forked from vbwagner/catdoc
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathNEWS
More file actions
254 lines (221 loc) · 11 KB
/
NEWS
File metadata and controls
254 lines (221 loc) · 11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
0.97 March 8 2026
Remove 16-bit DOS support. Use version 0.96 if you're still building and
running the catdoc programs in DOS.
Incorporated Debian patches for the three 2024 CVEs identified and
addressed by the Cisco Talos team.
- TALOS-2024-2128 "Catdoc xls2csv utility Shared String Table Record
Parser memory corruption vulnerability"
- CVE-2024-48877 xls2csv memory corruption vulnerability
- CVE-2024-52035 OLE Document Parser vulnerability
- CVE-2024-54028 OLE Document DIFAT Parser vulnerability
Used GNU autoconf to generate Makefiles and present and manage test
results. Add `autoconf -fiv` to INSTALL steps.
Users can set a CHARSETPATH environment variable to point to one or
more non-standard charsets directory locations (as an alternative
to charset_path in .catdocrc). This allows testing without doing
`make install`.
Fixed handling of destination charsets with chars > u7FFF (e.g. when
specifying mac-roman as destination charset), and of missing charsets;
commit 8866ca937 (cherry-picked from vbwagner's upstream GitHub
repository). Also added test for the bug.
The other vbwagner commit in 2025, "Fix ole name bug", was already
incorporated in this fork's version 0.96.
Developed test framework for memory access errors caught by
address sanitizer.
Fixed CVE-2023-31979 global buffer overflow vulnerability in the
process_file function in src/reader.c.
This also addresses CVE-2018-20451 and CVE-2018-20453 that were found
in libdoc (based on catdoc) and were also present in catdoc..
Fixed NULL derefence if charset directory is empty (issue #8), which
may be the same bug as CVE-2023-41633.
Fixed memory leak in charset handling.
Fixed several memory access bugs caught by address sanitizer that
were reported by GitHub user @yangzao against the upstream
vbwagner/catdoc as issues #6, #7, #8, #9, #10, #11, #12, and #13.
Confirmed that these fixes also address all the buggy files found by
Dean Pierce in 2015 using American Fuzzy Lop software fuzzer, reported
to the oss-sec mailing list and uploaded to
https://catdocbugs.neocities.org/ .
Added build automation to trigger Fedora Copr builds.
0.96 July 7 2025
This incorporates several patches to catdoc that have
accumulated, many from Debian.
- Fixed wrong charset conversion in xls2csv (Debian bug #878334)
- Fixed memory read and bad output from int'l xls file (Debian
bug #878330)
- Fixed some LibreOffice documents saved in Word 97-2003 format,
patch from Debian (Debian bug #874048, RedHat bug #1472876)
- Improved XLS parsing, patch from Debian (Debian bug XXX)
- Fixed types for some on-disk structures, patch from Debian
(Debian bug XXX)
- CVE-2017-11110: fixed heap buffer overflow in ole_init, patch
from Debian (Debian bug XXX)
- Makefile fixes, patch from Debian
- amd_64 fixes, patch from Debian (Debian bug XXX)
- Add DESTDIR prefix to Makefile.in (Fedora patch)
- man page fixes
Update COPYING with latest gpl-2.0.txt
Added test files, a simple test framework, and GitHub workflow
automation to run `make check` on updates.
Fixed xsl2csv compiling and running in DOS, updated INSTALL.dos
instructions.
Converted README to markdown, added information about vulnerabilities
and future plans.
0.95 May 25 2016
Replaced charset tables with new ones, published by Unicode Consortium with
more permissive license.
Fixed some incompatibilities with CLang
Fixed lot of segfaults on incorrect or corrupted data
Use stdint int types throughout the code, add configure check for stdint.h
0.94.2 Feb 25 2005
Now ole Root Entry is searched by entry type rather than by
name. It is better fix for same problem which was fixed in
0.94.1. Fixed building of catppt postscript docs. It might be
not qualify for release, but since I've lost archives and have
no hope of recreating distribution with same SHA1 sum from
working copy of repository which was left, I prefer to make new
release. 0.94.1 Feb 09 2006 Fixed some problems with OLE
parsing. Fixed some issues with codepage search introduced in
the 0.94. Fixed negative record length in ppt files.
0.94 May 02 2005
Added catppt utility to process powerpoint files. Now
xls2csv proprerly recognizes Mac and other codepages which
Microsoft refers by numbers and other world by names. Support
ansicpg command in RTF. Also lot of small bug fixes 0.93.4 Sep
0.93.4 Sep 30 2004. Wedding release.
After about a year of existence of version 0.93.3 numerous
bug reports was send to me and incorporated into CVS. So it is
time to release new one. Fixed lot of bugs concerning rtf
parser and xls3csv. Added ability to define customizable page
separator for multipage spreadsheets and command line switch to
specify desired maximal precission of floating point numbers
(default now is output as many digits as it is). Also fixed bug
with reading pre-OLE word/write files and text files (Debian
bug #255625).
0.93.3 Nov 15 2003
It was planned as feature release. It has support for Excel
Date formatting, output of blank cells and help window in
wordview. Unfortunately, during its development important bug
was found in ole parser code. So I have to publish this release
real soon after previous 0.93.2 Nov 14 2003
Improved performance of OLE parser, fixed problems with
unicode chars 0xFF00-0xFFFF in catdoc, rewrite wordview for
unicode-aware version of Tcl, with support of displaying text
in language different from current locale. Reworked autoconf
configuration.
