CVE-2006-2198: After all that news about Stardust, some Sun security specialist did some deeper security audits in StarOffice. And he did a really great job on that! He found a solution to put macros into document locations where our application framework doesn't expect them. The macros can be contained there for some historical reasons, and some other code is starting the execution without checking permissions. The macro will be executed when loading the document, even if macros are disabled, without any user interaction! CVE-2006-2199: There was an other thing our security specialist found out. It is possible to write Java applets that breaks out of the sandbox! People here in StarOffice engineering think the best solution for this is not to fix the old implementation, but to remove it completely, because nobody should need Java Applets in StarOffice/OpenOffice.org anymore. We introduced them in a time when StarOffice 5 was a desktop, mail/news client and - a browser. I believe OOo people will be happy to remove that old Sun Java code... But removing it is not an option for the next minor release, and we also can't be sure if people use that feature. So we plan to disable them in the configuration. CVE-2006-3117: Sure. I have attached a sxw file (to reproduce it) and the style.xml.The files are a bit messy but should demonstrate the issue. If you open the sxw it will crash OO. Also, if you change the extension if will also crash the other applications. The crash allows the for a value to be written to an arbitrary location in memory. This will lead to command execution in the context of the current user.
*** Bug 196700 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0573.html