Message-ID: <20170101080326.sin4gisgscjtgouc@eldamar.local>
Date: Sun, 1 Jan 2017 09:03:26 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com, daved@...siol.usyd.edu.au, jf@...kes.org, willi@...ian.org, security@...ian.org
Subject: Re: CVE Request: UnRTF: stack-based buffer overflows in cmd_* functions

Hi,

On Sat, Dec 31, 2016 at 12:12:14PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> >> I've found a Stack-based buffer overflow in unrtf 0.21.9, which
> >> affects three functions including: cmd_expand, cmd_emboss and
> >> cmd_engrave.
>
> >> Apparently writing a negative integer to the buffer can trigger the
> >> overflow (Minus sign needs an extra byte).
>
> > https://bugs.debian.org/849705
>
> >>> I guess that you can just add a package patch to increase the str[] buffer
> >>> size, something like
> >>>
> >>> - char str[10];
> >>> + char str[15];
>
> Use CVE-2016-10091 (for all of the 849705 report).

Upstream patch:

http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406

Regards,
Salvatore
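
Review bot: the "+ char str[15];" line replaces one magic number with another; nothing in the hunk ties the size to the integer being written, and the write into str stays unbounded. Suggest deriving the size from the integer type (digits, plus one byte for the sign, plus the terminating NUL) and checking the write length against sizeof(str), so that a wider value is rejected instead of overrunning the buffer.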
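
The sizing problem described in the quoted report (the minus sign needs one byte more than a fixed str[] allows), as an added example that is not part of the original message or of the UnRTF sources. It assumes the integer is formatted with "%d"; the helper names, the macro and the sample values are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Worst case for "%d": value digits + '-' + NUL.
 * (value bits * 302 / 1000) + 1 over-approximates the digit count (log10(2) ~ 0.301). */
#define INT_DEC_BUFSZ ((sizeof(int) * CHAR_BIT - 1) * 302 / 1000 + 3)

/* Bytes, including the NUL, that "%d" needs for v. */
size_t dec_bytes_needed(int v)
{
    int n = snprintf(NULL, 0, "%d", v);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded write: 0 on success, -1 (dst set to "") if v does not fit in dstsz. */
int format_int(char *dst, size_t dstsz, int v)
{
    int n = snprintf(dst, dstsz, "%d", v);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the UnRTF sources. */
    const int samples[] = { 999999999, -999999999, INT_MIN };
    char str10[10];               /* size before the suggested change */
    char strmax[INT_DEC_BUFSZ];   /* size derived from the type */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = samples[i];
        printf("%d needs %zu bytes; char[10]: %s; char[%zu]: %s\n",
               v, dec_bytes_needed(v),
               format_int(str10, sizeof str10, v) ? "rejected" : "ok",
               sizeof strmax,
               format_int(strmax, sizeof strmax, v) ? "rejected" : "ok");
    }
    return 0;
}
```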