Bug 154989

Summary: RH9: CAN-2005-0941: remote heap overflow vulnerability (bad .doc file can exec arbitrary code)
Product: [Retired] Fedora Legacy
Reporter: Dan Williams <dcbw>
Component: openoffice
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: rhl9
CC: dcbw, pekkas
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: LEGACY, rh9
Doc Type: Bug Fix
Last Closed: 2005-05-13 00:51:47 UTC

Description Dan Williams 2005-04-15 13:41:13 UTC
+++ This bug was initially created as a clone of Bug #154742 +++

Advisory: http://www.securityfocus.com/bid/13092/
Fedora Core 3 update:
http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00027.html

  An attacker may exploit this issue by crafting a malformed .doc file and 
  enticing a user to open this file with the affected application. If a vulnerable
  user opens this file in OpenOffice, the application may crash due to memory 
  corruption. This issue may also be leveraged to execute arbitrary code in the 
  context of the user running OpenOffice. 

Patchfile: patches-OOO_1_1-sot-overflow.diff  (from FC2 & FC3 packages)

See also bug #152784 (CAN-2004-0752) which is not yet fixed in RHL9.

Comment 1 Matthew Miller 2005-04-16 15:07:51 UTC
This should be fixed in the packages Dan made, available temporarily from
<ftp://evol.bu.edu/openoffice/>, with checksums at
<http://people.redhat.com/dcbw/ooo/rh9-ooo-md5sums.txt>.

Note that there's a mismatch with openoffice-libs-1.0.2-11.2.legacy.i386.rpm
right now -- we'll get that straightened out soon.

Comment 2 Matthew Miller 2005-04-17 03:32:36 UTC
Okay, fixed. Thanks again to Dan.

Comment 3 Dan Williams 2005-04-17 14:40:40 UTC
Note that these packages also fix Bug 152784 (CAN-2004-0752 - openoffice.org temp file handling bug).

Comment 4 Marc Deslauriers 2005-05-02 12:00:03 UTC
Packages were pushed to updates-testing.

Thanks again Dan for your help on this issue.

Comment 5 Pekka Savola 2005-05-06 16:39:00 UTC
QA for RHL9:

Installed openoffice, -i18n, and -libs.  Installation went smoothly, and
basic functionality (like opening .doc files) seemed to work OK.

+VERIFY RHL9

(Not sure what to put in when the bug has been split across multiple distro
versions, and some of those still need VERIFY while others don't..)


Comment 6 Marc Deslauriers 2005-05-13 00:51:47 UTC
Released to updates.