Bug 196679 - CVE-2006-2198 various OOo advisories (CVE-2006-2199, CVE-2006-3117)
CVE-2006-2198 various OOo advisories (CVE-2006-2199, CVE-2006-3117)
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openoffice.org (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: Caolan McNamara
: Security
: 196700 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2006-06-26 09:16 EDT by Caolan McNamara
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version: RHSA-2006-0573
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-07-03 12:04:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
sample document (431.07 KB, application/vnd.sun.xml.writer)
2006-06-26 09:17 EDT, Caolan McNamara
no flags Details

  None (edit)
Comment 2 Caolan McNamara 2006-06-26 09:20:59 EDT
After all that news about Stardust, some Sun security specialist did some
 deeper security audits in StarOffice. And he did a really great job on that!

He found a solution to put macros into document locations where our
application framework doesn't expect them.
The macros can be contained there for some historical reasons, and some
other code is starting the execution without checking permissions.

The macro will be executed when loading the document, even if macros are
disabled, without any user interaction!

There was an other thing our security specialist found out.

It is possible to write Java applets that breaks out of the sandbox!

People here in StarOffice engineering think the best solution for this
is not to fix the old implementation, but to remove it completely,
because nobody should need Java Applets in StarOffice/OpenOffice.org

We introduced them in a time when StarOffice 5 was a desktop, mail/news
client and - a browser.

I believe OOo people will be happy to remove that old Sun Java code...

But removing it is not an option for the next minor release, and we also
can't be sure if people use that feature.

So we plan to disable them in the configuration.

Sure. I have attached a sxw file (to reproduce it) and the style.xml.The
files are a bit messy but should
demonstrate the issue. If you open the sxw it will crash OO. Also, if
you change the extension if will also
crash the other applications.

The crash allows the for a value to be written to an arbitrary location
in memory. This will lead to command execution in
the context of the current user.
Comment 4 Marcel Holtmann 2006-06-27 10:52:40 EDT
*** Bug 196700 has been marked as a duplicate of this bug. ***
Comment 9 Red Hat Bugzilla 2006-07-03 12:04:34 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.