Heap-based buffer overflow in the read function in filters/words/msword-odf/wv2/src/styles.cpp in the Microsoft import filter in KOffice 2.3.3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted ODF style in an ODF document. NOTE: this is the same vulnerability as CVE-2012-3456, but it was SPLIT by the CNA even though Calligra and KOffice share the same codebase.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 06 Aug 2012 13:07:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Charlie Miller <charlie.miller@...uvant.com>,
        "Jorge Manuel B. S. Vicetto" <jmbsvicetto@...il.com>
Subject: Re: CVE request for Calligra

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/05/2012 05:27 PM, Charlie Miller wrote:
> Hi Kurt.
> 
> Yes, sorry I didn't report directly to the correct people.  I only
> knew that the vulnerability existed for sure in the Nokia Documents
> app and also in the version of Koffice I happen to have on my
> system.  I didn't know what library it was in (I'd never even heard
> of Calligra), if it was already known about upstream, what other
> software depend on this library, etc.  As you're probably aware, it
> can be a very time consuming process to try to get that stuff
> sorted out, so I just report it to the vendor and let them deal
> with these issues.  In that spirit, I reported to Nokia early last
> month.  As for your questions, I have not asked for CVE's for any
> of these vulnerabilities.  Feel free to request them yourselves.  I
> believe the only vulnerability I know enough details about to say
> is a security issue is the one in the document about parsing word
> documents.  I hope that clears up any questions you might have.
> Thanks!
> 
> Charlie
> 
> On Aug 5, 2012, at 3:25 PM, Kurt Seifried wrote:
> 
> On 08/05/2012 09:06 AM, Jorge Manuel B. S. Vicetto wrote:
>>>> Hi.
>>>> 
>>>> On Sat, Aug 4, 2012 at 4:58 PM, Jeff Mitchell
>>>> <mitchell@....org> wrote:
>>>>> On 08/04/2012 11:56 AM, Agostino Sarubbo wrote:
>>>>>> On Saturday 04 August 2012 11:44:33 Jeff Mitchell wrote:
>>>>>>> What commit code do you want?
>>>>>> Please post the diff between the vulnerable code and the
>>>>>> fix so we are sure that is a security issue.
>>>>>> 
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> You can read all about the details of the vulnerability in
>>>>> the Black Hat 2012 presentation by Charlie Miller (c)
>>>>> 
>>>>> 
> -- details of the Calligra (and KOffice) exploit start at page 39.
>>>>> 
>>>>> Unfortunately, he did not notify us ahead of time of his
>>>>> intent to disclose, so it's already public.
> 
> I suspect he may not have known about it (this is the first time I
> can remember hearing of Calligra). Trying to keep track of all
> possible project forks is pretty much impossible in the modern Open
> Source world.
> 
> Charlie 1): have you requested CVE #'s for this issue for Koffice?
> 
> Charlie 2): it appears there are quite a few other security issues
> in the presentation, are they in open source components, if yes can
> you please send a CVE request(s) for the issue to oss-security@ so
> I can assign CVE's for them? Thanks.
> 
> Once Charlie replies (either way) I'll assign CVE's.
> 
>>>>> 
>>>>> Thanks, Jeff
>>>> 
>>>> 
>>>> As reported by Thorsten Zachmann to the kde-packagers ml,
>>>> here are the commit ids:
>>>> 
>>>> 
>>>> The commit IDs for master is 
>>>> 8652ab672eaaa145dfb3782f5011de58aa4cc046 c
>>>> 
>>>> The commit ID for calligra/2.5 is 
>>>> f04d585ca1d3ee27f125d0129a23ca7b7850902d 
>>>> https://projects.kde.org/projects/calligra/repository/diff?rev=f04d585ca1d3ee27f125d0129a23ca7b7850902d&rev\_to=b1bf5264e31cdab9e0b2fa74b7ae8393d6195af1
>>>>
>>>>
>>>> 
The commit ID for calligra/2.4 is
>>>> 7d72f7dd8d28d18c59a08a7d43bd4e0654043103 
>>>> https://projects.kde.org/projects/calligra/repository/diff?rev=7d72f7dd8d28d18c59a08a7d43bd4e0654043103&rev\_to=7a9fa21b1f812b74b3e1501480dd14d10aeb347b
>>>>
>>>>
>>>> 
Regards,
>>>> 
>>>> Jorge Manuel B. S. Vicetto
>>>> 

