Bug 196679 - CVE-2006-2198 various OOo advisories (CVE-2006-2199, CVE-2006-3117)
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openoffice.org
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Caolan McNamara
Whiteboard: impact=important,source=openoffice,re...
Keywords: Security
Duplicates: 196700
Reported: 2006-06-26 13:16 UTC by Caolan McNamara
Modified: 2007-11-30 22:07 UTC (History)
Last Closed: 2006-07-03 16:04:34 UTC

Attachments
sample document (431.07 KB, application/vnd.sun.xml.writer)
2006-06-26 13:17 UTC, Caolan McNamara

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0573 normal SHIPPED_LIVE Important: openoffice.org security update 2006-07-03 04:00:00 UTC

Comment 2 Caolan McNamara 2006-06-26 13:20:59 UTC
After all that news about Stardust, some Sun security specialist did some
 deeper security audits in StarOffice. And he did a really great job on that!

He found a solution to put macros into document locations where our
application framework doesn't expect them.
The macros can be contained there for some historical reasons, and some
other code is starting the execution without checking permissions.

The macro will be executed when loading the document, even if macros are
disabled, without any user interaction!

There was another thing our security specialist found out.

It is possible to write Java applets that break out of the sandbox!

People here in StarOffice engineering think the best solution for this
is not to fix the old implementation, but to remove it completely,
because nobody should need Java Applets in StarOffice/OpenOffice.org

We introduced them in a time when StarOffice 5 was a desktop, mail/news
client and - a browser.

I believe OOo people will be happy to remove that old Sun Java code...

But removing it is not an option for the next minor release, and we also
can't be sure if people use that feature.

So we plan to disable them in the configuration.

Sure. I have attached an sxw file (to reproduce it) and the style.xml. The
files are a bit messy but should demonstrate the issue. If you open the sxw
it will crash OO. Also, if you change the extension it will also crash the
other applications.

The crash allows for a value to be written to an arbitrary location
in memory. This will lead to command execution in
the context of the current user.

Comment 4 Marcel Holtmann 2006-06-27 14:52:40 UTC
*** Bug 196700 has been marked as a duplicate of this bug. ***

Comment 9 Red Hat Bugzilla 2006-07-03 16:04:34 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
