Red Hat Bugzilla – Bug 196679
CVE-2006-2198 various OOo advisories (CVE-2006-2199, CVE-2006-3117)
Last modified: 2007-11-30 17:07:25 EST
After all that news about Stardust, some Sun security specialist did some
deeper security audits in StarOffice. And he did a really great job on that!
He found a way to put macros into document locations where our
application framework doesn't expect them.
The macros can be contained there for some historical reasons, and some
other code is starting the execution without checking permissions.
The macro will be executed when loading the document, even if macros are
disabled, without any user interaction!
There was another thing our security specialist found out.
It is possible to write Java applets that break out of the sandbox!
People here in StarOffice engineering think the best solution for this
is not to fix the old implementation, but to remove it completely,
because nobody should need Java Applets in StarOffice/OpenOffice.org
We introduced them in a time when StarOffice 5 was a desktop, mail/news
client and - a browser.
I believe OOo people will be happy to remove that old Sun Java code...
But removing it is not an option for the next minor release, and we also
can't be sure if people use that feature.
So we plan to disable them in the configuration.
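The comment above makes two points a document-triage tool has to respect: a loader
may execute macro content from places the framework does not normally look in, and the
archive is recognised by content rather than by file extension. The script below is an
added example, not code from this bug report or from OpenOffice.org: it treats an
OpenOffice.org document as the ZIP container it is, walks every entry rather than only
the `Basic/` tree, and reports any entry carrying Basic module or event-binding markers.
The element names (`script:module`, `library:library`, `script:event`, `office:script`)
are taken from the OOo 1.x XML formats and are an assumption of the example; the sample
document it builds is constructed for the test and is not the attachment from this
report.

```python
"""Triage an OpenOffice.org 1.x document (sxw/sxc/sxi: a ZIP container) for
macro content without trusting the file extension or the paths where the
application expects macros.  Added example; not code from the bug report
or from OpenOffice.org."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
EXPECTED_MACRO_DIR = "Basic/"   # where OOo normally stores Basic libraries

# Byte markers for Basic macro containers and document script hooks.  The
# element names follow the OOo 1.x XML namespaces (an assumption from the
# file format, not something the bug report states).
MACRO_MARKERS = {
    b"<script:module": "basic",     # body of a StarBasic module
    b"<library:librar": "basic",    # script-lc.xml / script-lb.xml indexes
    b"<script:event": "hook",       # event binding that can fire a macro on load
}


def is_zip_container(data: bytes) -> bool:
    """Decide by content: the loader sniffs the archive, so a renamed
    document is still opened as a document."""
    return data.startswith(ZIP_MAGIC)


def scan_document(data: bytes) -> list:
    """Walk every ZIP entry and record which macro markers it carries."""
    findings = []
    if not is_zip_container(data):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            body = zf.read(info)
            kinds = sorted({k for m, k in MACRO_MARKERS.items() if m in body})
            if kinds:
                findings.append({"entry": info.filename, "kinds": kinds})
    return findings


def triage(findings: list) -> dict:
    """Separate Basic code living outside Basic/ from auto-run event hooks."""
    return {
        "basic_outside_expected_dir": sorted(
            f["entry"] for f in findings
            if "basic" in f["kinds"] and not f["entry"].startswith(EXPECTED_MACRO_DIR)),
        "event_hooks": sorted(f["entry"] for f in findings if "hook" in f["kinds"]),
    }


def build_sample() -> bytes:
    """Constructed sample (not the attachment from this report): a Basic module
    in the expected Basic/ tree, a copy under a hypothetical odd path, and an
    on-load event binding in content.xml."""
    module = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b'<script:module xmlns:script="http://openoffice.org/2000/script" '
              b'script:name="Module1" script:language="StarBasic">'
              b'Sub Main\n  MsgBox "hello"\nEnd Sub</script:module>')
    content = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<office:document-content xmlns:office="http://openoffice.org/2000/office" '
               b'xmlns:script="http://openoffice.org/2000/script">'
               b'<office:script><script:event script:event-name="on-load" '
               b'script:language="StarBasic" script:location="document" '
               b'script:macro-name="Standard.Module1.Main"/></office:script>'
               b'<office:body/></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.sun.xml.writer",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
        zf.writestr("Basic/Standard/Module1.xml", module)
        zf.writestr("Pictures/Module1.xml", module)   # hypothetical unexpected path
    return buf.getvalue()


if __name__ == "__main__":
    report = triage(scan_document(build_sample()))
    for key, entries in report.items():
        print(f"{key}: {', '.join(entries) or 'none'}")
```

Run it on a real file by replacing `build_sample()` with the file's bytes; a document whose
extension was changed still scans, because only the leading ZIP signature is consulted. The
scanner is deliberately dumb about where it looks: the lesson of the report is that a
loader's notion of the "expected" macro location is not a security boundary.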
Sure. I have attached an sxw file (to reproduce it) and the style.xml. The
files are a bit messy but should demonstrate the issue. If you open the sxw
it will crash OO. Also, if you change the extension it will also crash the
other applications.
The crash allows for a value to be written to an arbitrary location in
memory. This will lead to command execution in the context of the current
user.
*** Bug 196700 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.