Source: libwpd
Version: 0.10.2-2
Severity: important
Tags: upstream security

Hi,

The following vulnerability was published for libwpd.

CVE-2018-19208[0]:
| In libwpd 0.10.2, there is a NULL pointer dereference in the function
| WP6ContentListener::defineTable in WP6ContentListener.cpp that will
| lead to a denial of service attack. This is related to WPXTable.h.

I do not know if it was reported to upstream or only in Red Hat bugzilla.

==25333== Memcheck, a memory error detector
==25333== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==25333== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==25333== Command: wpd2html ./poc0-1
==25333==
==25333== Invalid read of size 8
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==    by 0x488D8DA: WP6ContentListener::_handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WP6ContentListener.cpp:1783)
==25333==    by 0x489B90E: WPXContentListener::handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WPXContentListener.cpp:1226)
==25333==    by 0x489C122: WPXContentListener::_openPageSpan() (WPXContentListener.cpp:415)
==25333==    by 0x489C854: WPXContentListener::_openSection() (WPXContentListener.cpp:198)
==25333==    by 0x488EF15: WP6ContentListener::_handleListChange(unsigned short) (WP6ContentListener.cpp:1888)
==25333==    by 0x489CFC1: WPXContentListener::_openSpan() (WPXContentListener.cpp:797)
==25333==    by 0x488B903: WP6ContentListener::insertCharacter(unsigned int) (WP6ContentListener.cpp:423)
==25333==    by 0x48938BF: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:138)
==25333==    by 0x4893922: WP6Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:83)
==25333==    by 0x4893D58: WP6Parser::parse(librevenge::RVNGTextInterface*) (WP6Parser.cpp:225)
==25333==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25333==
==25333==
==25333== Process terminating with default action of signal 11 (SIGSEGV)
==25333==  Access not within mapped region at address 0x0
==25333==    at 0x488C37A: operator[] (WPXTable.h:89)
==25333==    by 0x488C37A: WP6ContentListener::defineTable(unsigned char, unsigned short) (WP6ContentListener.cpp:1314)
==25333==    by 0x4893899: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:149)
==25333==    by 0x488D8DA: WP6ContentListener::_handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WP6ContentListener.cpp:1783)
==25333==    by 0x489B90E: WPXContentListener::handleSubDocument(WPXSubDocument const*, WPXSubDocumentType, WPXTableList, unsigned int) (WPXContentListener.cpp:1226)
==25333==    by 0x489C122: WPXContentListener::_openPageSpan() (WPXContentListener.cpp:415)
==25333==    by 0x489C854: WPXContentListener::_openSection() (WPXContentListener.cpp:198)
==25333==    by 0x488EF15: WP6ContentListener::_handleListChange(unsigned short) (WP6ContentListener.cpp:1888)
==25333==    by 0x489CFC1: WPXContentListener::_openSpan() (WPXContentListener.cpp:797)
==25333==    by 0x488B903: WP6ContentListener::insertCharacter(unsigned int) (WP6ContentListener.cpp:423)
==25333==    by 0x48938BF: WP6Parser::parseDocument(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:138)
==25333==    by 0x4893922: WP6Parser::parse(librevenge::RVNGInputStream*, WPXEncryption*, WP6Listener*) (WP6Parser.cpp:83)
==25333==    by 0x4893D58: WP6Parser::parse(librevenge::RVNGTextInterface*) (WP6Parser.cpp:225)
==25333==  If you believe this happened as a result of a stack
==25333==  overflow in your program's main thread (unlikely but
==25333==  possible), you can try to increase the size of the
==25333==  main thread stack using the --main-stacksize= flag.
==25333==  The main thread stack size used in this run was 8388608.
==25333==
==25333== HEAP SUMMARY:
==25333==     in use at exit: 39,843 bytes in 1,012 blocks
==25333==   total heap usage: 9,446 allocs, 8,434 frees, 879,851 bytes allocated
==25333==
==25333== LEAK SUMMARY:
==25333==    definitely lost: 40 bytes in 1 blocks
==25333==    indirectly lost: 16 bytes in 1 blocks
==25333==      possibly lost: 0 bytes in 0 blocks
==25333==    still reachable: 39,787 bytes in 1,010 blocks
==25333==         suppressed: 0 bytes in 0 blocks
==25333== Rerun with --leak-check=full to see details of leaked memory
==25333==
==25333== For counts of detected and suppressed errors, rerun with: -v
==25333== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19208
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19208
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1643752
[2] https://src.fedoraproject.org/rpms/libwpd/blob/e42834b844f3282d8ccb0889abf1b33f3f71e02f/f/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
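Editor's added illustration (not part of the report above and not libwpd source): a minimal model of the bug class the Valgrind trace shows. The listener keeps a "current table" pointer that is only set while a table is open; a sub-document reached from the page-span path calls the table-definition handler with no table open, and an unchecked operator[] on that null pointer is the SIGSEGV at WPXTable.h:89. The checked variant follows the shape suggested by the Fedora patch title (a bounds check on the m_currentTable access). Table, Listener, Event, defineTableUnchecked, defineTableChecked, runChecked and kCraftedStream are names chosen for this example; the event stream is constructed and stands in for a crafted document.

```cpp
// Added example for CVE-2018-19208, not libwpd code. Models the current-table
// state a content listener keeps, with the unchecked access beside a checked one.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

struct Cell {
    uint8_t colSpan = 1;
};

struct Table {
    std::vector<std::vector<Cell>> rows;
    // Unchecked row access: the caller is trusted to pass a valid index.
    std::vector<Cell> &operator[](size_t i) { return rows[i]; }
    size_t size() const { return rows.size(); }
};

class Listener {
public:
    // A table-start function makes a table current; before that, and after
    // endTable(), m_currentTable is null.
    void startTable() {
        m_tables.push_back(std::make_unique<Table>());
        m_currentTable = m_tables.back().get();
        m_currentTable->rows.emplace_back(); // first row is opened with the table
    }
    void endTable() { m_currentTable = nullptr; }

    // Vulnerable shape: assumes a table is open. A header/footer sub-document
    // parsed from a page span can reach this with no table current, and the
    // operator[] call then dereferences a null pointer (SIGSEGV).
    void defineTableUnchecked(uint8_t columns, uint16_t row) {
        (*m_currentTable)[row].resize(columns);
    }

    // Hardened shape: reject the definition when no table is current or the
    // row index is out of range, and tell the caller so it can skip the function.
    bool defineTableChecked(uint8_t columns, uint16_t row) {
        if (!m_currentTable || row >= m_currentTable->size())
            return false;
        (*m_currentTable)[row].resize(columns);
        return true;
    }

private:
    std::vector<std::unique_ptr<Table>> m_tables;
    Table *m_currentTable = nullptr;
};

// Simulated parser events; a real parser derives them from the function
// codes it reads out of the document stream.
enum class Event { StartTable, EndTable, DefineTable };

// Feeds events through the checked path and returns how many table
// definitions were rejected. On the unchecked path the first rejected event
// here would instead be the crash Valgrind reports.
int runChecked(Listener &listener, const std::vector<Event> &events) {
    int rejected = 0;
    for (Event e : events) {
        switch (e) {
        case Event::StartTable:  listener.startTable(); break;
        case Event::EndTable:    listener.endTable(); break;
        case Event::DefineTable:
            if (!listener.defineTableChecked(3, 0)) ++rejected;
            break;
        }
    }
    return rejected;
}

// Constructed event stream standing in for a crafted document: a table
// definition arrives before any table start, and another after the table
// has been closed. Neither has a table to apply to.
static const std::vector<Event> kCraftedStream = {
    Event::DefineTable, Event::StartTable, Event::DefineTable,
    Event::EndTable,    Event::DefineTable,
};

int main() {
    Listener listener;
    // Two of the three definitions are rejected instead of crashing.
    return runChecked(listener, kCraftedStream) == 2 ? 0 : 1;
}
```

The point for a reviewer of a fix like [2] is that the guard belongs at the access site (pointer and index), not only at the call site in the parser, because the same handler is reachable from more than one path (the main body and the sub-document path in the trace above).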