[arch-security] [ASA-201412-20] unrtf: arbitrary code execution
anthraxx at archlinux.org
Tue Dec 16 20:51:58 UTC 2014
Arch Linux Security Advisory ASA-201412-20
Date : 2014-12-16
CVE-ID : CVE-2014-9274 CVE-2014-9275
Package : unrtf
Type : arbitrary code execution
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE-2014
The package unrtf before version 0.21.7-1 is vulnerable to arbitrary
Upgrade to 0.21.7-1.
# pacman -Syu "unrtf>=0.21.7-1"
The problems have been fixed upstream in version 0.21.7.
- CVE-2014-9274 (arbitrary code execution)
A flaw allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code as demonstrated by a file containing the
- CVE-2014-9275 (arbitrary code execution)
A flaw allows remote attackers to cause a denial of service
(out-of-bounds memory access and crash) and possibly execute arbitrary
code via a crafted RTF file.
An attacker able to craft an RTF file could use those issues to cause a
crash or execute arbitrary code while accessing a pointer that may be
under the attacker's control.