The SureRun Security team reported an integer overflow in OpenOffice.org's Windows Metafile (WMF) parser.
To quote the advisory from SureRun:
The vulnerability exists within the code responsible for parsing the
META_ESCAPE record in an WMF file. This code reads in two 32-bit
integers from the file, and then uses them in an arithmetic operation
that calculates the number of bytes to allocate for a dynamic buffer.
This calculation can overflow, resulting in an insufficiently sized
buffer being allocated. Subsequently, this buffer is overflowed with
data from the file.
Do you have the upstream patch for this one?
It looks like the OpenOffice.org 2.0.x branch and below do not support WMF files, hence they should not be affected by this flaw.
It appears to have been added in 2.1.x somewhere.
Created attachment 317014 [details]
upstream's patch (original horrific patch format)
I'm not sure that 1.1.X and any particular 2.X.Y are unaffected ? looks like pretty much the same code as current.
I'm inclined to believe you if you say it affects 1.1.x and 2.x.y. I couldn't get them to open the WMF format.
Created attachment 317041 [details]
better patch format
Insert Picture->From File might have some success in handling a .wmf file on earlier versions
So it does. I'll file bugs for the various other versions of OOo we have.
Public now via:
Fixed upstream in 2.4.2.
openoffice.org-2.3.0-6.17.fc8 has been submitted as an update for Fedora 8.
openoffice.org-2.4.2-18.1.fc9 has been submitted as an update for Fedora 9.
openoffice.org-2.4.2-18.1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
openoffice.org-2.3.0-6.17.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: