Secunia

Multiple vulnerabilities have been reported in in Autonomy KeyView, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) A boundary error when parsing records in compound documents can be exploited to cause a heap-based buffer overflow by tricking a user into viewing e.g. a specially crafted Quattro Pro file.

2) A boundary error in the SpreadSheet Lotus 123 reader (wkssr.dll) when converting floating point values can be exploited to cause a stack-based buffer overflow.

3) Two boundary errors in the SpreadSheet Lotus 123 reader (wkssr.dll) when parsing certain records can be exploited to cause stack-based buffer overflows.

4) An error in the SpreadSheet Lotus 123 reader (wkssr.dll) when allocating an array of pointers during the parsing of a certain record can be exploited to corrupt heap memory when later parsing strings in a specially crafted file.

5) An integer underflow error in the SpreadSheet Lotus 123 reader (wkssr.dll) when parsing the size of a certain record can be exploited to cause a buffer overflow.

6) A signedness error in the RTF reader (rtfsr.dll) when parsing the argument to the "\ls" keyword within a list override table entry in RTF files can be exploited to cause a buffer overflow.

7) A boundary error in the WordPerfect 5 reader (wosr.dll) when parsing data blocks can be exploited to cause a heap-based buffer overflow.

8) A boundary error in a viewer responsible for parsing Word documents can be exploited to cause a stack-based buffer overflow via a specially crafted Word document containing an overly long font name.

9) A length calculation error in a viewer responsible for parsing Word documents can be exploited to cause a buffer overflow via a specially crafted Word document containing a malformed shape.

10) An error in wkssr.dll when parsing WK3 documents can be exploited to cause a buffer overflow via a specially crafted WK3 file.

11) A boundary error in wkssr.dll when parsing WK3 documents can be exploited to cause a buffer overflow via a specially crafted WK3 file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are confirmed in version 10.4 and 10.9. Other versions may also be affected.

Solution
Apply patches for versions 10.10, 10.9, 10.8, 10.5, 10.4, 10.3, 9.2, and 7.4.

Provided and/or discovered by
1-5) Carsten Eiram, Secunia Research.
6-7) Dyon Balding, Secunia Research.
8-11) An anonymous person via ZDI.

Changelog
Further details available in Customer Area

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2010-16/
http://secunia.com/secunia_research/2010-23/
http://secunia.com/secunia_research/2010-27/
http://secunia.com/secunia_research/2010-28/
http://secunia.com/secunia_research/2010-31/
http://secunia.com/secunia_research/2010-35/
http://secunia.com/secunia_research/2010-49/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-156/
http://www.zerodayinitiative.com/advisories/ZDI-10-157/
http://www.zerodayinitiative.com/advisories/ZDI-10-158/
http://www.zerodayinitiative.com/advisories/ZDI-10-159/

Deep Links
Links available in Customer Area