Bug 622529 (CVE-2010-2935)

Summary: CVE-2010-2935 OpenOffice.Org: Integer truncation error by parsing specially-crafted Microsoft PowerPoint document
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: caolanm, mjc, security-response-team, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-15 21:41:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 622831, 622833, 622857, 622858, 622859, 622861, 622862, 623608, 623609    
Bug Blocks:    
Attachments:
Description Flags
final upstream agreed patch, essentially the same none

Description Jan Lieskovsky 2010-08-09 16:05:01 UTC 
An integer truncation error, leading to heap-based buffer overflow was
found in the way OpenOffice.org Impress presentation application
sanitized dictionary property items of the processed file. An attacker
could use this flaw to create a specially-crafted Microsoft PowerPoint
(PPT) file that, when opened, would cause simpress.bin executable to
crash, or, possibly execute arbitrary code with the privileges of the
user running the ooimpress tool.

References:
  [1] http://secunia.com/advisories/40775/
  [2] http://securityevaluators.com/files/papers/CrashAnalysis.pdf
  [3] http://www.openoffice.org/servlets/ReadMsg?list=dev&msgNo=27690

CVE Request:
  [4] http://www.openwall.com/lists/oss-security/2010/08/11/1
Comment 5 Jan Lieskovsky 2010-08-09 16:22:00 UTC 
This issue affects the versions of the openoffice.org package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue affects the version of the openoffice.org-impress package, as
shipped with Red Hat Enterprise Linux 5.

--

This issue affects the versions of the openoffice.org-impress package, as shipped with Fedora release of 12 and 13. Though the impact of this flaw
is mitigated there. For further details, please proceed to:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=623609#c2
Comment 6 Caolan McNamara 2010-08-09 17:46:37 UTC 
Created attachment 437664 [details]
final upstream agreed patch, essentially the same
Comment 11 Vincent Danen 2010-08-11 20:37:35 UTC 
This issue has been assigned the name CVE-2010-2935.
Comment 13 Jan Lieskovsky 2010-08-12 10:01:22 UTC 
Created openoffice.org tracking bugs for this issue

Affects: fedora-all [bug 623609]
Comment 15 Jan Lieskovsky 2010-08-12 15:33:59 UTC 
Statement:

This issue is not planned to be fixed in Red Hat Enterprise Linux 5, as its impact is mitigated by standard glibc protection mechanisms to cause only application abort.

Red Hat Security Response Team does not consider a user-assisted crash (abort) of a client application, such as OpenOffice.org Impress tool, to be a security issue.
Comment 16 errata-xmlrpc 2010-08-23 14:33:01 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2010:0643 https://rhn.redhat.com/errata/RHSA-2010-0643.html