Bug 196679

Summary: CVE-2006-2198 various OOo advisories (CVE-2006-2199, CVE-2006-3117)
Product: Red Hat Enterprise Linux 4
Reporter: Caolan McNamara <caolanm>
Component: openoffice.org
Assignee: Caolan McNamara <caolanm>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 4.0
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,source=openoffice,reported=20060609,embargo=yes,public=20060629
Fixed In Version: RHSA-2006-0573
Doc Type: Bug Fix
Last Closed: 2006-07-03 16:04:34 UTC
Attachments: sample document (flags: none)

Comment 2 Caolan McNamara 2006-06-26 13:20:59 UTC
CVE-2006-2198:
After all that news about Stardust, some Sun security specialist did some
deeper security audits in StarOffice. And he did a really great job on that!

He found a solution to put macros into document locations where our
application framework doesn't expect them.
The macros can be contained there for some historical reasons, and some
other code is starting the execution without checking permissions.

The macro will be executed when loading the document, even if macros are
disabled, without any user interaction!

CVE-2006-2199:
There was another thing our security specialist found out.

It is possible to write Java applets that break out of the sandbox!

People here in StarOffice engineering think the best solution for this
is not to fix the old implementation, but to remove it completely,
because nobody should need Java Applets in StarOffice/OpenOffice.org
anymore.

We introduced them in a time when StarOffice 5 was a desktop, mail/news
client and - a browser.

I believe OOo people will be happy to remove that old Sun Java code...

But removing it is not an option for the next minor release, and we also
can't be sure if people use that feature.

So we plan to disable them in the configuration.

CVE-2006-3117:
Sure. I have attached an sxw file (to reproduce it) and the style.xml. The
files are a bit messy but should demonstrate the issue. If you open the
sxw it will crash OO. Also, if you change the extension it will also
crash the other applications.

The crash allows for a value to be written to an arbitrary location
in memory. This will lead to command execution in the context of the
current user.

Comment 4 Marcel Holtmann 2006-06-27 14:52:40 UTC
*** Bug 196700 has been marked as a duplicate of this bug. ***

Comment 9 Red Hat Bugzilla 2006-07-03 16:04:34 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0573.html