Bug 910806 (CVE-2014-8147) - VUL-1: CVE-2014-8147: libreoffice: integer overflow
Summary: VUL-1: CVE-2014-8147: libreoffice: integer overflow
Status: RESOLVED FIXED
Alias: CVE-2014-8147
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2015-04-08
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:61296:moderate CVSSv2:R...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-19 11:16 UTC by Alexander Bergmann
Modified: 2016-07-01 14:12 UTC
CC: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Alexander Bergmann 2014-12-19 11:16:26 UTC
(Steven and Caolan apologies for sending two emails, I forgot the anti
spam tag in the subject for the distros mailing list)

Hi,

I have two files that cause suspicious crashes in ICU. These are
LibreOffice Calc (*.xls) files. I'm attaching them in zipped format.

These two proof of concept files seem to trigger similar crashes in
ICU via Libreoffice. One is an integer overflow and the other a heap
overflow.
Tested versions:
Libreoffice 4.3.3.2 with ICU 53 on Windows (let's call it target 1)
Libreoffice 4.4.0-beta2 with ICU 52 on Debian testing (target 2)
Libreoffice 4.3.4 with ICU 54 on Arch (target 3)

I wasn't able to trigger any crashes with these on target 3, so it's
likely that the heap overflow is fixed. However the integer overflow
is still there as it can be seen in the code.

>> Notes on fuzzed-18-95-602621340.xls:
fuzzed-18-95-602621340.xls doesn't seem to crash target 1, but it
crashes target 2.
Calc crashes with a SIGSEGV on free caused by an invalid pointer. The
backtrace can be seen in [1] but this only shows when the actual
blowup happens.
The integer overflow can be traced to a call in resolveImplicitLevels
in the ICU library (itself called from ubidi_setPara which is called
in core/editeng/source/editeng/impedit2.cxx:1895). With the proof of
concept file, the overflow happens on the 18th call to ubidi_setPara.

Integer overflow in resolveImplicitLevels (ubidi.c:2248):

        pBiDi->isolates[pBiDi->isolateCount].state=levState.state;

pBiDi->isolates[].state is an int16, while levState.state is an int32.
The overflow causes an error when performing a malloc on
pBiDi->insertPoints->points because insertPoints is adjacent in memory
to isolates[].

The Isolate struct is defined in ubidiimp.h:184
typedef struct Isolate {
    int32_t startON;
    int32_t start1;
    int16_t stateImp;
    int16_t state;
} Isolate;

LevState is defined in ubidi.c:1748
typedef struct {
    const ImpTab * pImpTab;             /* level table pointer          */
    const ImpAct * pImpAct;             /* action map array             */
    int32_t startON;                    /* start of ON sequence         */
    int32_t startL2EN;                  /* start of level 2 sequence    */
    int32_t lastStrongRTL;              /* index of last found R or AL  */
    int32_t state;                      /* current state                */
    int32_t runStart;                   /* start position of the run    */
    UBiDiLevel runLevel;                /* run level before implicit solving */
} LevState;

My view on this is that it is hard to exploit (as all integer
overflows are), but might be possible to do so - I won't put my
hands in the fire and say no. No guarantees on this one.
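The narrowing assignment described in the report, as an added illustration that is not part of the bug report, ICU or LibreOffice. The two structs are constructed mirrors of the `Isolate` and `LevState` definitions quoted above, trimmed to the fields involved in the `state` assignment; the sample values are made up, and the program shows only what the int32 -> int16 narrowing does to a value and what a range check before the store would do. It does not reproduce the crash, the reproducer file, or the memory-adjacency effect the reporter describes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed mirrors of the two structs quoted in the report (ubidiimp.h:184 and
   ubidi.c:1748), trimmed to the fields that matter for the assignment. Not ICU code. */
typedef struct Isolate {
    int32_t startON;
    int32_t start1;
    int16_t stateImp;
    int16_t state;      /* narrow destination: 16 bits */
} Isolate;

typedef struct {
    int32_t startON;
    int32_t state;      /* wide source: 32 bits */
} LevState;

/* The pattern from ubidi.c:2248: an implicit int32 -> int16 narrowing.
   Returns the value that actually lands in the int16 field so the effect is observable.
   For out-of-range values the result is implementation-defined in C; GCC and Clang
   wrap modulo 2^16, so 40000 is stored as -25536. */
int32_t store_state_unchecked(int32_t state)
{
    LevState levState = { .startON = 0, .state = state };
    Isolate iso = {0};
    iso.state = levState.state;   /* silently truncates when the value exceeds int16 range */
    return iso.state;
}

/* Range check a practitioner would add before the narrowing assignment. */
bool narrowing_is_safe(int32_t state)
{
    return state >= INT16_MIN && state <= INT16_MAX;
}

/* Hardened form: refuse to store a value that does not fit instead of corrupting it.
   Returns false and leaves the struct untouched when the value is out of range. */
bool store_state_checked(Isolate *iso, int32_t state)
{
    if (!narrowing_is_safe(state))
        return false;
    iso->state = (int16_t)state;  /* explicit cast documents intent; value is in range */
    return true;
}

int main(void)
{
    /* Constructed sample values: some fit in int16, some do not. */
    int32_t samples[] = { 5, INT16_MAX, INT16_MAX + 1, 40000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        Isolate iso = {0};
        bool ok = store_state_checked(&iso, samples[i]);
        printf("state=%6d  unchecked stores %6d  checked: %s\n",
               samples[i], store_state_unchecked(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Widening the destination field to int32 (so source and destination have the same width) removes the narrowing altogether; the checked store above is the alternative when the field width cannot change.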
Comment 1 Alexander Bergmann 2014-12-19 11:18:29 UTC
Created attachment 617994 [details]
XLS reproducer files.
Comment 2 Alexander Bergmann 2014-12-19 11:18:52 UTC
CVE-2014-8147 was assigned to this issue.
Comment 3 Swamp Workflow Management 2014-12-19 23:00:44 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2015-03-25 09:51:51 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61296
Comment 5 Johannes Segitz 2015-06-25 11:20:31 UTC
is public
Comment 6 Bernhard Wiedemann 2015-09-21 11:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (910806) was mentioned in
https://build.opensuse.org/request/show/332554 Factory / libreoffice
Comment 7 Bernhard Wiedemann 2015-10-16 09:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (910806) was mentioned in
https://build.opensuse.org/request/show/339209 Factory / libreoffice
Comment 8 Swamp Workflow Management 2015-11-05 08:15:03 UTC
SUSE-SU-2015:1915-1: An update that solves 7 vulnerabilities and has 16 fixes is now available.

Category: security (moderate)
Bug References: 470073,806250,829430,890735,900186,900877,907966,910805,910806,913042,914911,915996,916181,918852,919409,926375,929793,934423,936188,936190,940838,943075,945692
CVE References: CVE-2014-8146,CVE-2014-8147,CVE-2015-1774,CVE-2015-4551,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    apache-commons-logging-1.1.3-7.1, cmis-client-0.5.0-5.1, flute-1.3.0-4.2, hyphen-2.8.8-9.1, libabw-0.1.1-5.3, libbase-1.1.3-4.3, libcdr-0.1.1-5.3, libe-book-0.1.2-4.2, libetonyek-0.1.3-3.5, libfonts-1.1.3-4.9, libformula-1.1.3-4.3, libfreehand-0.1.1-4.9, libgltf-0.0.1-2.1, libixion-0.9.1-3.1, liblangtag-0.5.7-3.1, liblayout-0.2.10-4.8, libloader-1.1.3-3.2, libmspub-0.1.2-5.1, libmwaw-0.3.6-3.3, libodfgen-0.1.4-3.9, liborcus-0.7.1-3.1, libpagemaker-0.0.2-2.3, libreoffice-5.0.2.2-13.14, libreoffice-share-linker-1-2.1, libreoffice-voikko-4.1-6.3, librepository-1.1.3-4.3, librevenge-0.0.2-4.1, libserializer-1.1.2-4.3, libvisio-0.1.3-4.3, libvoikko-3.7.1-3.1, libwps-0.4.1-3.1, malaga-suomi-1.18-3.2, myspell-dictionaries-20150827-5.1, pentaho-libxml-1.1.3-4.3, pentaho-reporting-flow-engine-0.9.4-4.5, sac-1.3-4.1
SUSE Linux Enterprise Software Development Kit 12 (src):    cmis-client-0.5.0-5.1, graphite2-1.3.1-3.1, hyphen-2.8.8-9.1, libabw-0.1.1-5.3, libcdr-0.1.1-5.3, libe-book-0.1.2-4.2, libetonyek-0.1.3-3.5, libfreehand-0.1.1-4.9, libixion-0.9.1-3.1, liblangtag-0.5.7-3.1, libmspub-0.1.2-5.1, libmwaw-0.3.6-3.3, libodfgen-0.1.4-3.9, liborcus-0.7.1-3.1, librevenge-0.0.2-4.1, libvisio-0.1.3-4.3, libvoikko-3.7.1-3.1, libwps-0.4.1-3.1, malaga-suomi-1.18-3.2
SUSE Linux Enterprise Server 12 (src):    apache-commons-logging-1.1.3-7.1, graphite2-1.3.1-3.1
SUSE Linux Enterprise Desktop 12 (src):    apache-commons-logging-1.1.3-7.1, cmis-client-0.5.0-5.1, flute-1.3.0-4.2, graphite2-1.3.1-3.1, hyphen-2.8.8-9.1, libabw-0.1.1-5.3, libbase-1.1.3-4.3, libcdr-0.1.1-5.3, libe-book-0.1.2-4.2, libetonyek-0.1.3-3.5, libfonts-1.1.3-4.9, libformula-1.1.3-4.3, libfreehand-0.1.1-4.9, libgltf-0.0.1-2.1, libixion-0.9.1-3.1, liblangtag-0.5.7-3.1, liblayout-0.2.10-4.8, libloader-1.1.3-3.2, libmspub-0.1.2-5.1, libmwaw-0.3.6-3.3, libodfgen-0.1.4-3.9, liborcus-0.7.1-3.1, libpagemaker-0.0.2-2.3, libreoffice-5.0.2.2-13.14, libreoffice-share-linker-1-2.1, libreoffice-voikko-4.1-6.3, librepository-1.1.3-4.3, librevenge-0.0.2-4.1, libserializer-1.1.2-4.3, libvisio-0.1.3-4.3, libvoikko-3.7.1-3.1, libwps-0.4.1-3.1, malaga-suomi-1.18-3.2, myspell-dictionaries-20150827-5.1, pentaho-libxml-1.1.3-4.3, pentaho-reporting-flow-engine-0.9.4-4.5, sac-1.3-4.1
Comment 9 Bernhard Wiedemann 2015-11-05 10:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (910806) was mentioned in
https://build.opensuse.org/request/show/342524 Factory / libreoffice
Comment 10 Bernhard Wiedemann 2015-11-09 21:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (910806) was mentioned in
https://build.opensuse.org/request/show/343268 Factory / libreoffice
Comment 11 Bernhard Wiedemann 2015-11-10 13:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (910806) was mentioned in
https://build.opensuse.org/request/show/343412 Leap:42.1 / libreoffice
Comment 12 Bernhard Wiedemann 2015-11-11 14:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (910806) was mentioned in
https://build.opensuse.org/request/show/343845 Leap:42.1 / libreoffice.1176.openSUSE_Leap_42.1_Update
Comment 13 Swamp Workflow Management 2016-02-03 16:14:47 UTC
SUSE-SU-2016:0324-1: An update that solves 7 vulnerabilities and has 19 fixes is now available.

Category: security (moderate)
Bug References: 306333,547549,668145,679938,681560,688200,718113,806250,857026,889755,890735,907636,907966,910805,910806,914911,934423,936188,936190,939996,940838,943075,945047,945692,951579,954345
CVE References: CVE-2014-8146,CVE-2014-8147,CVE-2014-9093,CVE-2015-4551,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    google-carlito-fonts-1.1.03.beta1-2.1, hyphen-2.8.8-2.1, libreoffice-5.0.4.2-23.1, libreoffice-share-linker-1-2.1, libreoffice-voikko-4.1-2.26, libvoikko-3.7.1-5.2, myspell-dictionaries-20150827-23.1, mythes-1.2.4-2.1, python-importlib-1.0.2-0.8.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    google-carlito-fonts-1.1.03.beta1-2.1, hyphen-2.8.8-2.1, libreoffice-5.0.4.2-23.1, libreoffice-share-linker-1-2.1, libreoffice-voikko-4.1-2.26, libvoikko-3.7.1-5.2, myspell-dictionaries-20150827-23.1, mythes-1.2.4-2.1, python-importlib-1.0.2-0.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    hyphen-2.8.8-2.1, libreoffice-5.0.4.2-23.1, libvoikko-3.7.1-5.2, mythes-1.2.4-2.1
Comment 14 Marcus Meissner 2016-02-10 07:32:55 UTC
released
Comment 15 Swamp Workflow Management 2016-02-26 00:13:33 UTC
openSUSE-SU-2016:0588-1: An update that solves 9 vulnerabilities and has 15 fixes is now available.

Category: security (moderate)
Bug References: 679938,829430,889755,897903,900186,900214,900218,907636,910805,910806,915996,916181,926375,929793,934423,936188,936190,939996,940838,943075,945047,945692,951579,954345
CVE References: CVE-2014-3693,CVE-2014-8146,CVE-2014-8147,CVE-2014-9093,CVE-2015-4551,CVE-2015-45513,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Sources used:
openSUSE 13.2 (src):    cmis-client-0.5.0-4.3.2, libetonyek-0.1.3-2.3.2, libmwaw-0.3.6-2.7.2, libodfgen-0.1.4-2.3.2, libpagemaker-0.0.2-2.2, libreoffice-5.0.4.2-28.1, libreoffice-share-linker-1-2.2, libwps-0.4.1-2.4.2, mdds-0.12.1-2.4.2