buffer overflow Security fix

Created an attachment (id=4025)
patch to fix the buffer overflow

Security fix to apply

Created an attachment (id=4026)
sample for the security issue

load the file in AbiWord, it will crash and clobber the stack... 0x41414141 in
the stack trace show it.
a valgrind run will complain too.

after applying the above patch, the AbiWord no longer crash and will even
import the file.

problem reported by "Chris Evans" from the vendor-sec list

Martin: Abiword is in universe (just noticed this after all the bug wrangling),
but it's also probably fairly commonly-used, so if you don't have the spare time
to whip up an update for this, I'll probably do so on Monday. Just let me know.

Scratch that, the source is in main, I'm asleep at the wheel.

The source and abiword-gnome are in main

We discussed that on vendor-sec, but it blew off to the public now. OK, the
patch is easy. I already asked on vendor-sec: What should this change be good for?

- keyword[count++] = ch;
+ keyword[count] = ch;
+ count++;

these look perfectly equivalent to me.

sorry. this is useless for the security fix. it is part of my eternal "I hate C
permissive code style" rant.

for the record, patch is still discussed on vendor-sec; it converts the crash to
an eternal hang in a futex, which solves the security problem, but can certainly
be enhanced a bit further.

 abiword (2.2.9-1ubuntu2) breezy; urgency=low
 .
   * SECURITY UPDATE: Fix arbitrary code execution with crafted RTF documents.
   * Add debian/patches/18_rtf_check_keyword_len.dpatch:
     - Limit the size of RTF identifiers to avoid overflowing a static buffer.
   * References:
     CAN-2005-2964
     Ubuntu #16165

warty and hoary are pending

stables fixed in USN-188-1.

*** Bug 22808 has been marked as a duplicate of this bug. ***