Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 19 Apr 2012 14:14:47 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com, officesecurity@...ts.freedesktop.org,
        Caolán McNamara
 <caolanm@...hat.com>,
        Miklos Vajna <vmiklos@...e.cz>, David Tardon <dtardon@...hat.com>,
        Carlo Di Dato <shinnai@...istici.org>
Subject: CVE Request (minor) -- LibreOffice (X >= v3.5.0): DoS (excessive
 CPU use) in the RTF tokenizer

Hello Kurt, Steve, vendors,

   a denial of service flaw was found in the way the LibreOffice RTF Tokenizer
used to resolve certain keywords being present in the Rich Text Format (RTF)
document. A remote attacker could provide a specially-crafted RTF file, which
once opened by a local, unsuspecting LibreOffice tools suite user would lead to
excessive CPU usage by the tool used for opening that file.

Upstream bug report:
[1] https://bugs.freedesktop.org/show_bug.cgi?id=48640

Upstream patch (against 3.5 branch):
[2] 
http://cgit.freedesktop.org/libreoffice/core/commit/?id=51c8c95b2864b49e7bcbd824eacedb5778a758c0&g=libreoffice-3-5

References:
[3] 
http://didasec.wordpress.com/2012/04/16/libreoffice-3-5-2-2-soffice-exesoffice-bin-memory-corruption/
[4] http://shinnai.altervista.org/exploits/SH-016-20120416.html
[5] http://seclists.org/fulldisclosure/2012/Apr/201
[6] https://bugzilla.redhat.com/show_bug.cgi?id=814223

 From investigation of the reproducers provided at:
[7] https://bugs.freedesktop.org/show_bug.cgi?id=48640#c0 ('Crash PoC')

the particular error message:
terminate called after throwing an instance of 'std::bad_alloc'
   what(): std::bad_alloc

Program received signal SIGABRT, Aborted.
0X00111416 in __kernel_vsyscall ()

seems to be just standard C++ (STL) error message / exception, that
the requested memory allocation failed. From my investigation
the relevant process termination in this case is safe from security
point of view (standard way how C++ handles memory allocation failures).

Though Caolán , Miklos or LibreOffice upstream can clarify further if
this should be considered to be a security flaw (due to internal
implementation details I am not aware of and might lead to memory
corruption announced at [7]).

But as noted earlier, I don't think this is a security flaw, which
should get a CVE identifier.

[8] https://bugs.freedesktop.org/show_bug.cgi?id=48640#c1 ('DoS PoC')

This one (on LibreOffice >= v.3.5.0 using the new RTF tokenizer implementation)
truly leads to denial of service (excessive CPU consumption and hang) while
trying to process that RTF file. So this case might be applicable
for CVE-2012-* identifier assignment.

Kurt, if LibreOffice upstream approves, could you allocate CVE id
for the 'RTF Tokenizer resolve keyword DoS / CPU usage issue' [8] ?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.