Bug 500993 (CVE-2009-0200)

Summary: CVE-2009-0200 OpenOffice.org Word document Integer Underflow
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: caolanm, dtardon, kevin.wilson, kreilly, lihuang, osoukup, security-response-team, yoyzhang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-04 10:36:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 519163, 519164, 519165, 519166, 519167, 519169, 519170    
Bug Blocks:    
Attachments:
Description Flags
my proposed patch
none
final patch (same as the originaly really) none

Description Josh Bressers 2009-05-15 12:13:33 UTC 
Dyon Balding of Secunia Research has reported a flaw in OpenOffice.org's MS Word handling code. When parsing the sprmTDelete record an integer underflow can be triggered that could result in a heap-based buffer overflow.
Comment 3 Caolan McNamara 2009-05-15 12:31:08 UTC 
Created attachment 344137 [details]
my proposed patch
Comment 9 Caolan McNamara 2009-08-21 12:09:12 UTC 
Created attachment 358230 [details]
final patch (same as the originaly really)
Comment 13 Tomas Hoger 2009-08-31 12:55:30 UTC 
New upstream OpenOffice.org release 3.1.1 is out including the fix, details of the flaw remain non-public until Sep11.

http://www.openoffice.org/servlets/ReadMsg?list=announce&msgNo=398
Comment 14 Vincent Danen 2009-09-01 14:27:01 UTC 
This is public now: http://secunia.com/advisories/35036/
Comment 15 Fedora Update System 2009-09-02 07:42:27 UTC 
openoffice.org-3.0.1-15.5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/openoffice.org-3.0.1-15.5.fc10
Comment 16 Fedora Update System 2009-09-03 08:00:56 UTC 
openoffice.org-3.0.1-15.6.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/openoffice.org-3.0.1-15.6.fc10
Comment 18 Fedora Update System 2009-09-04 03:59:47 UTC 
openoffice.org-3.0.1-15.6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 errata-xmlrpc 2009-09-04 10:24:28 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1426 https://rhn.redhat.com/errata/RHSA-2009-1426.html
Comment 20 Tomas Hoger 2009-09-04 10:36:48 UTC 
F11 is already updated to fixed upstream version 3.1.1.
Comment 21 Tomas Hoger 2009-09-07 19:05:55 UTC 
OpenOffice.org Security Bulletin:

http://www.openoffice.org/security/cves/CVE-2009-0200-0201.html

Fixed upstream in upstream versions 3.1.1 and 2.4.3.
Comment 22 Kevin 2009-12-09 14:54:53 UTC 
FYI: Downgrade conflict detected. I already have 3.1.1 installed. Update service is reporting I need a security fix of openoffice.org-ure-1:3.0.1-15.6.fc10(i386) but I already have openoffice.org-ure-1.5.1-9420.i586.

I don't believe your UNO runtime environment bug fix should be reported as necessary when a later (but non-fedora supplied) version of OOo is installed.
Comment 23 Caolan McNamara 2009-12-09 15:09:58 UTC 
You have a package called "openoffice.org-ure" from (effectively) a different repository installed on your fedora. Conflicting packages with the same names is unfortunate but neither new nor fully under our control. If you want to mix different repositories which contain conflicting packages using the same name  then you need to disable the packages from the fedora repository, e.g. see man yum.conf and exclude. This is not specific to this or any update.
Comment 24 Kevin 2009-12-09 15:27:36 UTC 
>>Conflicting packages with the same names is unfortunate but neither new nor fully under our control

My apologies. I thought the version of the package would be checked if already detected as installed on the target before a update would be flagged as necessary. I will do as you suggest, thanks for the info.

rpm -qa | grep "openoffice.org"
openoffice.org3-draw-3.1.1-9420.i586
openoffice.org3-math-3.1.1-9420.i586
openoffice.org3-calc-3.1.1-9420.i586
openoffice.org3-dict-fr-3.1.1-9420.i586
openoffice.org3-impress-3.1.1-9420.i586
openoffice.org-ure-1.5.1-9420.i586
openoffice.org3-3.1.1-9420.i586
openoffice.org3-dict-en-3.1.1-9420.i586
openoffice.org3.1-redhat-menus-3.1-9420.noarch
openoffice.org3-base-3.1.1-9420.i586
openoffice.org3-dict-es-3.1.1-9420.i586
openoffice.org3-en-US-3.1.1-9420.i586
openoffice.org3-writer-3.1.1-9420.i586