Package: unrtf
Version: 0.21.5-3+deb8u1

Dear Maintainer,
unrtf on Debian Jessie crashes when analyzing the following file (crash.rtf).
unrtf does not crash on the Debian Stretch package (0.21.9-clean-3).
Package info:
$ dpkg --list
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                              Version               Architecture          Description
+++-=================================-=====================-=====================-=======================================================================
ii  unrtf                             0.21.5-3+deb8u1       amd64                 RTF to other formats converter
File info:
$ md5sum crash.rtf
e025c809c42b784c0b00d2cb2a34b279 crash.rtf
$ sha1sum crash.rtf
d5de7e21b22399c859083bd28ce32bc4127492e1 crash.rtf
$ sha256sum crash.rtf
13a5b726cca07f1ce3ba296c897ccc24ae4fefe278889d3e90386d1495e6d2a6 crash.rtf
$ file crash.rtf
crash.rtf: Rich Text Format data, version 1, ANSI
Crash:
$ unrtf crash.rtf
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<!-- Translation from RTF performed by UnRTF, version 0.21.5 -->
<!--font table contains 7 fonts total-->
Segmentation fault
Trace from crash (gdb with peda plugin):
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff7dd72a0 --> 0xfbad2a84
RCX: 0xffffffffffffffff
RDX: 0x20 (' ')
RSI: 0x7ffffffe
RDI: 0x69666e6f63206f4e ('No confi')
RBP: 0x7fffffffde90 --> 0x613380 --> 0x7ffff7dd72a0 --> 0xfbad2a84
RSP: 0x7fffffffd8c0 --> 0x3
RIP: 0x7ffff7a7bdcc (<_IO_vfprintf_internal+19468>: )
R8 : 0x69666e6f63206f4e ('No confi')
R9 : 0x7ffff7a7c99a (<_IO_vfprintf_internal+22490>: )
R10: 0x7ffff7dd56a0 --> 0x0
R11: 0x0
R12: 0x40ccf8 ("%d %s %d ")
R13: 0x0
R14: 0x0
R15: 0x7fffffffdea8 --> 0x3000000020 (' ')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a7bdc3 <_IO_vfprintf_internal+19459>:	xor    eax,eax
   0x7ffff7a7bdc5 <_IO_vfprintf_internal+19461>:	or     rcx,0xffffffffffffffff
   0x7ffff7a7bdc9 <_IO_vfprintf_internal+19465>:	mov    rdi,r8
=> 0x7ffff7a7bdcc <_IO_vfprintf_internal+19468>:	repnz scas al,BYTE PTR es:[rdi]
   0x7ffff7a7bdce <_IO_vfprintf_internal+19470>:	mov    DWORD PTR [rbp-0x4c8],0x0
   0x7ffff7a7bdd8 <_IO_vfprintf_internal+19480>:	mov    rsi,rcx
   0x7ffff7a7bddb <_IO_vfprintf_internal+19483>:	not    rsi
   0x7ffff7a7bdde <_IO_vfprintf_internal+19486>:	lea    r10,[rsi-0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd8c0 --> 0x3
0008| 0x7fffffffd8c8 --> 0x65e090 --> 0x65e820 ("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n")
0016| 0x7fffffffd8d0 --> 0x7fffffffda20 --> 0x40cc7d ("align_right_begin")
0024| 0x7fffffffd8d8 --> 0x7ffff7aa5907 (<_IO_new_file_xsputn+87>:	mov    QWORD PTR [rbp+0x28],rax)
0032| 0x7fffffffd8e0 --> 0x7ffff7dd72a0 --> 0xfbad2a84
0040| 0x7fffffffd8e8 --> 0x7fffffffdee0 --> 0x7e3
0048| 0x7fffffffd8f0 --> 0x40cf30 ("creation date: ")
0056| 0x7fffffffd8f8 --> 0xf
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7a7bdcc in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=ap@entry=0x7fffffffdea8) at vfprintf.c:1642
1642	vfprintf.c: No such file or directory.
Trace from crash (Debian package with patches compiled with AddressSanitizer on another computer):
==20518==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555977f1f8c8 at pc 0x555977f0c113 bp 0x7ffd07589a30 sp 0x7ffd07589a20
READ of size 1 at 0x555977f1f8c8 thread T0
    #0 0x555977f0c112 in word_print_core (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x22112)
    #1 0x555977f0c7bb in word_print_core (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x227bb)
    #2 0x555977f0cdde in word_print (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x22dde)
    #3 0x555977f0f9de in main (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x259de)
    #4 0x7f0240a52b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x555977efbdf9 in _start (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x11df9)

0x555977f1f8c8 is located 3 bytes to the right of global variable '*.LC189' defined in 'convert.c' (0x555977f1f8c0) of size 5
  '*.LC189' is ascii string 'ansi'
0x555977f1f8c8 is located 56 bytes to the left of global variable '*.LC190' defined in 'convert.c' (0x555977f1f900) of size 8
  '*.LC190' is ascii string 'ansicpg'
SUMMARY: AddressSanitizer: global-buffer-overflow (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x22112) in word_print_core
Shadow bytes around the buggy address:
0x0aabaefdbec0: 00 01 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
0x0aabaefdbed0: 00 07 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0aabaefdbee0: 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
0x0aabaefdbef0: 02 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0aabaefdbf00: 02 f9 f9 f9 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
=>0x0aabaefdbf10: 02 f9 f9 f9 f9 f9 f9 f9 05[f9]f9 f9 f9 f9 f9 f9
0x0aabaefdbf20: 00 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
0x0aabaefdbf30: 07 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0aabaefdbf40: 00 00 02 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0aabaefdbf50: 05 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
0x0aabaefdbf60: 03 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20518==ABORTING
As a buffer overflow is considered a security issue, this crash may be patched as part of the LTS of Debian Jessie.
Kind regards,
Antoine
Attachment: crash.rtf
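A triage helper for the two traces in this report, added here as an example; it is not part of the bug report and not unrtf code. It parses the AddressSanitizer block into structured fields, recomputes the faulting address from the neighbouring globals ASan names (so the report's "3 bytes to the right" and "56 bytes to the left" are checked rather than trusted), and reports the byte index of the out-of-bounds read into the 5-byte 'ansi' literal. It also decodes a 64-bit register value as little-endian ASCII, which is what peda did when it annotated RDI as 'No confi' in the gdb dump: RIP there sits on a `repnz scas` inside `_IO_vfprintf_internal` with R12 pointing at the format string "%d %s %d ", i.e. vfprintf measuring a `%s` argument whose value is text rather than an address. The sample report text is copied from the ASan output above, with the stack trimmed to the frames inside the unrtf binary.

```python
"""Triage helper for the ASan report and gdb register dump quoted in the report.

Added example, not part of the bug report or of unrtf.
"""
import re

# Sample input: the ASan report from the bug report above, stack trimmed to
# the frames inside the unrtf binary (libc and _start frames add nothing).
ASAN_REPORT = """\
==20518==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555977f1f8c8 at pc 0x555977f0c113 bp 0x7ffd07589a30 sp 0x7ffd07589a20
READ of size 1 at 0x555977f1f8c8 thread T0
    #0 0x555977f0c112 in word_print_core (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x22112)
    #1 0x555977f0c7bb in word_print_core (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x227bb)
    #2 0x555977f0cdde in word_print (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x22dde)
    #3 0x555977f0f9de in main (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x259de)
0x555977f1f8c8 is located 3 bytes to the right of global variable '*.LC189' defined in 'convert.c' (0x555977f1f8c0) of size 5
  '*.LC189' is ascii string 'ansi'
0x555977f1f8c8 is located 56 bytes to the left of global variable '*.LC190' defined in 'convert.c' (0x555977f1f900) of size 8
  '*.LC190' is ascii string 'ansicpg'
SUMMARY: AddressSanitizer: global-buffer-overflow (/media/cvs/GSM/fuzz/unrtf/jessie/asan/unrtf-0.21.5/src/unrtf+0x22112) in word_print_core
"""

_HEADER = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)"
    r" at pc (?P<pc>0x[0-9a-f]+)")
_ACCESS = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
_FRAME = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-f]+) in (?P<func>\S+) "
    r"\((?P<module>[^)+]+)\+(?P<off>0x[0-9a-f]+)\)", re.M)
_GLOBAL = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right)"
    r" of global variable '(?P<name>[^']+)' defined in '(?P<file>[^']+)'"
    r" \((?P<base>0x[0-9a-f]+)\) of size (?P<size>\d+)\n"
    r"\s*'[^']+' is ascii string '(?P<text>[^']*)'")


def _global_record(m, fault):
    base, size, dist = int(m["base"], 16), int(m["size"]), int(m["dist"])
    # ASan measures "right" distances from the end of the object and "left"
    # distances from its start; recompute the fault address from both so a
    # truncated or hand-edited report is caught instead of trusted.
    expected = base + size + dist if m["side"] == "right" else base - dist
    return {
        "name": m["name"], "file": m["file"], "text": m["text"],
        "base": base, "size": size, "side": m["side"],
        "offset": fault - base,        # index of the access relative to the object
        "consistent": expected == fault,
    }


def parse_asan(report):
    """Return the error kind, faulting access, stack frames and the globals
    ASan placed around the faulting address."""
    head = _HEADER.search(report)
    if head is None:
        raise ValueError("no AddressSanitizer error header found")
    fault = int(head["addr"], 16)
    access = _ACCESS.search(report)
    frames = [{"n": int(m["n"]), "pc": int(m["pc"], 16), "func": m["func"],
               "module": m["module"], "offset": int(m["off"], 16)}
              for m in _FRAME.finditer(report)]
    return {
        "kind": head["kind"],
        "fault_addr": fault,
        "pc": int(head["pc"], 16),
        "access": (access["op"], int(access["size"])) if access else None,
        "frames": frames,
        "globals": [_global_record(m, fault) for m in _GLOBAL.finditer(report)],
    }


def overrun_index(parsed):
    """For a read past the end of an object, return (object text, byte index of
    the access into that object), or None if no consistent right-side neighbour."""
    for g in parsed["globals"]:
        if g["side"] == "right" and g["consistent"]:
            return g["text"], g["offset"]
    return None


def decode_register(value, width=8):
    """Render a register value as the ASCII its bytes spell in memory order
    (little-endian), non-printable bytes as '.', as peda does for odd pointers."""
    raw = value.to_bytes(width, "little")
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


if __name__ == "__main__":
    info = parse_asan(ASAN_REPORT)
    print(info["kind"], info["access"], info["frames"][0]["func"])
    print(overrun_index(info))                  # ('ansi', 8): byte 8 of a 5-byte literal
    print(decode_register(0x69666e6f63206f4e))  # No confi
```

The overrun index is the detail the raw report hides: 'ansi' occupies 5 bytes including its NUL, and the faulting read is at byte 8, so this is not a one-past-the-terminator read but an access three bytes beyond the literal's end; the decoded RDI shows vfprintf was handed string bytes where it expected a `char *`.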