0.93.1 Sep 24 2003
Fixed numerous bugs in newer OLE and RTF code, including
problem with incorrectly interpreting last (incomplete)
256-byte block of text as Unicode. Restored support for pre-OLE
Word versions, which was accidently lost in 0.93
0.93 July 29 2003
Added proper handling of OLE structure (by Alex Ott).
0.92 June 16 2003
Added RTF parser at last (contributed by Alex Ott). MS-DOS
Executable for xls2csv is included. Some code clean up and
splitting.
0.91.6 May 24 2003
Added autodetect of output charset from current locale.
Fixed handling of RK and MULRK records in xls2csv. No more
missing numbers. Fixed long-standing bug with loosing of first
8 symbols when recoding text file. I finally began to provide
MS-DOS executables for 0.91.x series
0.91.5 January 30 2002
I finally got to catdoc again. UTF-8 output is added. Just
specify utf-8 as output charset.
0.91.4 December 30 1999
Fixed important bug in xls2csv - improper recognition of
numeric cells (as opposed to formula). Fixed segfault when
catdoc is used to recode plain text files.
0.91.3 December 14 1999
Mainly xls2csv fixes - xls2csv now recognizes some options
(man page is in sync), added endianess check to configure, so
xls2csv compilies correctly out of the box on big-endian
machines
0.91.2 October 19 1999
This is first verison which includes xls2csv program. Also,
some long-standed bugs are fixed and newly-introduced bug when
catdoc hangs on broken files. Although these files are not read
properly without -b switch. New charset koi8-u is added to
distribution. If you want to use it in the stable version, just
download it from here and put in the catdoc library directory.
New switch -l is added. It causes catdoc to list available
charsets in current charset path.
0.91.1 October 15 1999
As it was expected it was wrong decision to believe
information about extended charset from word document header.
Now we analyze encoding for each 256-byte page separately
(becouse it is possible that first ones would be 8-bit and
other 16-bit). When processing non-word files (i.e. plain text)
encodings are converted and -u is taken into account, so catdoc
can be used as generic character converter, which supports utf8
and utf16 (both byteorders) as input. 0.91.0 October 12 1999
Implemented new format analyzis. Now most versions of word
format as well as MS-Write and rtf are detected. Boundaries of
main text stream are also detected, so no more garbage is
produced at the end of file 0.90.3 August 11 1999
Fixed small OS-specific bugs - broken isspace in Turbo C
Under DOS and %x was replaced %i for compatibility with SunOS 4.
0.90.2 May 24 1999
Artem Chuprina pointed out to segfault error when
non-existent charset is specified in command line. It turned
out to be silly bug in check_charset function with oneline fix.
You can get one-line patch.
0.90.1 Nov 26 1998
Top-level Makefile now uses $MAKE instead of make
fixed missing end-line escaping in wordview.tcl
All occurences of strcpy, strcat and sprinf investigated
to avoid buffer overflows.
0.90 Oct 29 1998
Fixed bug with charset names redeclared locally in main()
Fixed problem in configure with wish 8.0.3
Catdoc considered to be stable enough for release
0.90b5 Oct 14 1998
Fixed handling of 0x1F char (soft hyphen in Word 6.0),
now it is translated to 0x00AD (unicode soft hyphen)
Fixed permissions for manual page
Added --with-install-root configure arg to simplify
building of binary packages.
0.90b4 September 17 1998
Added proper configuration of library dir in wordview.
Added --disable-charset-check config option
Added 0x2026 symbol in ascii.rpl
Added more Windows codepages in distribution
0.90b3 September 11 1998
Added -x switch to simplify debugging of substitution maps
0.90b2 September 10 1998
Added some symbols is 0x2000-0x20FF range to substituton maps
These symbols occurs in cp1251 so they are frequently found
in Word files. Fixed some filename-handling problems in
wordview.tcl
0.90b1 September 8 1998
Added us-ascii.charset, fixed small bugs in confugre,
install is used for all installation files. Code is
considered stable enough to be beta.
0.90a3 September 7 1998
Fixed small bug in table handling, which caused catdoc to
output extra column delimiter just before row delimiter. Added
autoconf configuration. install is back, although not for
charsets
0.90a2 August 18 1998
version 0.90 was tested on BSDI and Solaris platform. Makefile
was rewritten to avoid use of highly incompatible
/usr/{ucb,bin}/install
0.90a1 August 13 1998
Catdoc undergone major rewrite. Now it has proper charset
handling, including UNICODE and runtime configurability.
0.35 - June 5 1998
Fixed bug with -s switch which prevents catdoc from returning
non-zero code when invoked on UNIX text file
0.34 - Apr 28 1998
Files now opened in binary mode thus allowing catdoc to work on
DOS and simular systems. All specs arrays now have terminating
NULL
0.33 - October 1997
Fixed missing terminating NUL in specs array, which caused
random seqfaults on Linux and many other systems, becouse
_specs_ is searched by _strchr_ fynction
0.32 - August 1997
First major public release, uploaded to CTAN. Tk interface
appeared, manual page was written. Unfortunately, this release
was buggy.