For this DOC rendering issue please use CVE-2012-3455 for KOffice and
please use 2012-3456 for Calligra.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQIBXaAAoJEBYNRVNeJnmTV/wQAI2BRqWGJwDMKoh2jUduowkU
xp+5Rf3dPJhI0o9FVaTkk7kWkmLnheecervdNwmthoL6l0D/yvl26gxcBaCr5CBq
JwQNsIeA4sNBJ4gDSCB7CQ1EpRJnCAar/M6wPAg9lUfwNqH+NKD4TJxvpELoOYiu
17Hgj36KnGn/hEmaq7ugIBpf0nY+PDjGwMI+SeCiLBMJU92y49MA6kjbZ5wZZcnA
91pedfhW1Ia1P/4HhTV/WfcepfyqYAld+QMPiq66JHPLxbXY4sZu3F8Ff9RfwBK7
an+auUf3ITng2CscSjjlRtabQdPismt1JS9eI/X6A+kjB3oE6tFOW5rM0DWitH+B
E7MvwJW9rV3VTleQlQgzQEJJrJWRdDpJrwmCAgYDD5OEdjmoXSJQD9/2oWJmcED0
pQC6jt3hOZAXsu2XO6Ib0QBKCSfgJ7gFT3u5YJbydAWLxN8B+P6H4fUupbVhcDCS
eN/WZRSdKzXICglriLM+CdG8r0tmQbC+76KwKtvtEYrQRJv/S8Hpc3RaRxWVcEpW
6JW0Hacol4xoZDPyl25VQlNqcaekXKUdFHYZJic0cv5OEeRnmYA6jcZEgDmvZWFo
HReRIsstQjWGsjli90U7EQQHt7ZwyaccXpOnIfPXw1I/31PBJViMBuL4Zuxuue4H
RQvuo6IFqkXGFCBNneK5
=S3Bf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2012-3455: security - Re: CVE request for Calligra

The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804.

**3com Inc. (Inactive) Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**ARRIS Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Statement Date:   January 20, 2011**

**Vendor Statement**

We have not received a statement from the vendor.

**CERT Addendum**

The following products have been reported to be affected: ARRIS C3™ Cable Modem Termination System Firmware Release <=4.4.4.13

**Actelis Networks Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Alcatel-Lucent Enterprise Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Allied Telesis Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Alvarion (Inactive) Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Aperto Networks Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Apple Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Avaya Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Broadcom Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Ceragon Networks Inc Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Cisco Affected**

**D-Link Systems Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Dell Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Dell EMC Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Digicom Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**DrayTek Corporation Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Enablence Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Enterasys Networks Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Ericsson Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Fluke Networks Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Foundry Brocade Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Gilat Network Systems Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Guangzhou Gaoke Communications Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Hewlett Packard Enterprise Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Huawei Affected**

Updated: 2020-08-31

**Statement Date:   June 18, 2010**

**Vendor Statement**

We have not received a statement from the vendor.

**IWATSU Voice Networks Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Keda Communications Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Knovative Inc Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Lenovo Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Lutron Electronics Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Maipu Communication Technology Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Mitel Networks Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Motorola Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Netgear Inc. Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Nokia Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Nortel Networks Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Polycom Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Statement Date:   December 07, 2010**

**Vendor Statement**

We have not received a statement from the vendor.

**CERT Addendum**

The release notes for SoundPoint IP/SoundStation IP SIP software states that version 3.1.2 has closed the debug port. "47450: Port 17185 is open, presenting a security risk" http://downloads.polycom.com/voice/voip/relnotes/spip\_ssip\_v3\_1\_6\_Legacy\_release\_notes.pdf

**Proxim Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Rad Vision Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Ricoh Company Ltd. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**SEIKO EPSON Corp. / Epson America Inc. Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**SFR Affected**

Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**CERT Addendum**

newsoft reports that the SFR (formerly Neuf Cegetel and Neuf Telecom) Trio3C has the debug service enabled.

