oss-sec mailing list archives
CVE Request (minor) -- LibreOffice (X >= v3.5.0): DoS (excessive CPU use) in the RTF tokenizer
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 19 Apr 2012 14:14:47 +0200
Hello Kurt, Steve, vendors, a denial of service flaw was found in the way the LibreOffice RTF Tokenizer used to resolve certain keywords being present in the Rich Text Format (RTF) document. A remote attacker could provide a specially-crafted RTF file, which once opened by a local, unsuspecting LibreOffice tools suite user would lead to excessive CPU usage by the tool used for opening that file. Upstream bug report: [1] https://bugs.freedesktop.org/show_bug.cgi?id=48640 Upstream patch (against 3.5 branch):[2] http://cgit.freedesktop.org/libreoffice/core/commit/?id=51c8c95b2864b49e7bcbd824eacedb5778a758c0&g=libreoffice-3-5
References:[3] http://didasec.wordpress.com/2012/04/16/libreoffice-3-5-2-2-soffice-exesoffice-bin-memory-corruption/
[4] http://shinnai.altervista.org/exploits/SH-016-20120416.html [5] http://seclists.org/fulldisclosure/2012/Apr/201 [6] https://bugzilla.redhat.com/show_bug.cgi?id=814223 From investigation of the reproducers provided at: [7] https://bugs.freedesktop.org/show_bug.cgi?id=48640#c0 ('Crash PoC') the particular error message: terminate called after throwing an instance of 'std::bad_alloc' what(): std::bad_alloc Program received signal SIGABRT, Aborted. 0X00111416 in __kernel_vsyscall () seems to be just standard C++ (STL) error message / exception, that the requested memory allocation failed. From my investigation the relevant process termination in this case is safe from security point of view (standard way how C++ handles memory allocation failures). Though Caolán , Miklos or LibreOffice upstream can clarify further if this should be considered to be a security flaw (due to internal implementation details I am not aware of and might lead to memory corruption announced at [7]). But as noted earlier, I don't think this is a security flaw, which should get a CVE identifier. [8] https://bugs.freedesktop.org/show_bug.cgi?id=48640#c1 ('DoS PoC') This one (on LibreOffice >= v.3.5.0 using the new RTF tokenizer implementation) truly leads to denial of service (excessive CPU consumption and hang) while trying to process that RTF file. So this case might be applicable for CVE-2012-* identifier assignment. Kurt, if LibreOffice upstream approves, could you allocate CVE id for the 'RTF Tokenizer resolve keyword DoS / CPU usage issue' [8] ? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request (minor) -- LibreOffice (X >= v3.5.0): DoS (excessive CPU use) in the RTF tokenizer Jan Lieskovsky (Apr 19)