CESA-2005-005 - rev 2
KWord RTF import heap corruption
================================

Programs affected: KWord
Severity: Possible arbitrary code execution.
Discovered date: Forgotten
Vendor notified date: Sep 22nd 2005
Vendor fixed date: Oct 12th 2005
Fixed: KWord-1.4.2
CAN identifier(s): CAN-2005-2971

A malicious RTF can cause heap corruption in KWord.

Demo RTF: http://scary.beasts.org/misc/out27.rtf
(Simple RTF fuzz test suite at http://scary.beasts.org/misc/badrtfs.tar.bz2)

rpm -q koffice-kword
koffice-kword-1.4.1-4.fc4

Resultant stack trace:

(gdb) bt
#0 0x06d0706c in _int_malloc () from /lib/libc.so.6
#1 0x06d08492 in malloc () from /lib/libc.so.6
#2 0x06aaef56 in operator new () from /usr/lib/libstdc++.so.6
#3 0x06aaf06d in operator new[] () from /usr/lib/libstdc++.so.6
#4 0x012d18b9 in QString::setLength () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#5 0x012d1a28 in QString::grow () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#6 0x012d8143 in QString::operator+= () from /usr/lib/qt-3.3/lib/libqt-mt.so.3
#7 0x007466f9 in RTFImport::convert () from /usr/lib/kde3/librtfimport.so

Chris Evans
scarybeasts@gmail.com