Bug 527556 (CVE-2009-3569, CVE-2009-3570, CVE-2009-3571)

Summary: CVE-2009-3569, CVE-2009-3570, CVE-2009-3571 openoffice.org: multiple reported vulnerabilities in OOo
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED INSUFFICIENT_DATA
Severity: high
Priority: high
Version: unspecified
CC: caolanm
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-21 19:20:14 UTC

Description Vincent Danen 2009-10-06 22:08:59 UTC
Multiple vulnerabilities were reported against OpenOffice.org; the original report indicates the affected platform is Windows, but without any evidence to substantiate that, we cannot claim this does not affect us.


Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3569 to
the following vulnerability:

Name: CVE-2009-3569
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3569
Assigned: 20091006
Reference: MISC: http://intevydis.com/vd-list.shtml
Reference: BID:36285
Reference: URL: http://www.securityfocus.com/bid/36285
Reference: SECTRACK:1022832
Reference: URL: http://www.securitytracker.com/id?1022832

Stack-based buffer overflow in OpenOffice.org (OOo) allows remote
attackers to execute arbitrary code via unspecified vectors, as
demonstrated by a certain module in VulnDisco Pack Professional 8.8,
aka "Client-side stack overflow exploit." NOTE: as of 20091005, this
disclosure has no actionable information. However, because the
VulnDisco Pack author is a reliable researcher, the issue is being
assigned a CVE identifier for tracking purposes.



Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3570 to
the following vulnerability:

Name: CVE-2009-3570
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3570
Assigned: 20091006
Reference: MISC: http://intevydis.com/vd-list.shtml
Reference: BID:36285
Reference: URL: http://www.securityfocus.com/bid/36285
Reference: SECTRACK:1022828
Reference: URL: http://www.securitytracker.com/id?1022828

Unspecified vulnerability in OpenOffice.org (OOo) has unspecified
impact and remote attack vectors, as demonstrated by a certain module
in VulnDisco Pack Professional 8.9.  NOTE: as of 200901005, this
disclosure has no actionable information. However, because the
VulnDisco Pack author is a reliable researcher, the issue is being
assigned a CVE identifier for tracking purposes.



Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3571 to
the following vulnerability:

Name: CVE-2009-3571
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3571
Assigned: 20091006
Reference: MISC: http://intevydis.com/vd-list.shtml
Reference: BID:36285
Reference: URL: http://www.securityfocus.com/bid/36285
Reference: SECTRACK:1022832
Reference: URL: http://www.securitytracker.com/id?1022832

Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact
and client-side attack vector, as demonstrated by a certain module in
VulnDisco Pack Professional 8.8, aka "Client-side exploit." NOTE: as
of 200901005, this disclosure has no actionable information. However,
because the VulnDisco Pack author is a reliable researcher, the issue
is being assigned a CVE identifier for tracking purposes.

Comment 1 Vincent Danen 2010-03-09 20:12:48 UTC
There is currently still no information on these vulnerabilities available.

Comment 2 Vincent Danen 2010-12-21 19:20:14 UTC
There is still no actionable information on this and nothing from upstream regarding it, so it's not possible to know whether these are legitimate vulnerabilities or not.

If we don't know what the problem is, we can't fix it, and this has been open for over a year with no information coming forward anywhere (and no other vendors have found/obtained any information here either).