Bug 154988 - FC1: CAN-2005-0941: remote heap overflow vulnerability (bad .doc file can exec arbitrary code)
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: openoffice
Version: fc1
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, 1
Keywords: Security
Reported: 2005-04-15 09:30 EDT by Dan Williams
Modified: 2007-04-18 13:23 EDT
Doc Type: Bug Fix
Last Closed: 2005-05-12 20:52:06 EDT

Description Dan Williams 2005-04-15 09:30:28 EDT
+++ This bug was initially created as a clone of Bug #154742 +++

Advisory: http://www.securityfocus.com/bid/13092/
Fedora Core 3 update:
http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00027.html

  An attacker may exploit this issue by crafting a malformed .doc file and 
  enticing a user to open this file with the affected application. If a vulnerable
  user opens this file in OpenOffice, the application may crash due to memory 
  corruption. This issue may also be leveraged to execute arbitrary code in the 
  context of the user running OpenOffice. 

Patchfile: patches-OOO_1_1-sot-overflow.diff  (from FC2 & FC3 packages)

See also bug #152784 (CAN-2004-0752) which is not yet fixed for FC1.
Comment 1 Dan Williams 2005-04-15 09:31:33 EDT
I have packages for FC1 that fix this and bug #152784, but need upload space as
I have exceeded my quota for my people.redhat.com account...
Comment 2 Dan Williams 2005-04-15 09:39:16 EDT
Verified that my FC1 packages are not vulnerable to this bug, using the exploit
document in bug 154540 (vul3.doc).
Comment 3 Dan Williams 2005-04-15 11:38:15 EDT
Packages uploaded to Matthew Miller.

MD5 sums:  http://people.redhat.com/dcbw/ooo/fc1-ooo-md5sums.txt
Comment 4 Matthew Miller 2005-04-16 11:02:30 EDT
Available for download temporarily from <ftp://evol.bu.edu/openoffice/>. Note
that there's currently an md5sum mismatch for 
openoffice-libs-1.0.2-11.2.legacy.i386.rpm, but the rest are good. That should
be corrected soon.
Comment 5 Matthew Miller 2005-04-16 11:08:24 EDT
(Mismatch only affects RHL9, bug #154989. The FC1 packages should be fine.)
Comment 6 Dan Williams 2005-04-17 10:40:42 EDT
Note that these packages also fix Bug 152784 (CAN-2004-0752 - openoffice.org temp file handling bug).
Comment 7 Marc Deslauriers 2005-05-01 02:31:58 EDT
Matthew, the ftp site in comment 4 doesn't seem to be responding...
Could you take a look at it? I would like to release these packages.
Comment 8 Marc Deslauriers 2005-05-02 08:01:17 EDT
Packages were pushed to updates-testing.
Comment 9 mschout 2005-05-10 15:45:55 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 Verify:

sha1
e93f1b81c245b1d5168256b24aa8c82f6dacb2da  openoffice.org-1.1.0-16.2.legacy.i386.rpm
1adaa0cf3764aaef0cd8a9597d24f217ee547d0a  openoffice.org-i18n-1.1.0-16.2.legacy.i386.rpm
2ebd3693673e0320c2d6407696949cf0fef2b9b3  openoffice.org-libs-1.1.0-16.2.legacy.i386.rpm

signatures:
dsa sha1 md5 gpg OK on all 3 packages

installed without any warnings or errors

I started up writer and calc.  Both appear to work.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCgQ8T+CqvSzp9LOwRAil7AKDGNN7kKT8N8BV6ZMzgVJI2D+iUJwCfclDH
Su/3NCDKcCTfTuFTksjTMCU=
=E41b
-----END PGP SIGNATURE-----
Comment 10 Marc Deslauriers 2005-05-12 20:52:06 EDT
Released to updates.
