Apache OpenOffice (AOO) Bugzilla – Issue 72615
WW8: oowriter crashes on document import of corrupted file
Last modified: 2013-08-07 14:38:26 UTC
oowriter crashes when trying to import this document: http://www.milw0rm.com/sploits/12122006-djtest.doc

The document is a proof of concept for an exploitable overflow in Microsoft Word. It seems to trigger a bug in OO.o as well (possibly also open for exploit?)

Here's the trace:

(I) x.org loaded video driver of...
(II) Loading /usr/lib/xorg/modules/drivers/v4l_drv.so
(II) Loading /usr/lib/xorg/modules/drivers/radeon_drv.so
(II) Loading /usr/lib/xorg/modules/drivers/ati_drv.so
(II) Reloading /usr/lib/xorg/modules/drivers/radeon_drv.so
(III) Desktop is: GNOME
(IV) libgcj version is: libgcj-4.1.1-44-i386
(V) kernel is: Linux 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686 i386
(VI) OpenOffice.org core rpm version is: openoffice.org-core-2.1.0-6.1-i386
(VII) depth of root window: 24 planes
(VIII) accessibility is: false
(VIV) fedora release is: Fedora Core release 6 (Rawhide)
...start free space details ...
...end free space details ...
...start sestatus details ...
SELinux status: disabled
...end sestatus details ...
...start stackreport details ...
0x620bef8: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x22ef8
0x620cb8b: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x23b8b
0xd4e420: + 0x420 (__kernel_sigreturn + 0x0)
0x39e962d: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75062d
0x39f10d0: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7580d0
0x39f11c3: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7581c3
0x39f63e1: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75d3e1
0x39a3b60: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70ab60
0x39a50a7: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70c0a7
0x39a5a86: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70ca86
0x39a5ba1: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x70cba1
0x38621bf: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x5c91bf
0x3a5df35: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7c4f35
0x7d6e3bc: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x1a23bc (SfxObjectShell::DoLoad(SfxMedium*) + 0x79c)
0x7dd6283: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x20a283 (SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) + 0x323)
0x7e0c84f: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x24084f
0x2240ca6: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x19fca6
0x22428ba: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x1a18ba
0x22430a5: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x1a20a5
0x20e86f3: /usr/lib/openoffice.org2.1/program/libfwk680li.so + 0x476f3
0x31e8e2f: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x3ee2f (desktop::DispatchWatcher::executeDispatchRequests(_STL::vector<desktop::DispatchWatcher::DispatchRequest, _STL::allocator<desktop::DispatchWatcher::DispatchRequest> > const&) + 0x194f)
0x31db671: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x31671 (desktop::OfficeIPCThread::ExecuteCmdLineRequests(desktop::ProcessDocumentsRequest&) + 0x151)
0x31d581a: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2b81a (desktop::Desktop::OpenClients() + 0x14ea)
0x31d6f30: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2cf30 (desktop::Desktop::OpenClients_Impl(void*) + 0x50)
0x31d6fe4: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x2cfe4 (desktop::Desktop::LinkStubOpenClients_Impl(void*, void*) + 0x24)
0x6c013e6: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x28a3e6
0x1d515c: /usr/lib/openoffice.org2.1/program/libvclplug_gen680li.so + 0x4f15c (SalDisplay::DispatchInternalEvent() + 0xbc)
0x144f71: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0xff71
0x144fb1: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0xffb1
0x859491: /lib/libglib-2.0.so.0 + 0x29491
0x85b1f2: /lib/libglib-2.0.so.0 + 0x2b1f2 (g_main_context_dispatch + 0x182)
0x85e1cf: /lib/libglib-2.0.so.0 + 0x2e1cf
0x85e735: /lib/libglib-2.0.so.0 + 0x2e735 (g_main_context_iteration + 0x65)
0x146e81: /usr/lib/openoffice.org2.1/program/libvclplug_gtk680li.so + 0x11e81
0x1dfdb7: /usr/lib/openoffice.org2.1/program/libvclplug_gen680li.so + 0x59db7 (X11SalInstance::Yield(bool, bool) + 0x37)
0x6a0e988: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x97988 (Application::Yield(bool) + 0x68)
0x6a0ea5c: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x97a5c (Application::Execute() + 0x3c)
0x31d0ab9: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x26ab9 (desktop::Desktop::Main() + 0x1779)
0x6a144dc: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x9d4dc
0x6a145e5: /usr/lib/openoffice.org2.1/program/libvcl680li.so + 0x9d5e5 (SVMain() + 0x35)
0x31c18f9: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x178f9 (sal_main + 0x59)
0x31c1984: /usr/lib/openoffice.org2.1/program/libsoffice.so + 0x17984 (main + 0x44)
0x575e5c: /lib/libc.so.6 + 0x15e5c (__libc_start_main + 0xdc)
0x80484c1: /usr/lib/openoffice.org2.1/program/swriter.bin + 0x4c1
...end stackreport details ...
...start sample ldd details ...
...end sample ldd details ...

I have not run gdb on this crash but someone else did (from a Slashdot posting, he used OO.o 2.0.4):

"...The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter (). EIP may not have been overwritten; the value points into what appears to be a valid function (i.e. not the stack or heap):
eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487"

I used the current Fedora core development distribution of OO.o for the backtrace, based on openoffice.org-2.1.0-6.1.src.rpm
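The stackreport above is the OpenOffice.org crash reporter's own format (one frame per entry: address, module, offset into the module, and an optional nearest symbol), and the tracker has flattened it onto a few long lines. The following is an added example, written for this page and not part of the bug report or of OpenOffice.org; it parses that format, strips the crash reporter's own frames, and summarises which component faulted and the nearest named caller. Its one assumption, stated in the comments, is the usual reading of a Linux signal backtrace: the frames above the __kernel_sigreturn trampoline ran inside the SIGSEGV handler, so the frame directly after it is where the fault was taken. The sample input is a constructed subset of the frames from the report.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One frame of the OpenOffice.org crash reporter's "stackreport" section:
#   0xADDR: /path/to/module + 0xOFFSET (symbol + 0xSYMOFF)
# The module path and the symbolised part are both optional (the
# __kernel_sigreturn trampoline frame in the report carries no module).
FRAME_RE = re.compile(
    r"^(?P<addr>0x[0-9a-f]+): (?:(?P<module>\S+) )?\+ (?P<offset>0x[0-9a-f]+)"
    r"(?: \((?P<symbol>.+) \+ (?P<symoff>0x[0-9a-f]+)\))?$"
)

# Constructed sample: a subset of the frames from the report, flattened onto
# one line the way the report appears in this tracker entry.
SAMPLE = (
    "0x620bef8: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x22ef8 "
    "0x620cb8b: /usr/lib/openoffice.org2.1/program/libuno_sal.so.3 + 0x23b8b "
    "0xd4e420: + 0x420 (__kernel_sigreturn + 0x0) "
    "0x39e962d: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x75062d "
    "0x39f10d0: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7580d0 "
    "0x38621bf: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x5c91bf "
    "0x3a5df35: /usr/lib/openoffice.org2.1/program/libsw680li.so + 0x7c4f35 "
    "0x7d6e3bc: /usr/lib/openoffice.org2.1/program/libsfx680li.so + 0x1a23bc "
    "(SfxObjectShell::DoLoad(SfxMedium*) + 0x79c)"
)


@dataclass
class Frame:
    addr: int
    module: Optional[str]   # None for the kernel signal trampoline
    offset: int             # offset into the module
    symbol: Optional[str]   # None when the frame is not symbolised


def parse_stackreport(text: str) -> List[Frame]:
    """Split a (possibly flattened) stackreport into frames, innermost first."""
    frames: List[Frame] = []
    # A new frame starts at whitespace followed by "0x<hex>: "; symbol
    # offsets look like "+ 0x79c)" and so never match the lookahead.
    for chunk in re.split(r"\s+(?=0x[0-9a-f]+: )", text.strip()):
        m = FRAME_RE.match(chunk)
        if m is None:
            raise ValueError(f"unrecognised frame: {chunk!r}")
        frames.append(Frame(int(m["addr"], 16), m["module"],
                            int(m["offset"], 16), m["symbol"]))
    return frames


def frames_below_signal_handler(frames: List[Frame]) -> List[Frame]:
    """Drop the crash reporter's own frames.

    Assumption: everything above __kernel_sigreturn ran inside the SIGSEGV
    handler (here the libuno_sal crash reporter), so the frame right after
    the trampoline is the one that took the fault.
    """
    for i, f in enumerate(frames):
        if f.symbol == "__kernel_sigreturn":
            return frames[i + 1:]
    return frames  # no trampoline in the report: keep everything


def triage(text: str) -> Dict[str, object]:
    """Summarise which component faulted and the nearest named caller."""
    frames = frames_below_signal_handler(parse_stackreport(text))
    if not frames:
        raise ValueError("no frames after the signal trampoline")
    fault = frames[0]
    unnamed = 0          # unsymbolised frames between the fault and a name
    nearest = None
    for f in frames:
        if f.symbol:
            nearest = f.symbol
            break
        unnamed += 1
    return {
        "module": os.path.basename(fault.module) if fault.module else None,
        "offset": fault.offset,
        "nearest_symbol": nearest,
        "frames_without_symbol": unnamed,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE)
    print(f"fault in {summary['module']} + {summary['offset']:#x}, "
          f"{summary['frames_without_symbol']} unsymbolised frame(s) below "
          f"{summary['nearest_symbol']}")
```

On the report above this places the fault inside libsw680li.so (the Writer core, which holds the WW8 import filter) four unsymbolised frames below SfxObjectShell::DoLoad, which agrees with the gdb observation that the crash is in SwIoSystem::IsFileFilter; the offsets are what you would feed to addr2line against the matching debuginfo package.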
Created attachment 41442: The file with the MS Word overflow exploit which crashes oowriter
The attached document looks damaged - even Word is not able to recognize it as its own format and refuses to open. But at least OO should not crash when trying to open it...
duplicate of issue 72615? it's the same document
Seems to be duplicate of http://www.openoffice.org/issues/show_bug.cgi?id=72614 *** This issue has been marked as a duplicate of 72614 ***
The Issue you raised has been marked as 'Resolved' and not updated within the last 1 year+. I am therefore setting this issue to 'Verified' as the first step towards Closing it. If you feel this is incorrect, please re-open the issue and add any comments. Many thanks, Andrew Cleaning-up and Closing old Issues ~ The Grand Bug Squash, pre v3 ~ http://marketing.openoffice.org/3.0/announcementbeta.html
As per previous posting: Verified -> Closed. A Closed Issue is a Happy Issue (TM). Regards, Andrew