Package: unrtf / 0.21.5-3+deb8u1
Metadata
Package | Version | Patches format |
---|---|---|
unrtf | 0.21.5-3+deb8u1 | 3.0 (quilt) |
Patch series
view the series filePatch | File delta | Description |
---|---|---|
0001 check that accesses to color table stay within bound.patch | (download) |
src/convert.c |
9 6 + 3 - 0 ! |
check that accesses to color table stay within bounds, esp that the color number is positive. This fixes {\cb-999} crashing unrtf This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15 |
0002 Need to process word chars as unsigned. Else char wi.patch | (download) |
src/hash.c |
4 2 + 2 - 0 ! |
need to process word chars as unsigned. else char with hi bit set can crash program Partially fixes CVE-2014-9275, according to https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html |
0003 Fix a number of possible crashes caused by a bad for.patch | (download) |
src/convert.c |
28 17 + 11 - 0 ! |
fix a number of possible crashes caused by a bad format causing word_string() to return NULL Second fix for CVE-2014-9275, according to https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html |
0004 attrstack_drop Properly drop the last stack element.patch | (download) |
src/attr.c |
2 1 + 1 - 0 ! |
attrstack_drop(): properly drop the last stack element Previously stack_of_stacks_top would point to free'd memory, resulting in: ==38960== Invalid read of size 4 ==38960== at 0x402853: attr_get_param (attr.c:355) ==38960== by 0x40818A: word_print_core (convert.c:3412) ==38960== by 0x406DBC: word_print (convert.c:3451) ==38960== by 0x40CA27: main (main.c:267) ==38960== Address 0x1e065e0 is 90,000 bytes inside a block of size 90,016 free'd ==38960== at 0x1068498: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==38960== by 0x40CBD3: my_free (malloc.c:91) ==38960== by 0x402E8C: attrstack_drop (attr.c:582) ==38960== by 0x40812F: word_print_core (convert.c:3403) ==38960== by 0x406DBC: word_print (convert.c:3451) ==38960== by 0x40CA27: main (main.c:267) ==38960== |
0005 attr_get_param Silence a warning message again.patch | (download) |
src/attr.c |
10 8 + 2 - 0 ! |
attr_get_param(): silence a warning message again attr_get_param(ATTR_ENCODING) is always called once without a stack being available, but previously the use-after-free prevented the warning. |
0006 Limit depth of group embedding.patch | (download) |
src/convert.c |
10 7 + 3 - 0 ! |
limit depth of group embedding Limit depth of group embedding to guard against malicious files with thousands of consecutive { |
0007 Improved image file handling.patch | (download) |
src/convert.c |
49 47 + 2 - 0 ! |
improved image file handling Improved code for creation of image files when RTF files containing images processed |
0008 Better processing of pict including addition of EMF type.patch | (download) |
src/convert.c |
71 58 + 13 - 0 ! |
better processing of \pict including addition of emf type Fixes "unrtf 0.21 outputs hex.junk to stdout". |
0009 Replace all instances of sprintf with snprintf and a.patch | (download) |
src/attr.c |
4 2 + 2 - 0 ! |
replace all instances of sprintf with snprintf and adjust size of integer field in some cases This fixes CVE-2016-10091 Bug-Debian: https://bugs.debian.org/849705 |