoffice-bin-memory-corruption/  http://shinnai.altervista.org/exploits/SH-016-20120416.html  http://seclists.org/fulldisclosure/2012/Apr/201  https://bugzilla.redhat.com/show_bug.cgi?id=814223 From investigation of the reproducers provided at:  https://bugs.freedesktop.org/show_bug.cgi?id=48640#c0 ('Crash PoC') the particular error message: terminate called after throwing an instance of 'std::bad_alloc' what(): std::bad_alloc Program received signal SIGABRT, Aborted. 0X00111416 in __kernel_vsyscall () seems to be just standard C++ (STL) error message / exception, that the requested memory allocation failed. From my investigation the relevant process termination in this case is safe from security point of view (standard way how C++ handles memory allocation failures). Though Caolán , Miklos or LibreOffice upstream can clarify further if this should be considered to be a security flaw (due to internal implementation details I am not aware of and might lead to memory corruption announced at ). But as noted earlier, I don't think this is a security flaw, which should get a CVE identifier.  https://bugs.freedesktop.org/show_bug.cgi?id=48640#c1 ('DoS PoC') This one (on LibreOffice >= v.3.5.0 using the new RTF tokenizer implementation) truly leads to denial of service (excessive CPU consumption and hang) while trying to process that RTF file. So this case might be applicable for CVE-2012-* identifier assignment. Kurt, if LibreOffice upstream approves, could you allocate CVE id for the 'RTF Tokenizer resolve keyword DoS / CPU usage issue'  ? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.