Bug 462639 (CVE-2008-2237) - CVE-2008-2237 OpenOffice.org WMF integer overflow
Summary: CVE-2008-2237 OpenOffice.org WMF integer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-2237
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 462642 462643 462644 462645 462719 462720 462721
Blocks:
Reported: 2008-09-17 18:50 UTC by Josh Bressers
Modified: 2019-09-29 12:26 UTC (History)
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-06 10:59:38 UTC


Attachments
upstream's patch (original horrific patch format) (1.17 KB, patch)
2008-09-17 21:58 UTC, Caolan McNamara
better patch format (1.98 KB, patch)
2008-09-18 07:30 UTC, Caolan McNamara


Links
System: Red Hat Product Errata
ID: RHSA-2008:0939
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: openoffice.org security update
Last Updated: 2008-11-05 11:31:51 UTC

Description Josh Bressers 2008-09-17 18:50:07 UTC
The SureRun Security team reported an integer overflow in OpenOffice.org's Windows Metafile (WMF) parser.

To quote the advisory from SureRun:
    The vulnerability exists within the code responsible for parsing the
    META_ESCAPE record in a WMF file. This code reads in two 32-bit
    integers from the file, and then uses them in an arithmetic operation
    that calculates the number of bytes to allocate for a dynamic buffer.
    This calculation can overflow, resulting in an insufficiently sized
    buffer being allocated. Subsequently, this buffer is overflowed with
    data from the file.
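The allocation-size pattern the advisory describes, as an added C example that is not OpenOffice.org's code and not the upstream patch attached to this bug: a record header carrying two 32-bit values, the unchecked product that silently wraps, and a checked version that rejects the record before anything is allocated. The field names, the count times width arithmetic, the record layout and the sample inputs are assumptions for illustration; the advisory says only that two 32-bit integers feed an arithmetic operation whose result sizes a buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical two-field record header. The names, the count * width
 * arithmetic and the layout are assumptions for this example, not the
 * META_ESCAPE layout used by OpenOffice.org. */
typedef struct {
    uint32_t count;   /* element count claimed by the file */
    uint32_t width;   /* element size claimed by the file */
} escape_hdr_t;

/* The vulnerable pattern: a 32-bit product that silently wraps, so a
 * huge count * width can come out tiny and undersize the buffer. */
uint32_t unchecked_alloc_size(const escape_hdr_t *h)
{
    return h->count * h->width;
}

/* The fix: refuse the record if the product cannot fit in 32 bits. */
int checked_alloc_size(const escape_hdr_t *h, uint32_t *out)
{
    if (h->width != 0 && h->count > UINT32_MAX / h->width)
        return 0;                 /* would overflow */
    *out = h->count * h->width;
    return 1;
}

/* Parse one record safely: validate the computed size, then also check
 * that the payload the header claims is actually present in the input.
 * Returns the payload length copied, or -1 when the record is rejected. */
long parse_escape_record(const uint8_t *buf, size_t len)
{
    escape_hdr_t h;
    uint32_t need;

    if (len < sizeof h)
        return -1;
    memcpy(&h, buf, sizeof h);    /* host byte order is fine for the demo */
    if (!checked_alloc_size(&h, &need))
        return -1;
    if (need > len - sizeof h)
        return -1;                /* header promises more than the input holds */

    uint8_t *dst = malloc(need ? need : 1);
    if (!dst)
        return -1;
    memcpy(dst, buf + sizeof h, need);   /* bounded by the checks above */
    free(dst);
    return (long)need;
}

/* Constructed inputs for the demo (not taken from any real WMF file). */

/* 0x10000 * 0x10000 == 2^32: wraps to 0 unchecked, rejected when checked. */
int demo_overflow_is_caught(void)
{
    escape_hdr_t h = { 0x10000u, 0x10000u };
    uint32_t out = 0;
    return unchecked_alloc_size(&h) == 0 && checked_alloc_size(&h, &out) == 0;
}

/* Well-formed record: count 2, width 3, and all 6 payload bytes present. */
long demo_parse_complete(void)
{
    escape_hdr_t h = { 2, 3 };
    uint8_t buf[sizeof h + 6] = { 0 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, "abcdef", 6);
    return parse_escape_record(buf, sizeof buf);
}

/* Truncated record: header claims 6 payload bytes but only 4 follow. */
long demo_parse_truncated(void)
{
    escape_hdr_t h = { 2, 3 };
    uint8_t buf[sizeof h + 4] = { 0 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, "abcd", 4);
    return parse_escape_record(buf, sizeof buf);
}
```

Two checks are needed, not one: widening the arithmetic to 64 bits stops the wrap but still lets a file request a multi-gigabyte allocation, and the overflow check alone says nothing about whether the payload is actually present. Comparing the validated size against the remaining input length is what keeps the copy inside the buffer in both cases.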

Comment 2 Josh Bressers 2008-09-17 19:00:31 UTC
Caolan,

Do you have the upstream patch for this one?

Thanks.

Comment 4 Josh Bressers 2008-09-17 19:04:00 UTC
It looks like the OpenOffice.org 2.0.x branch and below do not support WMF files, hence they should not be affected by this flaw.

It appears to have been added in 2.1.x somewhere.

Comment 6 Caolan McNamara 2008-09-17 21:58:36 UTC
Created attachment 317014 [details]
upstream's patch (original horrific patch format)

I'm not sure that 1.1.X and any particular 2.X.Y are unaffected? Looks like pretty much the same code as current.

Comment 7 Josh Bressers 2008-09-18 00:45:10 UTC
I'm inclined to believe you if you say it affects 1.1.x and 2.x.y.  I couldn't get them to open the WMF format.

Comment 8 Caolan McNamara 2008-09-18 07:30:52 UTC
Created attachment 317041 [details]
better patch format

Insert Picture->From File might have some success in handling a .wmf file on earlier versions.

Comment 9 Josh Bressers 2008-09-18 14:44:39 UTC
So it does.  I'll file bugs for the various other versions of OOo we have.

Thanks.

Comment 11 Tomas Hoger 2008-10-29 10:45:04 UTC
Public now via:
  http://www.openoffice.org/security/cves/CVE-2008-2237.html

Fixed upstream in 2.4.2.

Comment 12 Fedora Update System 2008-10-30 08:39:17 UTC
openoffice.org-2.3.0-6.17.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/openoffice.org-2.3.0-6.17.fc8

Comment 13 Fedora Update System 2008-10-30 08:49:33 UTC
openoffice.org-2.4.2-18.1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/openoffice.org-2.4.2-18.1.fc9

Comment 14 Fedora Update System 2008-10-31 10:23:40 UTC
openoffice.org-2.4.2-18.1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-10-31 10:27:05 UTC
openoffice.org-2.3.0-6.17.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

