CVE-2024-54028: 
Linux Debian vulnerability analysis and mitigation

An integer underflow vulnerability (CVE-2024-54028) was discovered in the OLE Document DIFAT Parser functionality of catdoc 0.95. The vulnerability was discovered by Cisco Talos and publicly disclosed on June 2, 2025. The affected software includes catdoc and its related utilities (xls2csv and catppt), which are command-line tools designed to extract plaintext from Microsoft Office documents (Talos Report).

The vulnerability exists in the OLE Document DIFAT Parser where an integer underflow can occur when processing sector sizes. When the sectorSize is less than 4, it triggers an integer underflow in the calculation (sectorSize-4)*i, resulting in the fread function storing data outside the bounds of the heap allocation. This occurs specifically when processing 16-bit integers at offset 0x1E of the file that determine the sector and minisector sizes. The vulnerability has been assigned a CVSS v3.1 score of 8.4 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Talos Report).

The vulnerability can lead to heap-based memory corruption when processing specially crafted malformed files. This can potentially allow for code execution under the context of the binary. The impact is particularly significant as catdoc is used by several filesystem indexers, including KDE's Baloo, for providing full text search capabilities for document contents (Talos Report).

The vulnerability was reported to the vendor on January 7, 2025, with follow-up contact on January 14, 2025. The vendor was officially notified on January 16, 2025. As of the public disclosure on June 2, 2025, users should monitor for updates from the vendor for a patched version (Talos Report).