Bug 154742

Summary: CAN-2005-0941: remote heap overflow vulnerability (bad .doc file can exec arbitrary code)
Product: [Retired] Fedora Legacy Reporter: Matthew Miller <mattdm>
Component: openofficeAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: fc2CC: dcbw
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-13 00:52:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Miller 2005-04-13 21:55:28 UTC
Advisory: http://www.securityfocus.com/bid/13092/
Fedora Core 3 update:
http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00027.html

  An attacker may exploit this issue by crafting a malformed .doc file and 
  enticing a user to open this file with the affected application. If a vulnerable
  user opens this file in OpenOffice, the application may crash due to memory 
  corruption. This issue may also be leveraged to execute arbitrary code in the 
  context of the user running OpenOffice. 

Filing this for Fedora Core 2; seems like it probably also affects FC1 and RHL9.
(For those releases, also see bug #152784 (CAN-2004-0752) which is already fixed
for FC2.

The (pre-update) FC3 package and FC2 package are basically identical; we should
be able to just rebuild the FC3 package to make our update.

Comment 1 Dan Williams 2005-04-14 16:30:02 UTC
I actually have FC2 packages that I pushed through Beehive right before the
cutoff date happened.  I'd be happy to post them somewhere, since I was just
about to push them to fc2-updates anyway right when the cutoff came around.

Comment 2 Dan Williams 2005-04-14 16:38:25 UTC
packages for FC2 are here:

http://people.redhat.com/dcbw/ooo/

Comment 3 Marc Deslauriers 2005-04-14 21:19:43 UTC
Thanks Dan!

Comment 4 Marc Deslauriers 2005-05-02 12:02:04 UTC
Packages were pushed to updates-testing.

Comment 5 David Curry 2005-05-08 05:26:57 UTC
fc2: openoffice.org-1.1.3-11.4.0.fc2 packages were downloaded into a temporary
directory, checked with rpm -K openoffice*, and installed without any exceptions
or difficulty.

In turn, openoffice.org calc, draw, impress, and writer were opened and used
without encountering any exceptions.  Project management and Math were opened
and closed, but not used.

Tests performed included the following.

WRITER:
1. A new document was created and saved in native oo.o format.  Writer was
closed, reopened and the newly created writer document was opened and closed
without exception or error.
2.  A pre-existing native oo.o format document containing both text and tables
imported from oo.o calc was loaded, edited slightly and saved without error.
3.  A pre-existing .doc file was opened and saved in native oo.o format, as
.pdf, as .rtf, and as .html.  All created documents were subsequently opened
with oo.o.  The .rtf document was also opened with abiword, the .html document
was opened with Konqueror, and the .pdf document was opened with PDF Viewer.

CALC:
1. A pre-existing .xls spreadsheet document of greater size than oo.o can
process was opened.  oo.o continued running, advising the user that rows in
excess of oo.o capacity were not imported.  (Unexpected outcome: Loading of this
spreadsheet file seemed a bit faster than I remembered from earlier versions of
oo.o.)

2.  A new spreadsheet was created using test data and four of the more simple
built-in statistical functions.  No errors or exceptions encountered.
3.  Several existing .xls files containing table lookups, mutiple coloring of
text, statistical functions, relatively sophisticated formating were
successfully opened without observing any indications that formating had changed
or that functions used were not accurately supported.

DRAW, IMPRESS:
1.  Simple new documents were created and saved.  Oo.o was closed, reopened and
the newly created documents were reopened without error.

+verify

Comment 6 Marc Deslauriers 2005-05-13 00:52:24 UTC
Released to updates