漏洞信息详情

LibWPD库多个缓冲区溢出漏洞

• CNNVD编号：CNNVD-200703-391
• 危害等级： 中危
  
• CVE编号： CVE-2007-0002
• 漏洞类型： 缓冲区溢出
• 发布时间： 2007-03-16
• 威胁类型： 远程
• 更新时间： 2009-05-28
• 厂        商： libwpd
• 漏洞来源： Sean Larsson

漏洞简介

libwpd是一个用于读取和转换Word Perfect文档的函数库。 libwpd处理畸形文档中的字段值时存在漏洞，远程攻击者可能利用这些漏洞通过诱使用户打开恶意文档执行控制用户机器。 libwpd的WP6GeneralTextPacket：：_readContents函数从用户提供的文档中读取一系列的整数值并求和，然后使用得到的和从堆中分配内存块，最后将上述加法得到的运算数用作拷贝的字节数，将文件中的数据拷贝到缓冲区。求和操作可能导致整数溢出，在拷贝操作中溢出缓冲区。 WP3TablesGroup：：_readContents()和WP5DefinitionGroup_DefineTablesSubGroup：：WP5DefinitionGroup_DefineTablesSubGroup()函数中存在另外两个缓冲区溢出。这些函数从攻击者提供的文件中读取整数值并将其用作了循环计数器，在循环中文件中的任意数据会充满静态大小的缓冲区，这可能导致堆溢出。

漏洞公告

厂商补丁： Debian ------ Debian已经为此发布了一个安全公告(DSA-1268-1)以及相应补丁:

DSA-1268-1：New libwpd packages fix arbitrary code execution

链接： http://www.debian.org/security/2007/dsa-1268

补丁下载：

Source archives:

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd_0.8.1-1sarge1.dsc

Size/MD5 checksum: 771 3f766aab2c2c0ff76feb561e51e17350

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd_0.8.1-1sarge1.diff.gz

Size/MD5 checksum: 12523 9cd210c306a22900d77afbc3e62b3557

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd_0.8.1.orig.tar.gz

Size/MD5 checksum: 487187 75eabcc479c23461715ee58813c4b9b5

Architecture independent components:

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-doc_0.8.1-1sarge1_all.deb

Size/MD5 checksum: 523184 0c9bfe4ac1b79688d408b1685246138e

Alpha architecture:

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_alpha.deb

Size/MD5 checksum: 10200 8457ae23ea4638ecbf774198676e62b6

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_alpha.deb

Size/MD5 checksum: 25800 94c9d4fd23fdac66ddf368e74761690e

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_alpha.deb

Size/MD5 checksum: 148594 8af570673eddd1d436eb0befb40b5ef9

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-dev_0.8.1-1sarge1_alpha.deb

Size/MD5 checksum: 286542 b7aae6d0dc6f3f3618e2613d3136c456

AMD64 architecture:

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_amd64.deb

Size/MD5 checksum: 9998 076ff186f2150afd40318ac9b0764cfe

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_amd64.deb

Size/MD5 checksum: 24214 1c75a6141ca3e9b5c9247cad1994a814

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_amd64.deb

Size/MD5 checksum: 137528 c804cc0ebc56eae0b4af35aac2b8dce2

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-dev_0.8.1-1sarge1_amd64.deb

Size/MD5 checksum: 231074 785d0bbf7fc34e7a592843145d55520f

ARM architecture:

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_arm.deb

Size/MD5 checksum: 9872 502b16e468b369c865f68036651f25c8

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_arm.deb

Size/MD5 checksum: 21736 3c8862d95e911fa3e96527def67271a9

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_arm.deb

Size/MD5 checksum: 134440 cae03d0c40607eb2e09abe3a7aafdc9f

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-dev_0.8.1-1sarge1_arm.deb

Size/MD5 checksum: 233142 9c9bf1780e7337a6e3c68ed2fcecf052

HP Precision architecture:

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_hppa.deb

Size/MD5 checksum: 11058 cc181a60e7d528ca531b2967bebd29ff

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_hppa.deb

Size/MD5 checksum: 29762 236721a143d8514e1d961c1570664a0f

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_hppa.deb

Size/MD5 checksum: 174812 9531c09294d4450e77dc0052a5b6cb04

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-dev_0.8.1-1sarge1_hppa.deb

Size/MD5 checksum: 279294 ff3c8c3de9a022800ded706689ec8836

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_i386.deb

Size/MD5 checksum: 10026 00485b49a64aae9ed740c9e96950ac8d

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_i386.deb

Size/MD5 checksum: 22270 0aaf3a1bb22e2f36b0453427624f8969

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8_0.8.1-1sarge1_i386.deb

Size/MD5 checksum: 136908 7d292c35afaf60afed2e48bb4d9ee868

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd8-dev_0.8.1-1sarge1_i386.deb

