Bug 462639 (CVE-2008-2237)
| Summary: | CVE-2008-2237 OpenOffice.org WMF integer overflow | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | unspecified | CC: | caolanm, dtardon, kreilly | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2008-11-06 10:59:38 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 462642, 462643, 462644, 462645, 462719, 462720, 462721 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
Caolan, Do you have the upstream patch for this one? Thanks. It looks like the OpenOffice.org 2.0.x branch and below do not support WMF files, hence they should not be affected by this flaw. It appears to have been added in 2.1.x somewhere. Created attachment 317014 [details]
upstream's patch (original horrific patch format)
I'm not sure that 1.1.X and any particular 2.X.Y are unaffected ? looks like pretty much the same code as current.
I'm inclined to believe you if you say it affects 1.1.x and 2.x.y. I couldn't get them to open the WMF format. Created attachment 317041 [details]
better patch format
Insert Picture->From File might have some success in handling a .wmf file on earlier versions
So it does. I'll file bugs for the various other versions of OOo we have. Thanks. Public now via: http://www.openoffice.org/security/cves/CVE-2008-2237.html Fixed upstream in 2.4.2. openoffice.org-2.3.0-6.17.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/openoffice.org-2.3.0-6.17.fc8 openoffice.org-2.4.2-18.1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/openoffice.org-2.4.2-18.1.fc9 openoffice.org-2.4.2-18.1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. openoffice.org-2.3.0-6.17.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0939.html Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9333 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9313 |
The SureRun Security team reported an integer overflow in OpenOffice.org's Windows Metafile (WMF) parser. To quote the advisory from SureRun: The vulnerability exists within the code responsible for parsing the META_ESCAPE record in an WMF file. This code reads in two 32-bit integers from the file, and then uses them in an arithmetic operation that calculates the number of bytes to allocate for a dynamic buffer. This calculation can overflow, resulting in an insufficiently sized buffer being allocated. Subsequently, this buffer is overflowed with data from the file.