[arch] [security] Alert on OpenOffice fixed
JJDaNiMoTh
jjdanimoth at gmail.com
Sun Apr 1 11:40:42 EDT 2007
------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#20
------------------------------------------------------------
Name: openoffice-base
Date: 2007-03-23
Severity: High
Warning #: 2007-#20
------------------------------------------------------------
Product Background
===================
OpenOffice.org is a multiplatform and multilingual office suite and an
open-source project. It is compatible with all other major office suites.
Problem Background
===================
iDefense reported an integer overflow flaw in libwpd, a library used
internally by OpenOffice.org for handling WordPerfect documents. An
attacker could create a carefully crafted WordPerfect file that could
cause OpenOffice.org to crash or possibly execute arbitrary code if the
file was opened by a victim. (CVE-2007-1466)
John Heasman discovered a stack overflow in the StarCalc parser in
OpenOffice.org. An attacker could create a carefully crafted StarCalc file
that could cause OpenOffice.org to crash or possibly execute arbitrary code
if the file was opened by a victim. (CVE-2007-0238)
Flaws were discovered in the way OpenOffice.org handled hyperlinks. An
attacker could create an OpenOffice.org document which could run commands
if a victim opened the file and clicked on a malicious hyperlink.
(CVE-2007-0239)
Impact
==========
These vulnerabilities can potentially be exploited by malicious people
to compromise a user's system.
Problem Packages
===================
Package: openoffice-base
Repo: extra
Group: office
Unsafe: < 2.2.0
Safe: >= 2.2.0
Package Fix
===================
Upgrade to 2.2.0.
In any case, do not open documents from untrusted sources.
===================
Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html
Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1466
http://secunia.com/advisories/24588/
Contact
===================
JJDaNiMoTh <jjdanimoth at gmail.com>
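Added example (not part of the original advisory): a shell check that reads `pacman -Q` style output and reports whether openoffice-base falls in the Unsafe range (< 2.2.0) given above. The function names, the sample package list and the simplified version comparison are assumptions of this example; on a real Arch system pacman's `vercmp` is the authoritative comparator.

```shell
#!/bin/sh
SAFE_VERSION="2.2.0"   # from the advisory: Safe >= 2.2.0

# Reduce a pacman version to its upstream part: the epoch ("1:") and the
# pkgrel ("-3") are dropped. Ignoring the epoch is a simplification.
upstream_ver() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# ver_lt A B: succeed when A < B, comparing dot-separated numeric components.
# Non-numeric suffixes such as "rc1" are ignored (simplification).
ver_lt() {
    a=$(upstream_ver "$1"); b=$(upstream_ver "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the consumed component; an exhausted version counts as 0.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal, so A is not lower than B
}

# Read "name version" lines on stdin and report the status of openoffice-base.
audit_openoffice() {
    status="NOT-INSTALLED"
    while read -r name ver; do
        [ "$name" = "openoffice-base" ] || continue
        if ver_lt "$ver" "$SAFE_VERSION"; then
            status="UNSAFE $ver"
        else
            status="SAFE $ver"
        fi
    done
    printf '%s\n' "$status"
}

# Constructed sample of `pacman -Q` output (not taken from a real host).
sample_host() {
    printf '%s\n' "glibc 2.5-4" "openoffice-base 2.1.0-3" "zlib 1.2.3-1"
}

sample_host | audit_openoffice   # real use: pacman -Q | audit_openoffice
```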