**SMC Networks Inc. Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Schneider Electric Affected**

Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**CERT Addendum**

The Modicon M340 with firmware version 2.5 was reported to run VxWorks 6.4 and have the debug port enabled.

**ShoreTel Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Siemens Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

Security Advisory Report - OBSO-1010-01 Enabled VxWorks debug service Creation Date: 2010-10-15 Last Update: 2010-10-15 Summary A security researcher has identified a large number of products based on the VxWorks platform provided by Wind River Systems with a debug service enabled by default at port 17185/udp. Vulnerability Details The debug service provides full access to the memory of an affected device and allows for memory to be written as well as functions to be called. Of the various products based on VxWorks, the following are not affected by this vulnerability: HiPath Wireless Convergence, RG 8700, optiPoint 410/420 SIP and HFA (V5). Affected Products HiPath 3000 (HG 1500 Gateway) HiPath 4000 (HG 35xx Gateway) optiPoint 410/420 HFA, versions before V5 optiPoint 600 office Recommended Actions In general, it is recommended not to attach the mentioned systems directly at the internet. Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp). The problem is solved in the following versions; an update to these or higher versions is highly recommended: HiPath 3000 V8: V8 R5.2.0 HiPath 4000 V4: V4 R4.1.12 HiPath 4000 V5: V5 R1.2.4 Please note: HiPath 3000 V7: You need to upgrade the HG 1500 gateway only. Please use V8 R5.2.0 for this. You may keep the system itself in V7. HiPath 3000 V6 and earlier have reached end of SW support; please consider an upgrade to V7 or V8 HiPath 4000 V3 and earlier have reached end of SW support; please consider an upgrade to V4 or higher. Some older, unsupported versions of optiPoint 410/420 HFA IP phones are also vulnerable. Please ensure, that V5 is installed on all phones. optiPoint 600 office has reached end of life since a few years already; an update is unfortunately not available References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2965 http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html http://www.kb.cert.org/vuls/id/362332 Revision History 2010-10-15 Initial release Contact and Disclaimer OpenScale Baseline Security Office obso@siemens-enterprise.com © Siemens Enterprise Communications GmbH & Co KG 2010 Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG The information provided in this document is subject to change without notice. Siemens Enterpise Communications GmbH & Co KG (SEN) assumes no responsibility for any errors that may appear in this document, and it does not affect your current support agreements with SEN. Any trademarks referenced in this document are the property of their respective owners. ---End Vendor Statement-------------------------------------------------------------------

**CERT Addendum**

The vendor provided the above advisory information for their affected products.

**TRENDnet Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Tut Systems Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Wind River Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

Wind River has analyzed VU#362332, and determined that all versions of VxWorks could be vulnerable if the WDB agent is left enabled in production systems and the system is network attached. VxWorks has a very strong track record of offering secure products and Wind River is committed to active threat monitoring, rapid assessment, threat prioritization, expedited remediation, response and proactive customer contact. Customers are encouraged to follow the remediation actions outlined in the SOLUTION section of the vulnerability post. Registered users can access Wind River's online support for more information by following this link: https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033708 Or contact Wind River technical support for more information: http://windriver.com/support/

**CERT Addendum**

Within the VxWorks Kernel programmers guide it states: “For production systems, you will want to reconfigure VxWorks with only those components needed for deployed operation, and to build it as the appropriate type of system image. You will likely want to remove components required for host development support, such as the WDB target agent and debugging components (INCLUDE\_WDB and INCLUDE\_DEBUG), as well as to remove any other operating system components not required to support your application. Other considerations may include reducing the memory requirements of the system, speeding up boot time, and security issues.”

**Xerox Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**amx Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Canon Not Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**CVE-2010-2965**

Not Affected

**Vendor Statement**

We have not received a statement from the vendor.

**Brocade Communication Systems Unknown**

Notified:  2010-08-03 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Intel Unknown**

Notified:  2010-07-02 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

Tag

#nokia