Date: Sun, 1 Jan 2017 09:03:26 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com, daved@...siol.usyd.edu.au, jf@...kes.org, willi@...ian.org, security@...ian.org Subject: Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions Hi, On Sat, Dec 31, 2016 at 12:12:14PM -0500, cve-assign@...re.org wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > >> I've found a Stack-based buffer overflow in unrtf 0.21.9, which > >> affects three functions including: cmd_expand, cmd_emboss and > >> cmd_engrave. > > >> Apparently writing a negative integer to the buffer can trigger the > >> overflow (Minus sign needs an extra byte). > > > https://bugs.debian.org/849705 > > >>> I guess that you can just add a package patch to increate the str buffer > >>> size, something like > >>> > >>> - char str; > >>> + char str; > > Use CVE-2016-10091 (for all of the 849705 report). Upstream patch: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.