Red Hat Bugzilla – Bug 154742
CAN-2005-0941: remote heap overflow vulnerability (bad .doc file can exec arbitrary code)
Last modified: 2007-04-18 13:23:42 EDT
Fedora Core 3 update:
An attacker may exploit this issue by crafting a malformed .doc file and
enticing a user to open this file with the affected application. If a vulnerable
user opens this file in OpenOffice, the application may crash due to memory
corruption. This issue may also be leveraged to execute arbitrary code in the
context of the user running OpenOffice.
Filing this for Fedora Core 2; seems like it probably also affects FC1 and RHL9.
(For those releases, also see bug #152784 (CAN-2004-0752) which is already fixed
The (pre-update) FC3 package and FC2 package are basically identical; we should
be able to just rebuild the FC3 package to make our update.
I actually have FC2 packages that I pushed through Beehive right before the
cutoff date happened. I'd be happy to post them somewhere, since I was just
about to push them to fc2-updates anyway right when the cutoff came around.
packages for FC2 are here:
Packages were pushed to updates-testing.
fc2: openoffice.org-1.1.3-11.4.0.fc2 packages were downloaded into a temporary
directory, checked with rpm -K openoffice*, and installed without any exceptions.
In turn, openoffice.org calc, draw, impress, and writer were opened and used
without encountering any exceptions. Project management and Math were opened
and closed, but not used.
Tests performed included the following.
1. A new document was created and saved in native oo.o format. Writer was
closed, reopened and the newly created writer document was opened and closed
without exception or error.
2. A pre-existing native oo.o format document containing both text and tables
imported from oo.o calc was loaded, edited slightly and saved without error.
3. A pre-existing .doc file was opened and saved in native oo.o format, as
.pdf, as .rtf, and as .html. All created documents were subsequently opened
with oo.o. The .rtf document was also opened with abiword, the .html document
was opened with Konqueror, and the .pdf document was opened with PDF Viewer.
1. A pre-existing .xls spreadsheet document of greater size than oo.o can
process was opened. oo.o continued running, advising the user that rows in
excess of oo.o capacity were not imported. (Unexpected outcome: Loading of this
spreadsheet file seemed a bit faster than I remembered from earlier versions of
2. A new spreadsheet was created using test data and four of the more simple
built-in statistical functions. No errors or exceptions encountered.
3. Several existing .xls files containing table lookups, multiple coloring of
text, statistical functions, relatively sophisticated formatting were
successfully opened without observing any indications that formatting had changed
or that functions used were not accurately supported.
1. Simple new documents were created and saved. Oo.o was closed, reopened and
the newly created documents were reopened without error.
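The tester's first step above (download to a temporary directory, check with rpm -K, then install) is the one that decides whether an untrusted update package ever reaches the system. The script below is an added example, not part of the bug report or of the Fedora tooling: it gates installation on the rpm -K result, refusing packages whose signature did not verify or that carry no signature at all. It assumes the two rpm -K output formats shown in its comments and that the distribution's signing key has already been imported with rpm --import.

```shell
#!/bin/sh
# Added example (not from the bug report): refuse to install packages unless
# `rpm -K` reports a verified signature for every file.
# Assumed `rpm -K` line formats (one per package):
#   old rpm (FC2 era):  pkg.rpm: (sha1) dsa sha1 md5 gpg OK
#   newer rpm:          pkg.rpm: digests signatures OK
# Failures look like "... NOT OK"; an unsigned package shows neither "gpg"
# nor "signatures" (e.g. "pkg.rpm: digests OK"), which must also be refused.
# The signing key must be imported first, e.g. rpm --import <keyfile>.

# check_sig_output STRING -> 0 only if every non-blank line shows a
# verified signature; 1 otherwise
check_sig_output() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*$/     { next }           # skip blank lines
        /NOT OK/             { bad++; next }    # digest or signature failure
        !/ OK$/              { bad++; next }    # anything else not ending in OK
        !/gpg|signatures/    { bad++; next }    # digests only: unsigned package
        END { exit (bad > 0) }'
}

# verify_and_install DIR: run rpm -K over DIR/*.rpm, install only if clean
verify_and_install() {
    dir="$1"
    out=$(rpm -K "$dir"/*.rpm 2>&1) || true   # rpm -K exits non-zero on failure
    if check_sig_output "$out"; then
        rpm -Uvh "$dir"/*.rpm
    else
        printf 'refusing to install, rpm -K output was:\n%s\n' "$out" >&2
        return 1
    fi
}

# Constructed sample output for a quick self-check (no rpm needed).
SAMPLE_OK='openoffice.org-1.1.3-11.4.0.fc2.i386.rpm: (sha1) dsa sha1 md5 gpg OK
openoffice.org-libs-1.1.3-11.4.0.fc2.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_UNSIGNED='openoffice.org-1.1.3-11.4.0.fc2.i386.rpm: (sha1) sha1 md5 OK'
SAMPLE_BAD='openoffice.org-1.1.3-11.4.0.fc2.i386.rpm: digests SIGNATURES NOT OK'

if check_sig_output "$SAMPLE_OK"; then echo "signed set: accepted"; fi
if ! check_sig_output "$SAMPLE_UNSIGNED"; then echo "unsigned: refused"; fi
if ! check_sig_output "$SAMPLE_BAD"; then echo "bad signature: refused"; fi
```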
Released to updates