reproducible kpresenter crash

Bug #71263 reported by Laurent Bonnaud
Affects           Status        Importance  Assigned to  Milestone
koffice           Invalid       High
koffice (Ubuntu)  Fix Released  Undecided   Kees Cook

Bug Description

Binary package hint: ark

Here is how to reproduce this bug:

1. Download this file:
  http://phototour.cs.washington.edu/PhotoTourismPresentation.zip
2. Open it in ark
3. Click on the PPT file in the archive

This could be a security vulnerability that might be exploited with a malicious ZIP archive.

Here is a backtrace:

Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1232533840 (LWP 10857)]
[KCrash handler]
#6 0xb7cdf37c in memcpy () from /lib/tls/i686/cmov/libc.so.6
#7 0xb5322c3a in KLaola::readBigBlockDepot ()
   from /usr/lib/kde3/libolefilter.so
#8 0xb53252a2 in KLaola::KLaola () from /usr/lib/kde3/libolefilter.so
#9 0xb531fa10 in OLEFilter::convert () from /usr/lib/kde3/libolefilter.so
#10 0xb5c390aa in KoFilterChain::ChainLink::invokeFilter ()
   from /usr/lib/libkofficecore.so.3
#11 0xb5c391ff in KoFilterChain::invokeChain ()
   from /usr/lib/libkofficecore.so.3
#12 0xb5c4034e in KoFilterManager::import () from /usr/lib/libkofficecore.so.3
#13 0xb5c41193 in KoDocument::openFile () from /usr/lib/libkofficecore.so.3
#14 0xb7ee28de in KParts::ReadOnlyPart::openURL (this=0x828bfd8,
    url=@0xbfa159e0) at /build/buildd/kdelibs-3.5.5/./kparts/part.cpp:344
#15 0xb5c1bd16 in KoDocument::openURL () from /usr/lib/libkofficecore.so.3
#16 0xb6673ea4 in ArkViewer::view (this=0x8221890, filename=@0x816eda8)
    at /build/buildd/kdeutils-3.5.5/./ark/arkviewer.cpp:93
#17 0xb66795ff in ArkWidget::viewSlotExtractDone (this=0x816ecd8,
    success=true) at /build/buildd/kdeutils-3.5.5/./ark/arkwidget.cpp:1688
#18 0xb668f7d7 in ArkWidget::qt_invoke (this=0x816ecd8, _id=72, _o=0xbfa15c88)
    at ./arkwidget.moc:531
#19 0xb721e957 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#20 0xb721ecb1 in QObject::activate_signal_bool () from /usr/lib/libqt-mt.so.3
#21 0xb665fd9e in Arch::sigExtract (this=0x81fb958, t0=true) at ./arch.moc:199
#22 0xb6669d34 in Arch::slotExtractExited (this=0x81fb958, _kp=0x8220e88)
    at /build/buildd/kdeutils-3.5.5/./ark/arch.cpp:198
#23 0xb666a422 in Arch::qt_invoke (this=0x81fb958, _id=3, _o=0xbfa15df4)
    at ./arch.moc:225
#24 0xb666a75b in ZipArch::qt_invoke (this=0x81fb958, _id=3, _o=0xbfa15df4)
    at ./zip.moc:77
#25 0xb721e957 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#26 0xb77db6fe in KProcess::processExited (this=0x8220e88, t0=0x8220e88)
    at ./kprocess.moc:137
#27 0xb77db92f in KProcess::processHasExited (this=0x8220e88, state=0)
    at /build/buildd/kdelibs-3.5.5/./kdecore/kprocess.cpp:831
#28 0xb77d648f in KProcessController::slotDoHousekeeping (this=0x815c478)
    at /build/buildd/kdelibs-3.5.5/./kdecore/kprocctrl.cpp:202
#29 0xb77d65b2 in KProcessController::qt_invoke (this=0x815c478, _id=2,
    _o=0xbfa15f78) at ./kprocctrl.moc:82
#30 0xb721e957 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#31 0xb721f26e in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#32 0xb75abcdb in QSocketNotifier::activated () from /usr/lib/libqt-mt.so.3
#33 0xb7241516 in QSocketNotifier::event () from /usr/lib/libqt-mt.so.3
#34 0xb71b5b88 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#35 0xb71b79b7 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#36 0xb78abdb2 in KApplication::notify (this=0x80d1b78, receiver=0x815c4c0,
    event=0xbfa162a8)
    at /build/buildd/kdelibs-3.5.5/./kdecore/kapplication.cpp:550
#37 0xb7148389 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
#38 0xb71a7f81 in QEventLoop::activateSocketNotifiers ()
   from /usr/lib/libqt-mt.so.3
#39 0xb715cea7 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#40 0xb71d025e in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#41 0xb71d006e in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#42 0xb71b7731 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#43 0xb67de49f in kdemain (argc=8, argv=0x80bba40)
    at /build/buildd/kdeutils-3.5.5/./ark/main.cpp:125
#44 0xb7f06524 in kdeinitmain (argc=8, argv=0x80bba40) at ark_dummy.cpp:3
#45 0x0804e4df in launch (argc=8, _name=0x80c6884 "ark", args=0x80c68d7 "",
    cwd=0x0, envc=1, envs=0x80c68e8 "", reset_env=false, tty=0x0,
    avoid_loops=false,
    startup_id_str=0x80c68ed "vougeot;1163186047;113499;10771_TIME3544877092")
    at /build/buildd/kdelibs-3.5.5/./kinit/kinit.cpp:673
#46 0x0804ed6a in handle_launcher_request (sock=10)
    at /build/buildd/kdelibs-3.5.5/./kinit/kinit.cpp:1240
#47 0x0804f118 in handle_requests (waitForPid=0)
    at /build/buildd/kdelibs-3.5.5/./kinit/kinit.cpp:1443
#48 0x080503ac in main (argc=5, argv=0xbfa16c14, envp=0xbfa16c2c)
    at /build/buildd/kdelibs-3.5.5/./kinit/kinit.cpp:1909
#49 0xb7c868cc in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#50 0x0804b971 in _start ()


In , Niemimika-di (niemimika-di) wrote :

Version: 1.2.1 (using KDE KDE 3.1.3)
Installed from: RedHat RPMs
Compiler: gcc 3.2.2
OS: Linux

When opening a 36MB .ppt document (probably created
at the University of Helsinki by a teacher with MS PowerPoint),
kpresenter crashes and produces this note:

The application KPresenter (kpresenter) crashed and caused the signal 11
(SIGSEGV).

Due to the large size of the .ppt file I can't upload it to the web,
but I can send it somehow (put it on my local website)
for a short period of time if asked <email address hidden>

Another, 182k .ppt document opens just fine.

The large document opens very slowly in OpenOffice (Linux) and finally
crashes it too, when OO has allocated approx. 250MB of RAM.
Using MS PowerPoint the document opens in just seconds (!),
and using the Windows version of OpenOffice it opens very slowly
but finally succeeds.

-- Backtrace --

(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 16384 (LWP 1675)]
(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
0x41070567 in waitpid () from /lib/i686/libpthread.so.0
#0 0x41070567 in waitpid () from /lib/i686/libpthread.so.0
#1 0x407886ed in KCrash::defaultCrashHandler(int) ()
   from /usr/lib/libkdecore.so.4
#2 0x4106f...


In , Boudewijn (boud) wrote :

Apologies for the long delay... I'm trying to collect all documents that make KOffice apps hang or crash to finally start some systematic testing. Could you please mail this document (if you've still got access to it after all these years) to <email address hidden>? My mailbox should be able to handle it.

Kees Cook (kees) wrote :

Hello! Thanks for the report.

I cannot reproduce this with ark in edgy. Which release of Ubuntu are you using?

Thanks!

Changed in kdeutils:
status: Unconfirmed → Needs Info
Laurent Bonnaud (laurent-bonnaud) wrote : Re: [Bug 71263] Re: reproducible ark crash

On Fri, 2006-11-10 at 20:21 +0000, Kees Cook wrote:

> I cannot reproduce this with ark in edgy. Which release of Ubuntu are
> you using?

Oops. Here it is:

Package: ark
Version: 4:3.5.5-0ubuntu2

-- System Information:
Debian Release: testing/unstable
  APT prefers edgy-updates
  APT policy: (500, 'edgy-updates'), (500, 'edgy-security'), (500, 'edgy-backports'), (500, 'edgy'), (500, 'dapper')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17-10-generic
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages ark depends on:
ii kdelibs4c2a 4:3.5.5-0ubuntu3 core libraries and binaries for al
ii libacl1 2.2.39-1ubuntu2 Access control list shared library
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libattr1 2.4.32-1ubuntu1 Extended attribute shared library
ii libaudio2 1.8-2 The Network Audio System (NAS). (s
ii libc6 2.4-1ubuntu12 GNU C Library: Shared libraries
ii libfontconfig1 2.3.2-7ubuntu2 generic font configuration library
ii libfreetype6 2.2.1-5 FreeType 2 font engine, shared lib
ii libgcc1 1:4.1.1-13ubuntu5 GCC support library
ii libice6 2:1.0.1-1ubuntu1 X11 Inter-Client Exchange library
ii libidn11 0.6.3-1 GNU libidn library, implementation
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.8rel-5.1 PNG library - runtime
ii libqt3-mt 3:3.3.6-3ubuntu3 Qt GUI Library (Threaded runtime v
ii libsm6 2:1.0.1-1ubuntu1 X11 Session Management library
ii libstdc++6 4.1.1-13ubuntu5 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.3-0ubuntu4 X11 client-side library
ii libxcursor1 1.1.7-0ubuntu1 X cursor management library
ii libxext6 2:1.0.1-1ubuntu1 X11 miscellaneous extension librar
ii libxft2 2.1.10-1ubuntu1 FreeType-based font drawing librar
ii libxi6 2:1.0.1-0ubuntu1 X11 Input extension library
ii libxinerama1 2:1.0.1-4build1 X11 Xinerama extension library
ii libxrandr2 2:1.1.1-0ubuntu1 X11 RandR extension library
ii libxrender1 1:0.9.1-0ubuntu1 X Rendering Extension client libra
ii libxt6 1:1.0.2-1ubuntu1 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3-13ubuntu2 compression library - runtime

Versions of packages ark recommends:
ii bzip2 1.0.3-3 high-quality block-sorting file co
pn ncompress <none> (no description available)
ii p7zip 4.42.dfsg.1-2 7-Zip is a file archiver with high
ii unzip 5.52-8ubuntu1 De-archiver for .zip files
ii zip 2.32-1 Archiver for .zip files
pn zoo <none> (no description available)

-- no debconf information

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/

Kees Cook (kees) wrote : Re: reproducible ark crash

If you extract the PPT instead of "opening" it, does ark crash? I'm thinking this may actually be a Koffice bug, rather than an Ark bug.

Once extracted, can you open the PPT in Koffice? Is a .crash file created in /var/crash?

Kees Cook (kees) wrote :

I've tracked this down to koffice for sure. I'm coordinating with upstream to get this fixed. Thanks again for the report!

Changed in koffice:
assignee: nobody → keescook
status: Needs Info → In Progress
Laurent Bonnaud (laurent-bonnaud) wrote : Re: [Bug 71263] Re: reproducible kpresenter crash

On Wed, 2006-11-22 at 00:45 +0000, Kees Cook wrote:

> I've tracked this down to koffice for sure. I'm coordinating with
> upstream to get this fixed. Thanks again for the report!

Indeed, this is a kpresenter crash:

$ kpresenter PhotoTourism.ppt
KCrash: Application 'kpresenter' crashing...

However, IMHO ark should not try to display this file inline with
kparts, but launch an external kpresenter process. This way, ark would
not crash.

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/

Laurent Bonnaud (laurent-bonnaud) wrote : Re: [Bug 71263] Re: reproducible ark crash

On Tue, 2006-11-21 at 19:59 +0000, Kees Cook wrote:

> Is a .crash file created in /var/crash?

Unfortunately no. All crashes in KDE cause a KCrash window to appear,
but no core file is saved in /var/crash/.

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/

Changed in koffice:
status: Unknown → Unconfirmed
Kees Cook (kees) wrote :

This has been fixed in breezy (koffice 1.4.1), and will be fixed upstream shortly (koffice 1.6.1).

Changed in koffice:
status: In Progress → Fix Released
Kees Cook (kees) wrote :

Turned out the code was related to some security problems. The update has been released as USN-388-1.

Laurent Bonnaud (laurent-bonnaud) wrote : Re: [Bug 71263] Re: reproducible kpresenter crash

On Tue, 2006-12-05 at 00:54 +0000, Kees Cook wrote:
> This has been fixed in breezy (koffice 1.4.1), and will be fixed
> upstream shortly (koffice 1.6.1).

Thank you very much for the fix!

I upgraded kpresenter on my system and now I get:

$ kpresenter PhotoTourism.ppt
ole-lib: ERROR: KLaola::parseHeader(): bbd 109 offset (4028526080) too large
ole-lib: ERROR: OLEFilter::filter(): Unable to read input file correctly!

kpresenter is still unable to display this file, but at least it does
not crash.

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/
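The two symptoms in this thread bracket the fix: the original backtrace died in memcpy() inside KLaola::readBigBlockDepot(), while the patched build stops earlier, in KLaola::parseHeader(), with "bbd 109 offset (4028526080) too large", i.e. a big block depot (FAT) sector reference taken from the OLE2 header is now checked against the file before anything is copied. The C program below is an added example of that defensive check, written for this page; it is not KOffice or ole-lib code. It assumes only the public OLE2/CFB header layout (signature at offset 0, sector shift at 0x1E, FAT sector count at 0x2C, 109 DIFAT slots starting at 0x4C) and builds two constructed in-memory files: one well-formed and one whose first DIFAT slot points far beyond the end of the buffer, the shape of input that crashed the unpatched reader.

```c
/* Bounds-checked reader for the header of an OLE2 / Compound File Binary
 * (CFB) container, the format ole-lib parses for .ppt files.
 * Added example for this page, not KOffice code. Field offsets follow the
 * public CFB layout; the sample files below are constructed in memory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFB_HEADER_SIZE  512
#define CFB_DIFAT_IN_HDR 109          /* DIFAT slots stored in the header */
#define CFB_FREESECT     0xFFFFFFFFu  /* marker for an unused DIFAT slot  */

enum cfb_status {
    CFB_OK = 0,
    CFB_ERR_SHORT,        /* buffer shorter than one header                */
    CFB_ERR_SIGNATURE,    /* not an OLE2 container                          */
    CFB_ERR_SECTOR_SHIFT, /* sector size is neither 512 nor 4096 bytes      */
    CFB_ERR_FAT_COUNT,    /* FAT sector count disagrees with the DIFAT list */
    CFB_ERR_BBD_OFFSET    /* a FAT (big block depot) sector lies past EOF   */
};

static const uint8_t CFB_MAGIC[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Byte offset of sector `sect`; sector 0 starts right after the header.
 * Computed in 64 bits so a hostile 32-bit sector number cannot wrap. */
static uint64_t sector_offset(uint32_t sect, unsigned shift) {
    return ((uint64_t)sect + 1) << shift;
}

/* Validate the header and every in-header FAT sector reference against the
 * real length of the file. On CFB_ERR_BBD_OFFSET, *bad_slot (if given)
 * receives the index of the offending DIFAT slot. */
enum cfb_status cfb_check_header(const uint8_t *buf, size_t len, unsigned *bad_slot) {
    if (len < CFB_HEADER_SIZE) return CFB_ERR_SHORT;
    if (memcmp(buf, CFB_MAGIC, sizeof CFB_MAGIC) != 0) return CFB_ERR_SIGNATURE;

    unsigned shift = rd16(buf + 0x1E);            /* 9 -> 512 B, 12 -> 4096 B */
    if (shift != 9 && shift != 12) return CFB_ERR_SECTOR_SHIFT;
    uint64_t sector_size = (uint64_t)1 << shift;

    uint32_t num_fat = rd32(buf + 0x2C);
    /* Past 109 entries the list continues in DIFAT sectors (header offset
     * 0x44); they need the same check but are not handled in this example. */
    if (num_fat > CFB_DIFAT_IN_HDR) return CFB_ERR_FAT_COUNT;

    for (unsigned i = 0; i < num_fat; i++) {
        uint32_t sect = rd32(buf + 0x4C + 4 * i);
        if (sect == CFB_FREESECT) return CFB_ERR_FAT_COUNT;  /* list ends early */
        uint64_t off = sector_offset(sect, shift);
        /* The whole sector must fit; phrased so off + size cannot overflow. */
        if (off > len || sector_size > len - off) {
            if (bad_slot) *bad_slot = i;
            return CFB_ERR_BBD_OFFSET;
        }
    }
    return CFB_OK;
}

/* Copy FAT sector `i` out of the file only after the header check passed,
 * so this memcpy can never read beyond buf + len. Returns bytes copied or -1. */
int cfb_copy_fat_sector(const uint8_t *buf, size_t len, unsigned i,
                        uint8_t *out, size_t out_len) {
    if (cfb_check_header(buf, len, NULL) != CFB_OK) return -1;
    unsigned shift = rd16(buf + 0x1E);
    if (i >= rd32(buf + 0x2C)) return -1;
    size_t sector_size = (size_t)1 << shift;
    if (out_len < sector_size) return -1;
    size_t off = (size_t)sector_offset(rd32(buf + 0x4C + 4 * i), shift);
    memcpy(out, buf + off, sector_size);
    return (int)sector_size;
}

/* Constructed sample: a 1024-byte file = header + one FAT sector. With
 * `poison` set, DIFAT slot 0 points at sector 0x7FFFFFFF, far past EOF. */
static void build_sample(uint8_t file[1024], int poison) {
    memset(file, 0, 1024);
    memcpy(file, CFB_MAGIC, sizeof CFB_MAGIC);
    file[0x1E] = 9;                                   /* 512-byte sectors */
    file[0x2C] = 1;                                   /* one FAT sector   */
    memset(file + 0x4C, 0xFF, 4 * CFB_DIFAT_IN_HDR);  /* all slots free   */
    if (poison) {
        file[0x4C] = 0xFF; file[0x4D] = 0xFF; file[0x4E] = 0xFF; file[0x4F] = 0x7F;
    } else {
        memset(file + 0x4C, 0, 4);                    /* FAT in sector 0  */
    }
    memset(file + 512, 0xFF, 512);                    /* FAT: all FREESECT */
}

int sample_status(int poison, unsigned *bad_slot) {
    uint8_t file[1024];
    build_sample(file, poison);
    return (int)cfb_check_header(file, sizeof file, bad_slot);
}

int sample_copy_result(int poison) {
    uint8_t file[1024], sector[512];
    build_sample(file, poison);
    return cfb_copy_fat_sector(file, sizeof file, 0, sector, sizeof sector);
}

int main(void) {
    unsigned slot = 0;
    int bad = sample_status(1, &slot);
    printf("well-formed file: status %d, copied %d bytes\n",
           sample_status(0, NULL), sample_copy_result(0));
    printf("poisoned file: status %d (DIFAT slot %u), copied %d bytes\n",
           bad, slot, sample_copy_result(1));
    return 0;
}
```

cfb_check_header() rejects a sector reference unless the whole sector fits inside the buffer, and it computes the offset in 64 bits so a hostile 32-bit sector number cannot wrap the multiplication; cfb_copy_fat_sector() refuses to memcpy until that check has passed, which is the property the unpatched readBigBlockDepot() lacked. Files with more than 109 FAT sectors keep the rest of the list in DIFAT sectors, which this example does not follow; a full reader has to apply the same bounds check to each of those before reading it.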

In , beer (jonas-vejlin) wrote :

Should this be "waitingforinfo"?

In , Dario Andres (andresbajotierra) wrote :

Was the testcase file provided?
Marking as NEEDSINFO

Changed in koffice:
status: New → Unknown
In , Niemimika-di (niemimika-di) wrote :

I still have the example file. I may have missed some of the status changes because my e-mail address changed a while ago.

The file opens quite nicely with OpenOffice.org 2.4.1.

KPresenter 1.6.3 (using KDE 3.5.10) is my current version and it gives a dialog "Could not open /home/mniemi/aivojenkehitys.ppt, Reason: Internal error".
The command line shows the following lines:

mniemi@localhost:~$ kpresenter aivojenkehitys.ppt
ole-lib: ERROR: KLaola::parseHeader(): bbd 109 offset (4028526080) too large
ole-lib: ERROR: OLEFilter::filter(): Unable to read input file correctly!
mniemi@localhost:~$

In , Sebastian Sauer (mail-dipe) wrote :

Can the crash still be reproduced with koffice 2.2 or newer?

@Mika Niemi
Could you please mail the document to me (mail at dipe.org)? Thanks in advance :)

Changed in koffice:
importance: Unknown → High
status: Unknown → Incomplete
In , Myriam Schweingruber (myriam) wrote :

Closing for lack of feedback. I can't reproduce this crash with current calligrastage git-master.

Changed in koffice:
status: Incomplete → Invalid
This report contains Public Security information  