Message-ID: <CAFOKM3r5geYXHitFzrY7PjVcRGvdUS_XOsiCSHaubM9z+cYL3A@mail.gmail.com>
Date: Fri, 13 Mar 2015 12:23:09 -0700
From: Dean Pierce <pierce403@...il.com>
To: oss-security@...ts.openwall.com
Subject: catdoc has bugs

"catdoc" is a command line tool for extracting readable text from Microsoft
Office documents. It is used by the command "less" when opening a .doc file,
and if it's not installed, less will ask you to install it. It's also listed
as a forensics tool on certain websites.

Catdoc has bugs. The attached* Word documents were generated with American
Fuzzy Lop. The first attached tarball contains 35 somewhat analyzed sample
crashes. I've also included the raw crash samples with 27 additional crashes
that were generated between the initial disclosure time and right now.

AFL identified them as unique issues (presumably different code paths), though
the offending code seems to be in the following places:

substmap.c:151 (crash)
numutils.c:22 (some crash, some trigger ASAN)
ole.c:108 (ASAN)
ole.c:315 (ASAN)

The ASAN crashes indicate memory corruptions, but there are some solid
segfaults in substmap.c and numutils.c. The crashes seem to be read
violations, so non-trivial to exploit, and since DoS and memory disclosures
aren't super interesting for document parsers, it's unlikely that any of these
deserve a CVE.

There are likely more bugs, and catdoc also includes a ppt parser and an xls
parser.

* The attachments were too big (>200k), so I made this website instead:
https://catdocbugs.neocities.org/

- DEAN
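The mail notes that AFL reported 62 "unique" crashes that collapse onto four source
locations. The script below is an added example of the triage step that gets from one
to the other, written for this page and not taken from Dean's mail, from catdoc, or
from AFL: it parses AddressSanitizer stderr, skips frames inside the sanitizer runtime,
and buckets samples by the first application frame (file:line), error kind, and access
type (READ vs WRITE, which is what the mail uses to judge exploitability). The sample
reports are constructed; the function names map_char and ole_open, the sample IDs, and
the addresses are hypothetical, only the file:line pairs echo the sites the mail lists.

```python
"""Bucket AFL crash samples by the first application frame in their ASAN report."""
import re
import subprocess
from collections import defaultdict

# "==PID==ERROR: AddressSanitizer: <kind> on ..." header line.
ASAN_HEADER = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
# "READ of size N" / "WRITE of size N" for buffer errors, and
# "The signal is caused by a READ memory access." for SEGV reports.
ACCESS = re.compile(r"\b(READ|WRITE) (?:of size \d+|memory access)")
# Symbolized stack frame: "    #0 0x4a2b3b in ole_open ole.c:108:12"
# (the trailing column is optional). Unsymbolized frames ("(binary+0x...)")
# do not match and are simply skipped.
FRAME = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?")

# Frames in the sanitizer runtime or libc are not the crashing code.
SKIP_FUNCS = ("__interceptor_", "__asan_", "__sanitizer", "libc.so")


def parse_report(stderr: str) -> dict:
    """Return kind, access type and first non-runtime frame of one report.

    Any key whose information is missing from the report is None.
    """
    kind = ASAN_HEADER.search(stderr)
    access = ACCESS.search(stderr)
    site = func = None
    for m in FRAME.finditer(stderr):
        if any(s in m.group(2) for s in SKIP_FUNCS):
            continue
        func, site = m.group(2), f"{m.group(3)}:{m.group(4)}"
        break
    return {
        "kind": kind.group(1) if kind else None,
        "access": access.group(1) if access else None,
        "site": site,
        "func": func,
    }


def bucket_reports(reports: dict) -> dict:
    """Group sample names by (site, kind, access); one bucket per real bug site."""
    buckets = defaultdict(list)
    for name, text in reports.items():
        info = parse_report(text)
        buckets[(info["site"], info["kind"], info["access"])].append(name)
    return dict(buckets)


def run_samples(cmd: list, paths: list, timeout: int = 10) -> dict:
    """Run an ASAN build of `cmd` on every sample and collect stderr.

    Not exercised offline; e.g. run_samples(["./catdoc"], glob("crashes/id:*")).
    """
    out = {}
    for p in paths:
        try:
            r = subprocess.run(cmd + [p], capture_output=True, text=True,
                               timeout=timeout)
            out[p] = r.stderr
        except subprocess.TimeoutExpired:
            out[p] = "TIMEOUT"  # hangs get their own bucket (site None)
    return out


# Constructed ASAN output for three hypothetical AFL crash samples. Function
# names, addresses and IDs are made up; only the file:line sites echo the mail.
SAMPLE_REPORTS = {
    "id:000000": (
        "==1==ERROR: AddressSanitizer: heap-buffer-overflow on address "
        "0x602000000014 at pc 0x4a2b3c bp 0x7ffd sp 0x7ffd\n"
        "READ of size 4 at 0x602000000014 thread T0\n"
        "    #0 0x4a2b3b in ole_open ole.c:108:12\n"
        "    #1 0x401234 in main catdoc.c:50:9\n"
    ),
    "id:000001": (
        "==2==ERROR: AddressSanitizer: heap-buffer-overflow on address "
        "0x602000000016 at pc 0x4a2b3c bp 0x7ffd sp 0x7ffd\n"
        "READ of size 2 at 0x602000000016 thread T0\n"
        "    #0 0x4a2b3b in ole_open ole.c:108:12\n"
        "    #1 0x401234 in main catdoc.c:50:9\n"
    ),
    "id:000002": (
        "==3==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 "
        "(pc 0x4a0000 bp 0x7ffd sp 0x7ffd T0)\n"
        "==3==The signal is caused by a READ memory access.\n"
        "==3==Hint: address points to the zero page.\n"
        "    #0 0x4a1111 in __interceptor_strlen.part.0 asan_interceptors.cpp:370\n"
        "    #1 0x4a0000 in map_char substmap.c:151:8\n"
    ),
}

if __name__ == "__main__":
    for key, names in bucket_reports(SAMPLE_REPORTS).items():
        print(key, len(names), "samples:", ", ".join(names))
```

Bucketing on the first application frame rather than AFL's path-based uniqueness is
what turns dozens of "unique" crashes into a short list of sites to read; keeping the
READ/WRITE flag in the key also separates the read violations the mail discounts from
any write primitive that would deserve a closer look.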