Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Mar 2015 12:23:09 -0700
From: Dean Pierce <>
Subject: catdoc has bugs

"catdoc" is a command line tool for extracting readable text from
Microsoft office documents.  It is used by the command "less" when
opening a .doc file, and if it's not installed, less will ask you to
install it.  It's also listed as a forensics tool on certain websites.
Catdoc has bugs.

The attached* word documents were generated with American Fuzzy Lop.
The first attached tarball contains 35 somewhat analyzed sample
crashes.  I've also included the raw crash samples with 27 additional
crashes that were generated between the initial disclosure time and
right now.  AFL identified them as unique issues (presumably different
code paths) though the offending code seems to be in the following

substmap.c:151 (crash)
numutils.c:22 (some crash, some trigger ASAN)
ole.c:108 (ASAN)
ole.c:315 (ASAN)

The ASAN crashes indicate memory corruptions, but there are some solid
segfaults in substmap.c and numultils.c.  The crashes seem to be read
violations, so non-trivial to exploit, and since DoS and memory
disclosures aren't super interesting for document parers, it's
unlikely that any of these deserve a CVE.

There are likely more bugs, and catdoc also includes a ppt parser and
an xls parser.

* The attachments were too big (>200k), so I made this website instead

  - DEAN

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.