CESA-2005-004 - rev 2

Abiword RTF import stack-based buffer overflow
==============================================

Programs affected: Abiword, possibly unpatched MacOSX, others?
Severity: Arbitrary code execution.
Discovered date: Forgotten
Vendor notified date: Sep 22nd 2005
Vendor fixed date: Sep 25th 2005
Fixed: Abiword 2.2.10
CAN identifier(s): CAN-2005-2964

Demo RTF: http://scary.beasts.org/misc/out153.rtf
(Simple RTF fuzz test suite at http://scary.beasts.org/misc/badrtfs.tar.bz2)

Tested build:

rpm -q abiword
abiword-2.2.9-2.fc4

Resultant stack trace includes 0x41414141 (AAAA) on the stack:

(gdb) bt
#0  0x00fea976 in fread () from /lib/libc.so.6
#1  0x081d1d3d in IE_Imp_RTF::ReadCharFromFileWithCRLF ()
#2  0x081d1da4 in IE_Imp_RTF::ReadCharFromFile ()
#3  0x081dd106 in IE_Imp_RTF::ReadOneFontFromTable ()
#4  0x41414141 in ?? ()

Frame #4 is what gdb recovers from the saved return address of ReadOneFontFromTable, so the 'A' bytes from the demo file have overwritten that frame's return address: the overflowed stack buffer lives in ReadOneFontFromTable, and control of EIP follows as soon as the function returns. Note that the trace was taken while the importer was still reading (the crash is pending, not yet triggered), which is why the top frames are in the character reader.

Chris Evans
scarybeasts@gmail.com
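The following is an added example and not AbiWord's code. The advisory does not spell out the defect beyond the stack trace, so this assumes the shape it implies: the RTF font-table reader copies a font name into a fixed-size stack buffer with no bound, and a font name of a few hundred 'A's overwrites the saved return address. The minimal font-table parser, the FONT_NAME_MAX size, and the constructed RTF fragments are all assumptions for illustration. It shows the unsafe pattern beside a bounded reader that truncates the name but keeps the parser in sync with the rest of the file.

```c
/* Added example (not AbiWord's code): an RTF font-table name reader in the
 * unsafe shape the advisory's stack trace implies, beside a bounded one. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FONT_NAME_MAX 64   /* assumed size of the fixed stack buffer */

/* Assumed-vulnerable pattern: copies the name up to ';' into a fixed stack
 * buffer with no bound. A name longer than FONT_NAME_MAX overwrites what
 * follows the buffer on the stack, including the saved return address,
 * which is how a frame of 0x41414141 ends up in a backtrace.
 * Shown for the pattern only; never feed it untrusted input. */
int read_font_name_unsafe(const char *src)
{
    char name[FONT_NAME_MAX];
    size_t i = 0;
    while (*src && *src != ';')
        name[i++] = *src++;        /* BUG: no check against FONT_NAME_MAX */
    name[i] = '\0';
    return (int)i;
}

/* Bounded version: the caller owns the destination and its size. The name is
 * truncated at dstlen-1 but the whole field is still consumed so that the
 * surrounding parser does not desynchronise. Returns bytes consumed. */
size_t read_font_name(const char *src, char *dst, size_t dstlen)
{
    size_t consumed = 0, stored = 0;
    if (dstlen == 0)
        return 0;
    while (src[consumed] && src[consumed] != ';') {
        if (stored < dstlen - 1)
            dst[stored++] = src[consumed];
        consumed++;
    }
    dst[stored] = '\0';
    return consumed;
}

/* Minimal \fonttbl walker: each entry looks like {\f0\fswiss\fcharset0 Name;}.
 * Control words are skipped, the name runs up to ';'. Returns fonts found. */
int parse_fonttbl(const char *rtf, char names[][FONT_NAME_MAX], int max_fonts)
{
    const char *p = strstr(rtf, "\\fonttbl");
    int n = 0;
    if (!p)
        return 0;
    p += strlen("\\fonttbl");
    while (n < max_fonts) {
        while (*p == ' ' || *p == '\r' || *p == '\n')
            p++;
        if (*p != '{')                 /* '}' closes the table */
            break;
        p++;
        while (*p == '\\') {           /* skip \f0 \fswiss \fcharset0 ... */
            p++;
            while (isalpha((unsigned char)*p)) p++;
            if (*p == '-') p++;
            while (isdigit((unsigned char)*p)) p++;
            if (*p == ' ') p++;
        }
        p += read_font_name(p, names[n], FONT_NAME_MAX);
        n++;
        if (*p == ';')
            p++;
        while (*p && *p != '}')        /* tolerate junk before the close */
            p++;
        if (*p == '}')
            p++;
    }
    return n;
}

/* Constructs an RTF font table whose only font name is `len` 'A's, the shape
 * of a fuzzed file, and parses it with the bounded reader. Returns the
 * stored name length, which can never exceed FONT_NAME_MAX - 1. */
size_t parse_overlong_name(size_t len)
{
    char rtf[1024];
    char names[1][FONT_NAME_MAX];
    const char *head = "{\\rtf1{\\fonttbl{\\f0\\fnil ";
    size_t h = strlen(head);
    if (len > sizeof(rtf) - h - 8)
        len = sizeof(rtf) - h - 8;
    memcpy(rtf, head, h);
    memset(rtf + h, 'A', len);
    memcpy(rtf + h + len, ";}}}", 5);   /* includes the terminating NUL */
    if (parse_fonttbl(rtf, names, 1) != 1)
        return 0;
    return strlen(names[0]);
}

int main(void)
{
    /* Constructed, well-formed input: both readers cope with it. */
    const char *rtf = "{\\rtf1{\\fonttbl{\\f0\\fswiss\\fcharset0 Helvetica;}"
                      "{\\f1\\froman Times New Roman;}}}";
    char names[4][FONT_NAME_MAX];
    int n = parse_fonttbl(rtf, names, 4), i;
    for (i = 0; i < n; i++)
        printf("font %d: %s\n", i, names[i]);
    printf("unsafe reader, short name: %d bytes\n", read_font_name_unsafe("Helvetica"));
    printf("bounded reader, 300-byte name stored as %zu bytes\n", parse_overlong_name(300));
    return 0;
}
```

The point of `read_font_name` returning bytes consumed rather than bytes stored is that a truncating fix which stops reading at the buffer limit leaves the parser positioned inside the over-long name, and the remaining 'A's then get parsed as document text or control words; consuming the whole field keeps the importer on the right token.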