Red Hat Bugzilla – Bug 475831
CVE-2009-0259 openoffice.org: text converter memory corruption via a crafted (1) .doc, (2) .wri, or (3) .rtf Word97 file
Last modified: 2009-01-23 10:17:03 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4841 to the following vulnerability: The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008. NOTE: As of 20081210, it is unclear whether this vulnerability is related to a WordPad issue disclosed on 20080925 with a 2008-crash.doc.rar example, but there are insufficient details to be sure. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4841 http://www.milw0rm.com/exploits/6560 http://milw0rm.com/sploits/2008-crash.doc.rar http://www.microsoft.com/technet/security/advisory/960906.mspx http://www.securityfocus.com/bid/31399 http://www.securityfocus.com/bid/32718 http://securitytracker.com/id?1021376 http://secunia.com/advisories/32997
This issue affects the version of the openoffice.org package, as shipped with Red Hat Enterprise Linux 3 and 4. This issue does NOT affect the version of the openoffice.org package, as shipped with Red Hat Enterprise Linux 5.
The trace looks very like the old stack of http://qa.openoffice.org/issues/show_bug.cgi?id=12936
Created attachment 329582 [details] vcl10 This is the change, but as per the issue "problem does not exist anymore in current version; however i found a side effect which while debugging: this would cause type1 fonts with adjacent afm files not to be recognized."
Common Vulnerabilities and Exposures assigned an identifier of CVE-2009-0259 to this vulnerability for the OpenOffice case: The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows remnote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008, as demonstrated by 2008-crash.doc.rar, and a similar issue to CVE-2008-4841. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0259 http://www.milw0rm.com/exploits/6560 http://milw0rm.com/sploits/2008-crash.doc.rar http://www.openwall.com/lists/oss-security/2009/01/21/9
Created attachment 329810 [details] this will probably work, trying a test-build at the moment
Official statement: The Red Hat Security Response Team is not considering this issue to be a security vulnerability due the fact, we does not treat a crash of a user application as a security flaw.