Bug 622555 (CVE-2010-2936)
|Summary:||CVE-2010-2936 OpenOffice.org: Heap-based buffer overflow by parsing specially-crafted Microsoft PowerPoint document|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||caolanm, mjc, security-response-team, vdanen|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2013-03-26 14:43:36 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||622831, 622833, 622857, 622858, 622859, 622861, 622862, 623608, 623609|
Description Jan Lieskovsky 2010-08-09 17:45:32 UTC
A short integer overflow, leading to heap-based buffer overflow was found in the way OpenOffice.org Impress presentation aplication processed polygons in input document. An attacker could use this flaw to create a specially-crafted Microsoft PowerPoint (PPT) file that, when opened, would cause simpress.bin executable to crash, or, possibly execute arbitrary code with the privileges of the user running the ooimpress tool. References:  http://secunia.com/advisories/40775/  http://securityevaluators.com/files/papers/CrashAnalysis.pdf  http://www.openoffice.org/servlets/ReadMsg?list=dev&msgNo=27690 CVE Request:  http://www.openwall.com/lists/oss-security/2010/08/11/1
Comment 4 Jan Lieskovsky 2010-08-10 10:34:08 UTC
Final upstream agreed patch for both issues is here:  https://bugzilla.redhat.com/show_bug.cgi?id=622529#c6 (the generic/poly.cxx part of it applies to this bug report).
Comment 8 Jan Lieskovsky 2010-08-10 16:41:33 UTC
This issue affects the versions of the openoffice.org package, as shipped with Red Hat Enterprise Linux 3 and 4. This issue affects the version of the openoffice.org-impress package, as shipped with Red Hat Enterprise Linux 5. -- This issue affects the versions of the openoffice.org-impress package, as shipped with Fedora release of 12 and 13. Though the impact of this flaw is mitigated there. For further details please proceed to:  https://bugzilla.redhat.com/show_bug.cgi?id=623609#c2
Comment 10 Vincent Danen 2010-08-11 20:38:30 UTC
This issue has been assigned the name CVE-2010-2936.
Comment 12 Jan Lieskovsky 2010-08-12 10:01:56 UTC
Created openoffice.org tracking bugs for this issue Affects: fedora-all [bug 623609]
Comment 14 Jan Lieskovsky 2010-08-12 15:35:33 UTC
Statement: This issue is not planned to be fixed in Red Hat Enterprise Linux 5, as its impact is mitigated by standard glibc protection mechanisms to cause only application abort. Red Hat Security Response Team does not consider a user-assisted crash (abort) of a client application, such as OpenOffice.org Impress tool, to be a security issue.