Calligra Words Buffer Overflow in MS Word Filter

Bug #1032934 reported by Scott Kitterman
Affects              Importance   Assigned to
calligra (Ubuntu)    Critical     Unassigned
  Lucid              Undecided    Unassigned
  Natty              Undecided    Unassigned
  Oneiric            Undecided    Unassigned
  Precise            Medium       Marc Deslauriers
  Quantal            Critical     Unassigned
koffice (Ubuntu)     Undecided    Unassigned
  Lucid              Undecided    Unassigned
  Natty              Undecided    Unassigned
  Oneiric            Medium       Marc Deslauriers
  Precise            Medium       Marc Deslauriers
  Quantal            Undecided    Unassigned
wv2 (Ubuntu)         Critical     Unassigned
  Lucid              Undecided    Unassigned
  Natty              Undecided    Unassigned
  Oneiric            Undecided    Unassigned
  Precise            High         Unassigned
  Quantal            Critical     Unassigned

Bug Description

This is from the private KDE packagers email list. It says the information is public, but I don't find any reference to Calligra in the article it mentions - http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf so I'm making the bug private. Upstream patch is attached.

Hello,

A security vulnerability has been found in Calligra Words. Affected versions
are all below 2.5.0 (2.5.0 will have the fix once tagged in a couple of
hours).

It is already public information, you can find it in the "Exploring the NFC
Attack Surface" article by Charlie Miller of Accuvant.

You have in attachment the patch to fix the issue. There is no CVE number
since we could not find help from <email address hidden> on that front, so if you
need/want one, and would be available to help us with that, please contact us.

--
Cyrille Berger Skott

Revision history for this message
Scott Kitterman (kitterman) wrote :

Found it on page 40. The bug is in an embedded code copy of wv2. It appears our wv2 package is likely affected as well.

visibility: private → public
Changed in wv2 (Ubuntu):
importance: Undecided → Critical
Revision history for this message
Scott Kitterman (kitterman) wrote :

Untested debdiff using upstream patch.

Changed in koffice (Ubuntu Precise):
status: New → Invalid
Changed in koffice (Ubuntu Quantal):
status: New → Invalid
Changed in wv2 (Ubuntu Precise):
status: New → Confirmed
Changed in wv2 (Ubuntu Quantal):
status: New → Confirmed
Changed in calligra (Ubuntu Quantal):
status: New → Triaged
Changed in calligra (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Critical
status: In Progress → Confirmed
Changed in wv2 (Ubuntu Precise):
status: Confirmed → Triaged
Changed in wv2 (Ubuntu Quantal):
status: Confirmed → Triaged
Revision history for this message
Scott Kitterman (kitterman) wrote :

wv2 code in that area is not identical. I think it's got the same issue, but I'm not 100% sure.

Changed in calligra (Ubuntu Lucid):
status: New → Invalid
Changed in calligra (Ubuntu Natty):
status: New → Invalid
Changed in calligra (Ubuntu Oneiric):
status: New → Invalid
Changed in wv2 (Ubuntu Precise):
status: Triaged → New
Changed in wv2 (Ubuntu Quantal):
status: Triaged → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package calligra - 1:2.4.92-0ubuntu2

---------------
calligra (1:2.4.92-0ubuntu2) quantal; urgency=high

  * SECURITY UPDATE:
  * References See patch header
  * Add debian/patches/wv2_buffer_overflow_fix.diff to fix buffer overflow in
    embedded copy of wv2 MS Word filter (LP: #1032934)
 -- Scott Kitterman <email address hidden> Sat, 04 Aug 2012 06:03:11 -0400

Changed in calligra (Ubuntu Quantal):
status: Triaged → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote :

Improved debdiff for calligra in precise.

Changed in wv2 (Ubuntu Precise):
importance: Undecided → High
status: New → Confirmed
Changed in calligra (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Critical → Medium
Changed in koffice (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Changed in koffice (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: Invalid → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package calligra - 1:2.4.0-0ubuntu2.1

---------------
calligra (1:2.4.0-0ubuntu2.1) precise-security; urgency=high

  * SECURITY UPDATE:
  * References See patch header
  * Add debian/patches/wv2_buffer_overflow_fix.diff to fix buffer overflow in
    embedded copy of wv2 MS Word filter (LP: #1032934)
 -- Scott Kitterman <email address hidden> Sat, 04 Aug 2012 05:12:38 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package koffice - 1:2.3.3-0ubuntu6.1

---------------
koffice (1:2.3.3-0ubuntu6.1) oneiric-security; urgency=low

  * SECURITY UPDATE: possible arbitrary code execution via malformed Word
    document (LP: #1032934)
    - debian/patches/wv2_buffer_overflow_fix.diff: don't overflow grupx in
      filters/kword/msword-odf/wv2/src/styles.cpp.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Mon, 06 Aug 2012 12:37:06 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package koffice - 1:2.3.3-0ubuntu4.1

---------------
koffice (1:2.3.3-0ubuntu4.1) natty-security; urgency=low

  * SECURITY UPDATE: possible arbitrary code execution via malformed Word
    document (LP: #1032934)
    - debian/patches/wv2_buffer_overflow_fix.diff: don't overflow grupx in
      filters/kword/msword-odf/wv2/src/styles.cpp.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Mon, 06 Aug 2012 10:55:34 -0400

Changed in calligra (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in koffice (Ubuntu Natty):
status: New → Fix Released
Changed in koffice (Ubuntu Oneiric):
status: Confirmed → Fix Released
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in koffice (Ubuntu Lucid):
status: New → Incomplete
Changed in koffice (Ubuntu Precise):
status: Confirmed → Invalid
Tyler Hicks (tyhicks)
Changed in wv2 (Ubuntu Lucid):
status: New → Incomplete
Changed in wv2 (Ubuntu Natty):
status: New → Incomplete
Changed in wv2 (Ubuntu Oneiric):
status: New → Incomplete
Changed in wv2 (Ubuntu Precise):
status: Confirmed → Incomplete
Changed in wv2 (Ubuntu Quantal):
status: New → Incomplete
Revision history for this message
Steve Beattie (sbeattie) wrote :

I don't see any tasks ready for the ubuntu-security-sponsors team, unsubscribing that team from the bug report.

Revision history for this message
Micah Gersten (micahg) wrote :

This was fixed in 0.4.2.dfsg.1-9.1

Changed in wv2 (Ubuntu Quantal):
status: Incomplete → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against natty is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in calligra (Ubuntu):
status: Fix Released → Invalid
Changed in wv2 (Ubuntu):
status: Fix Released → Invalid
Changed in koffice (Ubuntu Lucid):
status: Incomplete → Invalid
Changed in wv2 (Ubuntu Lucid):
status: Incomplete → Invalid
Changed in koffice (Ubuntu Natty):
status: Fix Released → Invalid
Changed in wv2 (Ubuntu Natty):
status: Incomplete → Invalid
Changed in koffice (Ubuntu Oneiric):
status: Fix Released → Invalid
Changed in wv2 (Ubuntu Oneiric):
status: Incomplete → Invalid
Changed in calligra (Ubuntu Precise):
status: Fix Released → Invalid
Changed in wv2 (Ubuntu Precise):
status: Incomplete → Invalid
Changed in calligra (Ubuntu Quantal):
status: Fix Released → Invalid
Changed in wv2 (Ubuntu Quantal):
status: Fix Released → Invalid