Package: abiword
Version: 3.0.4~dfsg-3
Severity: important
X-Debbugs-Cc: jieyong...@gmail.com

Buffer overflow in wvCopyCHPX () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
causes a denial of service (crash) in abiword 3.0.4 via a crafted input document.

root@max:/home/fuzz/poc/abiword# gdb --args abiword -t pdf ./poc1.doc 
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from abiword...
(No debugging symbols found in abiword)
(gdb) r
Starting program: /usr/bin/abiword -t pdf ./poc1.doc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe7216700 (LWP 6364)]
[New Thread 0x7fffe6a15700 (LWP 6365)]
[New Thread 0x7fffe6214700 (LWP 6366)]
[New Thread 0x7fffe5a13700 (LWP 6367)]
[New Thread 0x7fffe5212700 (LWP 6368)]
[New Thread 0x7fffe4a11700 (LWP 6369)]
[New Thread 0x7fffcbfff700 (LWP 6370)]
[New Thread 0x7fffcb7fe700 (LWP 6371)]
[New Thread 0x7fffcaffd700 (LWP 6372)]
[New Thread 0x7fffca7fc700 (LWP 6373)]
[New Thread 0x7fffc9ffb700 (LWP 6374)]
[New Thread 0x7fffc97fa700 (LWP 6375)]
[Detaching after fork from child process 6376]

Thread 1 "abiword" received signal SIGSEGV, Segmentation fault.
0x00007ffff731c600 in wvCopyCHPX () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
(gdb) bt
#0  0x00007ffff731c600 in wvCopyCHPX () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
#1  0x00007ffff730ce17 in wvGenerateStyle () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
#2  0x00007ffff730d20e in wvGetSTSH () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
#3  0x00007ffff731fdd6 in wvDecodeSimple () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
#4  0x00007ffff73297a1 in wvText () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
#5  0x00007ffff7d0e846 in IE_Imp_MsWord_97::_loadFile(_GsfInput*) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#6  0x00007ffff7d0b048 in IE_Imp::loadFile(PD_Document*, _GsfInput*, int, char const*, int*) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#7  0x00007ffff7ba2d8a in PD_Document::_importFile(_GsfInput*, int, bool, bool, bool, char const*) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#8  0x00007ffff7ba309f in PD_Document::_importFile(char const*, int, bool, bool, bool, char const*) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#9  0x00007ffff7ba3118 in PD_Document::readFromFile(char const*, int, char const*) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#10 0x00007ffff7c5042d in AP_Convert::convertTo(char const*, int, char const*, int) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#11 0x00007ffff7c50975 in AP_Convert::convertTo(char const*, char const*, char const*) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#12 0x00007ffff7c4fefb in AP_Args::doWindowlessArgs(bool&) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#13 0x00007ffff7abfd4a in AP_UnixApp::main(char const*, int, char**) () from /lib/x86_64-linux-gnu/libabiword-3.0.so
#14 0x00007ffff7606d0a in __libc_start_main (main=0x555555555050, argc=4, argv=0x7fffffffe5c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5b8) at ../csu/libc-start.c:308
#15 0x000055555555509a in ?? ()

Ref: https://bugzilla.abisource.com/show_bug.cgi?id=13962

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-12-amd64 (SMP w/4 CPU threads)
Locale: LANG=zh_CN.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8), LANGUAGE=zh_CN:zh
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages abiword depends on:
ii  abiword-common      3.0.4~dfsg-3
ii  gsfonts             1:8.11+urwcyr1.0.7~pre44-4.5
ii  libabiword-3.0      3.0.4~dfsg-3
ii  libc6               2.31-13+deb11u2
ii  libdbus-1-3         1.12.20-2
ii  libdbus-glib-1-2    0.110-6
ii  libgcc-s1           10.2.1-6
ii  libgcrypt20         1.8.7-6
ii  libglib2.0-0        2.66.8-1
ii  libgnutls30         3.7.1-5
ii  libgoffice-0.10-10  0.10.48-1
ii  libgsf-1-114        1.14.47-1
ii  libgtk-3-0          3.24.24-4
ii  libjpeg62-turbo     1:2.0.6-4
ii  libloudmouth1-0     1.5.3-6
ii  libots0             0.5.0-6
ii  libpng16-16         1.6.37-3
ii  librdf0             1.0.17-1.1+b1
ii  libreadline8        8.1-1
ii  librevenge-0.0-0    0.0.4-6+b1
ii  libsoup2.4-1        2.72.0-2
ii  libstdc++6          10.2.1-6
ii  libtelepathy-glib0  0.24.1-3
ii  libtidy5deb1        2:5.6.0-11
ii  libwmf0.2-7         0.2.8.4-17
ii  libwpd-0.10-10      0.10.3-1
ii  libwpg-0.3-3        0.3.3-1
ii  libxml2             2.9.10+dfsg-6.7
ii  zlib1g              1:1.2.11.dfsg-2

Versions of packages abiword recommends:
ii  abiword-plugin-grammar         3.0.4~dfsg-3
ii  aspell-en [aspell-dictionary]  2018.04.16-0-1
ii  fonts-liberation               1:1.07.4-11
ii  poppler-utils                  20.09.0-3.1

abiword suggests no packages.

-- no debconf information