Message-ID: <4F9001B7.2010309@redhat.com>
Date: Thu, 19 Apr 2012 14:14:47 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com, officesecurity@...ts.freedesktop.org,
        Caolán McNamara <caolanm@...hat.com>,
        Miklos Vajna <vmiklos@...e.cz>, David Tardon <dtardon@...hat.com>,
        Carlo Di Dato <shinnai@...istici.org>
Subject: CVE Request (minor) -- LibreOffice (X >= v3.5.0): DoS (excessive CPU use) in the RTF tokenizer

Hello Kurt, Steve, vendors,

   a denial of service flaw was found in the way the LibreOffice RTF Tokenizer
used to resolve certain keywords being present in the Rich Text Format (RTF)
document. A remote attacker could provide a specially-crafted RTF file, which
once opened by a local, unsuspecting LibreOffice tools suite user would lead to
excessive CPU usage by the tool used for opening that file.

Upstream bug report:
[1] https://bugs.freedesktop.org/show_bug.cgi?id=48640

Upstream patch (against 3.5 branch):
[2] http://cgit.freedesktop.org/libreoffice/core/commit/?id=51c8c95b2864b49e7bcbd824eacedb5778a758c0&g=libreoffice-3-5

References:
[3] http://didasec.wordpress.com/2012/04/16/libreoffice-3-5-2-2-soffice-exesoffice-bin-memory-corruption/
[4] http://shinnai.altervista.org/exploits/SH-016-20120416.html
[5] http://seclists.org/fulldisclosure/2012/Apr/201
[6] https://bugzilla.redhat.com/show_bug.cgi?id=814223

From investigation of the reproducers provided at:
[7] https://bugs.freedesktop.org/show_bug.cgi?id=48640#c0 ('Crash PoC')

the particular error message:
terminate called after throwing an instance of 'std::bad_alloc'
   what(): std::bad_alloc

Program received signal SIGABRT, Aborted.
0X00111416 in __kernel_vsyscall ()

seems to be just standard C++ (STL) error message / exception, that
the requested memory allocation failed. From my investigation
the relevant process termination in this case is safe from security
point of view (standard way how C++ handles memory allocation failures).

Though Caolán, Miklos or LibreOffice upstream can clarify further if
this should be considered to be a security flaw (due to internal
implementation details I am not aware of and might lead to memory
corruption announced at [7]).

But as noted earlier, I don't think this is a security flaw, which
should get a CVE identifier.

[8] https://bugs.freedesktop.org/show_bug.cgi?id=48640#c1 ('DoS PoC')

This one (on LibreOffice >= v.3.5.0 using the new RTF tokenizer implementation)
truly leads to denial of service (excessive CPU consumption and hang) while
trying to process that RTF file. So this case might be applicable
for CVE-2012-* identifier assignment.

Kurt, if LibreOffice upstream approves, could you allocate CVE id
for the 'RTF Tokenizer resolve keyword DoS / CPU usage issue' [8] ?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