Size/MD5 checksum: 207326 d17cc1d4c5d1037101406d779c356d98

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-stream8_0.8.1-1sarge1_ia64.deb

Size/MD5 checksum: 10740 0d4bf0491e1381445d32d6bd160d8027

http://security.debian.org/pool/updates/main/libw/libwpd/libwpd-tools_0.8.1-1sarge1_ia64.deb

Size/MD5 checksum: 27462 b843522c4ae730396105e1e9767892ff

http://security.debi

参考网址

来源: UBUNTU 名称: USN-437-1 链接:http://www.ubuntu.com/usn/usn-437-1 来源: SECTRACK 名称: 1017789 链接:http://www.securitytracker.com/id?1017789 来源: BID 名称: 23006 链接:http://www.securityfocus.com/bid/23006 来源: BUGTRAQ 名称: 20070316 rPSA-2007-0057-1 libwpd 链接:http://www.securityfocus.com/archive/1/archive/1/463033/100/0/threaded 来源: REDHAT 名称: RHSA-2007:0055 链接:http://www.redhat.com/support/errata/RHSA-2007-0055.HTML 来源: MANDRIVA 名称: MDKSA-2007:064 链接:http://www.mandriva.com/security/advisories?name=MDKSA-2007:064 来源: MANDRIVA 名称: MDKSA-2007:063 链接:http://www.mandriva.com/security/advisories?name=MDKSA-2007:063 来源: GENTOO 名称: GLSA-200704-12 链接:http://www.gentoo.org/security/en/glsa/glsa-200704-12.xml 来源: VUPEN 名称: ADV-2007-1339 链接:http://www.frsirt.com/english/advisories/2007/1339 来源: VUPEN 名称: ADV-2007-1032 链接:http://www.frsirt.com/english/advisories/2007/1032 来源: VUPEN 名称: ADV-2007-0976 链接:http://www.frsirt.com/english/advisories/2007/0976 来源: DEBIAN 名称: DSA-1270 链接:http://www.debian.org/security/2007/dsa-1270 来源: DEBIAN 名称: DSA-1268 链接:http://www.debian.org/security/2007/dsa-1268 来源: SUNALERT 名称: 102863 链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102863-1 来源: sourceforge.net 链接:http://sourceforge.net/project/shownotes.php?release_id=494122 来源: SLACKWARE 名称: SSA-2007-085-02 链接:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.399659 来源: GENTOO 名称: GLSA-200704-07 链接:http://security.gentoo.org/glsa/glsa-200704-07.xml 来源: SECUNIA 名称: 24906 链接:http://secunia.com/advisories/24906 来源: SECUNIA 名称: 24856 链接:http://secunia.com/advisories/24856 来源: SECUNIA 名称: 24794 链接:http://secunia.com/advisories/24794 来源: SECUNIA 名称: 24613 链接:http://secunia.com/advisories/24613 来源: SECUNIA 名称: 24593 链接:http://secunia.com/advisories/24593 来源: SECUNIA 名称: 24591 链接:http://secunia.com/advisories/24591 来源: SECUNIA 名称: 24588 链接:http://secunia.com/advisories/24588 来源: SECUNIA 名称: 24581 链接:http://secunia.com/advisories/24581 来源: SECUNIA 名称: 24580 链接:http://secunia.com/advisories/24580 来源: SECUNIA 名称: 24573 链接:http://secunia.com/advisories/24573 来源: SECUNIA 名称: 24572 链接:http://secunia.com/advisories/24572 来源: SECUNIA 名称: 24557 链接:http://secunia.com/advisories/24557 来源: SECUNIA 名称: 24507 链接:http://secunia.com/advisories/24507 来源: SECUNIA 名称: 24465 链接:http://secunia.com/advisories/24465 来源: SUSE 名称: SUSE-SA:2007:023 链接:http://lists.suse.com/archive/suse-security-announce/2007-Mar/0007.HTML 来源: IDEFENSE 名称: 20070316 Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities 链接:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=490 来源: MANDRIVA 名称: MDKSA-2007:064 链接:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2007:064 来源: MANDRIVA 名称: MDKSA-2007:063 链接:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2007:063 来源: FEDORA 名称: FEDORA-2007-350 链接:http://fedoranews.org/CMS/node/2805

受影响实体

• Libwpd Libwpd_library:0.8.8  
• Libwpd Libwpd_library:0.8.2  
• Libwpd Libwpd_library:0.8.6  
• Libwpd Libwpd_library:0.8.7  

补丁

暂无