Date: Fri, 13 Mar 2015 12:23:09 -0700 From: Dean Pierce <pierce403@...il.com> To: oss-security@...ts.openwall.com Subject: catdoc has bugs "catdoc" is a command line tool for extracting readable text from Microsoft office documents. It is used by the command "less" when opening a .doc file, and if it's not installed, less will ask you to install it. It's also listed as a forensics tool on certain websites. Catdoc has bugs. The attached* word documents were generated with American Fuzzy Lop. The first attached tarball contains 35 somewhat analyzed sample crashes. I've also included the raw crash samples with 27 additional crashes that were generated between the initial disclosure time and right now. AFL identified them as unique issues (presumably different code paths) though the offending code seems to be in the following places: substmap.c:151 (crash) numutils.c:22 (some crash, some trigger ASAN) ole.c:108 (ASAN) ole.c:315 (ASAN) The ASAN crashes indicate memory corruptions, but there are some solid segfaults in substmap.c and numultils.c. The crashes seem to be read violations, so non-trivial to exploit, and since DoS and memory disclosures aren't super interesting for document parers, it's unlikely that any of these deserve a CVE. There are likely more bugs, and catdoc also includes a ppt parser and an xls parser. * The attachments were too big (>200k), so I made this website instead : https://catdocbugs.neocities.org/ - DEAN
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.