Your message dated Mon, 03 Dec 2012 19:02:30 +0000
with message-id <e1tfbhi-000165...@franck.debian.org>
and subject line Bug#692076: fixed in catdoc 0.94.4-1.1
has caused the Debian Bug report #692076,
regarding catdoc: Extra ';' turns for loop into a buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
692076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692076
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: catdoc
Version: 0.94.3-1
Severity: serious
Tags: patch, security

src/xlsparse.c contains:

    for (i=0;i<NUMOFDATEFORMATS; i++);
    FormatIdxUsed[i]=0;

The ';' at the end of the first line shouldn't be there. It results in the
code doing the same as:

    i = NUMOFDATEFORMATS;
    FormatIdxUsed[i]=0;

And FormatIdxUsed has NUMOFDATEFORMATS elements, which start from 0 so
FormatIdxUsed[NUMOFDATEFORMATS] is writing off the end of the buffer.

That's undefined behaviour in C and a security issue, though whether it's
usefully exploitable in the current binary packages depends what happens
to be put in memory after it. But an obvious use case for catdoc is viewing
attachments you get sent or files you download, so it seems wise to assume
this could be exploited unless proved otherwise, so I've tagged this
"security" and set the severity to "serious".

Patch attached. I'm happy to NMU a fix (at least assuming I can work
around #692073), so let me know if you'd like me to.

Cheers,
Olly

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages catdoc depends on:
ii libc6 2.13-35
catdoc recommends no packages.
Versions of packages catdoc suggests:
ii tk 8.5.0-2
ii tk8.4 [wish] 8.4.19-5
ii tk8.5 [wish] 8.5.11-2
-- no debconf information
--- End Message ---
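
Added example (not part of the bug report and not catdoc's own source): the reported loop next to its corrected form, run against a buffer that carries one extra guard slot so the off-by-one write can be observed without undefined behaviour. The value of NUMOFDATEFORMATS, the unsigned char element type, the guard slot and the names reset_buggy, reset_fixed and run are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <string.h>

#define NUMOFDATEFORMATS 8  /* assumed value, not taken from the report */
#define MARK 0xAA           /* constructed fill byte meaning "never written" */

/* As reported: the ';' is the entire loop body, so the loop only counts. */
static int reset_buggy(unsigned char *FormatIdxUsed)
{
    int i;
    for (i = 0; i < NUMOFDATEFORMATS; i++);
    FormatIdxUsed[i] = 0;   /* runs once, with i == NUMOFDATEFORMATS */
    return i;
}

/* As fixed: the assignment is the loop body. */
static int reset_fixed(unsigned char *FormatIdxUsed)
{
    int i;
    for (i = 0; i < NUMOFDATEFORMATS; i++)
        FormatIdxUsed[i] = 0;
    return i;
}

struct result { int cleared; int guard_intact; int last_index; };

/* Runs one variant on a buffer with ONE EXTRA guard slot (an assumption of
 * this demo, so the stray write stays inside memory we own). */
static struct result run(int (*reset)(unsigned char *))
{
    unsigned char buf[NUMOFDATEFORMATS + 1];
    struct result r = {0, 0, 0};
    memset(buf, MARK, sizeof buf);
    r.last_index = reset(buf);
    for (int k = 0; k < NUMOFDATEFORMATS; k++)
        r.cleared += (buf[k] == 0);
    r.guard_intact = (buf[NUMOFDATEFORMATS] == MARK);
    return r;
}

int main(void)
{
    struct result b = run(reset_buggy), f = run(reset_fixed);
    printf("buggy: cleared=%d guard_intact=%d\n", b.cleared, b.guard_intact);
    printf("fixed: cleared=%d guard_intact=%d\n", f.cleared, f.guard_intact);
    return 0;
}
```

The buggy variant leaves every real slot uninitialised and overwrites only the slot past the end. When the assignment is indented under the for, as it would normally be typed, Clang's -Wempty-body and GCC's -Wmisleading-indentation (part of -Wall) report the pattern at compile time.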
--- Begin Message ---
Source: catdoc
Source-Version: 0.94.4-1.1
We believe that the bug you reported is fixed in the latest version of
catdoc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Neil Williams <codeh...@debian.org> (supplier of updated catdoc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 03 Dec 2012 18:22:47 +0000
Source: catdoc
Binary: catdoc
Architecture: source amd64
Version: 0.94.4-1.1
Distribution: unstable
Urgency: low
Maintainer: Nick Bane <n...@enomem.co.uk>
Changed-By: Neil Williams <codeh...@debian.org>
Description:
catdoc - MS-Word to TeX or plain text converter
Closes: 692073 692076
Changes:
catdoc (0.94.4-1.1) unstable; urgency=low
.
* Non-maintainer upload.
* New upstream release to remove .pc subdirectory from
the orig tarball (Closes: #692073). Includes updating
version strings in generated manpages.
* Remove extra ';' in src/xlsparse.c which turned for loop in
xlsparse into a buffer overflow (Closes: #692076), applies
patch by Olly Betts <o...@survex.com>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---