Published: 2006-06-15 06:02:00
Revised: 2011-10-11 00:00:00

[Original] Integer overflow in wv2 before 0.2.3 might allow context-dependent attackers to execute arbitrary code via a crafted Microsoft Word document.

[CNNVD] wv2 integer overflow vulnerability (CNNVD-200606-300)

        wv2 contains an integer overflow; a context-dependent attacker may be able to execute arbitrary code via a specially crafted Microsoft Word document.

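- CVSS (base score)

CVSS score: 6.5 [MEDIUM]
Confidentiality impact: PARTIAL [likely to result in information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-189 [Numeric Errors]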

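- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources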
(PATCH)  BID  18437
(UNKNOWN)  XF  wvware-wv2-word-overflow(27184)

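- Vulnerability information

wv2 integer overflow vulnerability
Medium severity  Numeric error
2006-06-15 00:00:00 2006-09-22 00:00:00
        wv2 contains an integer overflow; a context-dependent attacker may be able to execute arbitrary code via a specially crafted Microsoft Word document.

- Advisories and patches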

        wvWare wv2 0.2.2

        Debian GNU/Linux 3.1 alias sarge:
        Debian libwv2-1_0.2.2-1sarge1_alpha.deb
        Debian libwv2-1_0.2.2-1sarge1_amd64.deb
        Debian libwv2-1_0.2.2-1sarge1_arm.deb
        Debian libwv2-1_0.2.2-1sarge1_hppa.deb
        Debian libwv2-1_0.2.2-1sarge1_i386.deb
        Debian libwv2-1_0.2.2-1sarge1_ia64.deb
        Debian libwv2-1_0.2.2-1sarge1_m68k.deb
        Debian libwv2-1_0.2.2-1sarge1_mips.deb
        Debian libwv2-1_0.2.2-1sarge1_mipsel.deb
        Debian libwv2-1_0.2.2-1sarge1_powerpc.deb
        Debian libwv2-1_0.2.2-1sarge1_s390.deb
        Debian libwv2-1_0.2.2-1sarge1_sparc.deb
        Debian libwv2-dev_0.2.2-1sarge1_alpha.deb
        Debian libwv2-dev_0.2.2-1sarge1_amd64.deb
        Debian libwv2-dev_0.2.2-1sarge1_arm.deb
        Debian libwv2-dev_0.2.2-1sarge1_hppa.deb
        Debian libwv2-dev_0.2.2-1sarge1_ia64.deb
        Debian libwv2-dev_0.2.2-1sarge1_m68k.deb
        Debian libwv2-dev_0.2.2-1sarge1_mips.deb
        Debian libwv2-dev_0.2.2-1sarge1_mipsel.deb
        Debian libwv2-dev_0.2.2-1sarge1_powerpc.deb
        Debian libwv2-dev_0.2.2-1sarge1_s390.deb
        Debian libwv2-dev_0.2.2-1sarge1_sparc.deb

        Mandriva Linux 2006.0/X86_64:
        Mandriva lib64wv2_1-0.2.2-3.1.20060mdk.x86_64.rpm

        Mandriva Linux 2006.0:
        Mandriva libwv2_1-0.2.2-3.1.20060mdk.i586.rpm

- Vulnerability information (F47746)

Mandriva Linux Security Advisory 2006.109 (PacketStormID:F47746)
2006-06-27 00:00:00

Mandriva Linux Security Advisory MDKSA-2006-109 - A boundary checking error was discovered in the wv2 library, used for accessing Microsoft Word documents. This error can lead to an integer overflow induced by processing certain Word files.

 Mandriva Linux Security Advisory                         MDKSA-2006:109
 Package : wv2
 Date    : June 20, 2006
 Affected: 2006.0, Corporate 3.0
 Problem Description:
 A boundary checking error was discovered in the wv2 library, used for
 accessing Microsoft Word documents.  This error can lead to an integer
 overflow induced by processing certain Word files.
 The updated packages have been patched to correct these issues.

 Updated Packages:
 Mandriva Linux 2006.0:
 de94c8e865cf5c1b1a018d9e99be1a2f  2006.0/RPMS/libwv2_1-0.2.2-3.1.20060mdk.i586.rpm
 25a43e0933dc84a8328db4c29bfab8f2  2006.0/RPMS/libwv2_1-devel-0.2.2-3.1.20060mdk.i586.rpm
 2a6d2bf2a9d22f208ec24aa1f447606b  2006.0/SRPMS/wv2-0.2.2-3.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 fa5f63d79ee02b7f35ca0c0c9e959817  x86_64/2006.0/RPMS/lib64wv2_1-0.2.2-3.1.20060mdk.x86_64.rpm
 3aeae3be8616d1ab888a26e8d0e5fbf8  x86_64/2006.0/RPMS/lib64wv2_1-devel-0.2.2-3.1.20060mdk.x86_64.rpm
 2a6d2bf2a9d22f208ec24aa1f447606b  x86_64/2006.0/SRPMS/wv2-0.2.2-3.1.20060mdk.src.rpm

 Corporate 3.0:
 145d276e1cb06b5ffe6bc9a79666e64b  corporate/3.0/RPMS/libwv2_1-0.2.1-1.1.C30mdk.i586.rpm
 148f83cdc9b06a767b47419193a21800  corporate/3.0/RPMS/libwv2_1-devel-0.2.1-1.1.C30mdk.i586.rpm
 1ab35d6fc18115a6a3c2cdf1a81fd7dc  corporate/3.0/SRPMS/wv2-0.2.1-1.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 15fcfb9ca05c8e319d6357c4a05d8899  x86_64/corporate/3.0/RPMS/lib64wv2_1-0.2.1-1.1.C30mdk.x86_64.rpm
 d717c6ba6190d0f1ce5c92432a7b97f5  x86_64/corporate/3.0/RPMS/lib64wv2_1-devel-0.2.1-1.1.C30mdk.x86_64.rpm
 1ab35d6fc18115a6a3c2cdf1a81fd7dc  x86_64/corporate/3.0/SRPMS/wv2-0.2.1-1.1.C30mdk.src.rpm

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 If you want to report vulnerabilities, please contact


 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team



- Vulnerability information (F47612)

Debian Linux Security Advisory 1100-1 (PacketStormID:F47612)
2006-06-25 00:00:00

Debian Security Advisory 1100-1 - A boundary checking error has been discovered in wv2, a library for accessing Microsoft Word documents, which can lead to an integer overflow induced by processing word files.

--------------------------------------------------------------------------
Debian Security Advisory DSA 1100-1                                       Martin Schulze
June 15th, 2006
--------------------------------------------------------------------------

Package        : wv2
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-2197

A boundary checking error has been discovered in wv2, a library for
accessing Microsoft Word documents, which can lead to an integer
overflow induced by processing word files.

The old stable distribution (woody) does not contain wv2 packages.

For the stable distribution (sarge) this problem has been fixed in
version 0.2.2-1sarge1

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your libwv packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>




- Vulnerability information (F47553)

Ubuntu Security Notice 300-1 (PacketStormID:F47553)
2006-06-21 00:00:00

Ubuntu Security Notice 300-1 - libwv2 did not sufficiently check the validity of its input. Certain invalid Word documents caused a buffer overflow. By tricking a user into opening a specially crafted Word file with an application that uses libwv2, this could be exploited to execute arbitrary code with the user's privileges.

Ubuntu Security Notice USN-300-1              June 14, 2006
wv2 vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libwv2-1                       0.2.2-1ubuntu1.1
  libwv2-dev                     0.2.2-1ubuntu1.1

Ubuntu 5.10:
  libwv2-1c2                     0.2.2-1ubuntu2.1
  libwv2-dev                     0.2.2-1ubuntu2.1

Ubuntu 6.06 LTS:
  libwv2-1c2                     0.2.2-5ubuntu0.1
  libwv2-dev                     0.2.2-5ubuntu0.1

After a standard system upgrade you need to restart KWord to effect
the necessary changes.

Details follow:

libwv2 did not sufficiently check the validity of its input. Certain
invalid Word documents caused a buffer overflow. By tricking a user
into opening a specially crafted Word file with an application that
uses libwv2, this could be exploited to execute arbitrary code with
the user's privileges.

The only packaged application using this library is KWord.

Updated packages for Ubuntu 5.04:

Updated packages for Ubuntu 5.10:

Updated packages for Ubuntu 6.06 LTS:


- Vulnerability information

wvWare wv2 Library Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-06-12 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

wv2 Remote Buffer Overflow Vulnerability
Boundary Condition Error 18437
Yes No
2006-06-14 12:00:00 2006-11-23 10:05:00
The vendor disclosed this issue.

- Affected program versions

wvWare wv2 0.2.2
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. SuSE Linux Open-Xchange 4.1
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
wvWare wv2 0.2.3

- Unaffected program versions

wvWare wv2 0.2.3

- Vulnerability discussion

The wv2 library is prone to a remote buffer-overflow vulnerability. This issue is due to the library's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of applications that use the affected library to parse malicious Microsoft Word files.

Version 0.2.2 of the wv2 library is vulnerable to this issue; other versions may also be affected.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- Solution

The vendor has released a fixed version of the affected library.

Please see the referenced advisories for more information on obtaining and applying fixes.

wvWare wv2 0.2.2

- Related references