Bug 217347

Summary: CVE-2006-5870 WMF heap overflow
Product: Red Hat Enterprise Linux 4 Reporter: Mark J. Cox <mjc>
Component: openoffice.orgAssignee: Caolan McNamara <caolanm>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: reported=20061123,source=suse,public=20061212,impact=important
Fixed In Version: RHSA-2007-0001 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-01-03 18:41:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed patch none

Description Mark J. Cox 2006-11-27 11:33:45 UTC 
The OpenOffice folks have a patch to catch corrupt wmf/emf files with out of
bounds values in the emf/wmf file.  An attacker could create a malicious file in
such a way it may be able to execute arbitrary code if opened in OpenOffice by a
victim.  Since this requires user interaction it is severity important.

http://www.openoffice.org/issues/show_bug.cgi?id=70042

Affects: RHEL3, RHEL4
Comment 1 Mark J. Cox 2006-11-27 11:33:45 UTC 
Created attachment 142161 [details]
Proposed patch
Comment 2 Josh Bressers 2006-12-04 21:46:23 UTC 
Any news on this update?
Comment 3 Caolan McNamara 2006-12-05 08:59:45 UTC 
There's a lot of building in 5 OOos :-)

RHEL-3: openoffice.org-1.1.2-35.2.0.EL3
RHEL-4: openoffice.org-1.1.5-5.6.0.EL4
RHEL-5: openoffice_org-2.0.4-5.4.12 (bug 217348) 
FC-5:   openoffice.org-2.0.2-5.20.2
FC-6:   openoffice.org-2.0.4-5.5.7

I suspect the embargo date should be pushed out to 12.12.2006 to match 2.1
release date
Comment 8 Josh Bressers 2007-01-03 12:35:34 UTC 
This issue is public:
http://www.openoffice.org/servlets/ReadMsg?list=releases&msgNo=10454
Comment 9 Red Hat Bugzilla 2007-01-03 18:41:17 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0001.html