Bug 475831 (CVE-2009-0259)

Summary: CVE-2009-0259 openoffice.org: text converter memory corruption via a crafted (1) .doc, (2) .wri, or (3) .rtf Word97 file
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: caolanm
URL: http://milw0rm.com/sploits/2008-crash.doc.rar
Doc Type: Bug Fix
Last Closed: 2009-01-23 15:17:03 UTC
Attachments:
  vcl10 (flags: none)
  this will probably work, trying a test-build at the moment (flags: none)

Description Jan Lieskovsky 2008-12-10 18:17:27 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4841 to
the following vulnerability:

The WordPad Text Converter for Word 97 files in Microsoft Windows 2000
SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to
execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf
Word 97 file that triggers memory corruption, as exploited in the wild
in December 2008. NOTE: As of 20081210, it is unclear whether this
vulnerability is related to a WordPad issue disclosed on 20080925 with
a 2008-crash.doc.rar example, but there are insufficient details to be
sure.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4841
http://www.milw0rm.com/exploits/6560
http://milw0rm.com/sploits/2008-crash.doc.rar
http://www.microsoft.com/technet/security/advisory/960906.mspx
http://www.securityfocus.com/bid/31399
http://www.securityfocus.com/bid/32718
http://securitytracker.com/id?1021376
http://secunia.com/advisories/32997

Comment 1 Jan Lieskovsky 2008-12-10 18:19:14 UTC
This issue affects the version of the openoffice.org package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the version of the openoffice.org package,
as shipped with Red Hat Enterprise Linux 5.

Comment 5 Caolan McNamara 2008-12-11 09:26:21 UTC
The trace looks very like the old stack of http://qa.openoffice.org/issues/show_bug.cgi?id=12936

Comment 7 Caolan McNamara 2009-01-21 10:50:40 UTC
Created attachment 329582 [details]
vcl10

This is the change, but as per the issue "problem does not exist anymore in current version; however I found a side effect while debugging: this would cause Type1 fonts with adjacent AFM files not to be recognized."

Comment 11 Jan Lieskovsky 2009-01-23 07:53:17 UTC
Common Vulnerabilities and Exposures assigned an identifier of CVE-2009-0259
to this vulnerability for the OpenOffice case:

The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf
Word 97 file that triggers memory corruption, as exploited in the wild
in December 2008, as demonstrated by 2008-crash.doc.rar, and a similar
issue to CVE-2008-4841.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0259
http://www.milw0rm.com/exploits/6560
http://milw0rm.com/sploits/2008-crash.doc.rar
http://www.openwall.com/lists/oss-security/2009/01/21/9

Comment 12 Caolan McNamara 2009-01-23 11:21:51 UTC
Created attachment 329810 [details]
this will probably work, trying a test-build at the moment

Comment 13 Jan Lieskovsky 2009-01-23 14:59:17 UTC
Official statement:

The Red Hat Security Response Team is not considering
this issue to be a security vulnerability due to the fact that
we do not treat a crash of a user application as
a security flaw.