Package: unrtf / 0.21.5-3+deb8u1

Metadata

Package: unrtf
Version: 0.21.5-3+deb8u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 check that accesses to color table stay within bound.patch

src/convert.c | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 check that accesses to color table stay within bounds,
 esp that the color number is positive. This fixes {\cb-999} crashing
 unrtf

This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15

0002 Need to process word chars as unsigned. Else char wi.patch

src/hash.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 need to process word chars as unsigned. else char with hi bit set
 can crash program

Partially fixes CVE-2014-9275, according to
https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html

0003 Fix a number of possible crashes caused by a bad for.patch

src/convert.c | 28 17 + 11 - 0 !
1 file changed, 17 insertions(+), 11 deletions(-)

 fix a number of possible crashes caused by a bad format causing
 word_string() to return NULL

Second fix for CVE-2014-9275, according to
https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html

0004 attrstack_drop Properly drop the last stack element.patch

src/attr.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 attrstack_drop(): properly drop the last stack element

Previously stack_of_stacks_top would point to free'd memory,
resulting in:

==38960== Invalid read of size 4
==38960==    at 0x402853: attr_get_param (attr.c:355)
==38960==    by 0x40818A: word_print_core (convert.c:3412)
==38960==    by 0x406DBC: word_print (convert.c:3451)
==38960==    by 0x40CA27: main (main.c:267)
==38960==  Address 0x1e065e0 is 90,000 bytes inside a block of size 90,016 free'd
==38960==    at 0x1068498: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==38960==    by 0x40CBD3: my_free (malloc.c:91)
==38960==    by 0x402E8C: attrstack_drop (attr.c:582)
==38960==    by 0x40812F: word_print_core (convert.c:3403)
==38960==    by 0x406DBC: word_print (convert.c:3451)
==38960==    by 0x40CA27: main (main.c:267)
==38960==

0005 attr_get_param Silence a warning message again.patch

src/attr.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 attr_get_param(): silence a warning message again

attr_get_param(ATTR_ENCODING) is always called once without a stack
being available, but previously the use-after-free prevented the
warning.

0006 Limit depth of group embedding.patch

src/convert.c | 10 7 + 3 - 0 !
src/main.c | 2 1 + 1 - 0 !
src/word.c | 9 7 + 2 - 0 !
src/word.h | 6 5 + 1 - 0 !
4 files changed, 20 insertions(+), 7 deletions(-)

 limit depth of group embedding
 Limit depth of group embedding to guard against malicious files with
 thousands of consecutive {

0007 Improved image file handling.patch

src/convert.c | 49 47 + 2 - 0 !
1 file changed, 47 insertions(+), 2 deletions(-)

 improved image file handling
 Improved code for creation of image files when RTF files containing
 images are processed

0008 Better processing of pict including addition of EMF type.patch

src/convert.c | 71 58 + 13 - 0 !
1 file changed, 58 insertions(+), 13 deletions(-)

 better processing of \pict including addition of emf type
 Fixes "unrtf 0.21 outputs hex.junk to stdout".

0009 Replace all instances of sprintf with snprintf and a.patch

src/attr.c | 4 2 + 2 - 0 !
src/convert.c | 28 14 + 14 - 0 !
src/output.c | 4 2 + 2 - 0 !
3 files changed, 18 insertions(+), 18 deletions(-)

 replace all instances of sprintf with snprintf and adjust size of
 integer field in some cases

This fixes CVE-2016-10091

Bug-Debian: https://bugs.debian.org/849705