Bug 1178784

Summary: VUL-0: CVE-2017-18926: raptor: Widely unfixed raptor issue affecting libreoffice
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Dirk Mueller <dmueller>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: dmueller, meissner, rfrohl, vcizek
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/271219/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2020-11-13 16:26:32 UTC
+++ This bug was initially created as a clone of Bug #1178593 +++

distros:
----
Hello,

This is not strictly a new vulnerability, but given it is probably
surprising that a 3 year vuln is unfixed I consider it reasonable to
give some warning ahead to distros.

3 years ago I reported a heap overflow vuln in raptor, an RDF parsing
library:
https://www.openwall.com/lists/oss-security/2017/06/07/1

raptor appears to be dead, last release is from 2014.

The most prominent user seems to be libreoffice. This is triggerable
from within an ODT file. Back then I reported this to libreoffice as
well and they patched it in their builds. However, on Linux systems
libreoffice packages usually use the system-provided libraptor, so if
that's not patched it is vulnerable.

I verified that this is unpatched in Debian+Ubuntu. It is patched in
Gentoo. I have not checked other distros. I recommend using the patch
linked in above post.

It may be interesting to discuss how this happened. From my side I feel
I did what I should do - I reported it to the project and later
disclosed it publicly on oss-security. Apparently it seems there is no
reliable process to make sure publicly reported vulns eventually get
patched in distros if there is no active upstream.
Maybe noteworthy is that this didn't get a CVE in 2017. It seems many
distros rely on CVEs to get a process of backporting fixes rolling.
Given the fluctuating reliability of CVE assignments not sure this is
wise. I have now requested a CVE and mitre was fast (CVE-2017-18926).


Here is a minimal reproducer embedded in an ODT file:

I get a
malloc(): invalid size (unsorted)
message, which I believe indicates this successfully triggers a heap
corruption.
Comment 1 Dirk Mueller 2020-11-13 18:58:33 UTC
What's the reason for this duplicate bug report? I already submitted it under bug 1178593..

*** This bug has been marked as a duplicate of bug 1178593 ***
Comment 2 Marcus Meissner 2020-11-14 07:37:24 UTC
It was not obvious that you submitted raptor in that bug report already.