CESA-2005-006 - rev 1

Additional Abiword RTF import stack-based buffer overflows
==========================================================

Programs affected: Abiword
Severity: Arbitrary code execution.
Discovered date:
Vendor notified date: Oct 2nd 2005
Vendor fixed date: Oct 13th 2005
Fixed: Abiword 2.2.11, 2.4.1
CAN identifier(s): CAN-2005-2972

Demo RTFs:
http://scary.beasts.org/misc/abi1.rtf
http://scary.beasts.org/misc/abi2.rtf

From a brief code review of 2.2.10 (all in ie_imp_RTF.cpp):

1) ParseLevelText, line 411 - apparent overflow of stack-based buffer iLevelText.
2) getCharsInsideBrace, line 6967 - apparent overflow of static buffer keyword.
3) HandleLists, line 8221 - overflow.
4) HandleLists, lines 8224, 8228 - apparent overflows.
5) HandleAbiLists, line 8979 - overflow.
6) HandleAbiLists - various lines. Additional similarly coded overflows to item 5).
7) HandleAbiLists, line 8984 - apparent overflow.
8) HandleAbiLists - various lines. Additional similarly coded overflows to item 7).

CESA-2005-006 - rev 1
Chris Evans
scarybeasts@gmail.com
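The bug class behind items 1) and 2) above is an RTF control word being copied character by character into a fixed-size buffer with no check against the buffer's length, so a document carrying an overlong keyword writes past the end. The following is an added illustration of that pattern and its bounded replacement; it is constructed for this page and is not AbiWord's code. The function names, the 32-byte KEYWORD_MAX and the two sample RTF fragments are all assumptions made for the example, and the unbounded version is only ever run on the short sample (running it on the overlong one would be the overflow).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical buffer size; the real importer's sizes are not given here. */
#define KEYWORD_MAX 32

/* Constructed sample inputs (not from the advisory's demo RTFs). */
static const char SAMPLE_NORMAL[] = "\\pard\\plain Hello";
static const char SAMPLE_OVERLONG[] =
    "\\"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
    " rest of document";

/* Vulnerable pattern: copy the control word that follows '\' into a
 * fixed buffer, stopping only at the first non-alphabetic byte. Nothing
 * bounds i, so a control word longer than the destination overruns it.
 * Whether the destination is a stack array or a static array only
 * changes what gets corrupted, not that it gets corrupted. */
static void get_keyword_unbounded(const char *p, char *keyword)
{
    int i = 0;
    if (*p == '\\')
        p++;
    while (isalpha((unsigned char)*p))
        keyword[i++] = *p++;
    keyword[i] = '\0';
}

/* Hardened form: the same loop, but bounded by the destination size.
 * Returns the number of bytes stored, or -1 when the control word does
 * not fit; on -1 the buffer is reset to an empty string and the caller
 * should reject the document or skip the keyword rather than continue. */
static int get_keyword_bounded(const char *p, char *keyword, size_t size)
{
    size_t i = 0;
    if (size == 0)
        return -1;
    if (*p == '\\')
        p++;
    while (isalpha((unsigned char)*p)) {
        if (i + 1 >= size) {        /* leave room for the terminator */
            keyword[0] = '\0';
            return -1;
        }
        keyword[i++] = *p++;
    }
    keyword[i] = '\0';
    return (int)i;
}

int main(void)
{
    char keyword[KEYWORD_MAX];
    int n;

    get_keyword_unbounded(SAMPLE_NORMAL, keyword);
    printf("unbounded, normal input : \"%s\"\n", keyword);

    n = get_keyword_bounded(SAMPLE_NORMAL, keyword, sizeof keyword);
    printf("bounded, normal input   : %d bytes, \"%s\"\n", n, keyword);

    n = get_keyword_bounded(SAMPLE_OVERLONG, keyword, sizeof keyword);
    printf("bounded, overlong input : %d (rejected)\n", n);
    return 0;
}
```

The bounded version checks `i + 1 >= size` before each store, which is the check that turns the advisory's "apparent overflow" into a parse error; an importer that reaches that branch should treat the file as malformed, since a 50-letter control word has no legitimate meaning in RTF.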