Bug 622555 - (CVE-2010-2936) CVE-2010-2936 OpenOffice.org: Heap-based buffer overflow by parsing specially-crafted Microsoft PowerPoint document
CVE-2010-2936 OpenOffice.org: Heap-based buffer overflow by parsing specially...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 622831 622833 622857 622858 622859 622861 622862 623608 623609
  Show dependency treegraph
Reported: 2010-08-09 13:45 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:30 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-03-26 10:43:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0643 normal SHIPPED_LIVE Important: openoffice.org security update 2010-08-23 10:32:24 EDT

  None (edit)
Description Jan Lieskovsky 2010-08-09 13:45:32 EDT
A short integer overflow, leading to heap-based buffer overflow was found in 
the way OpenOffice.org Impress presentation aplication processed polygons in 
input document. An attacker could use this flaw to create a specially-crafted
Microsoft PowerPoint (PPT) file that, when opened, would cause simpress.bin 
executable to crash, or, possibly execute arbitrary code with the privileges
of the user running the ooimpress tool.

  [1] http://secunia.com/advisories/40775/
  [2] http://securityevaluators.com/files/papers/CrashAnalysis.pdf
  [3] http://www.openoffice.org/servlets/ReadMsg?list=dev&msgNo=27690

CVE Request:
  [4] http://www.openwall.com/lists/oss-security/2010/08/11/1
Comment 4 Jan Lieskovsky 2010-08-10 06:34:08 EDT
Final upstream agreed patch for both issues is here:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=622529#c6

(the generic/poly.cxx part of it applies to this bug report).
Comment 8 Jan Lieskovsky 2010-08-10 12:41:33 EDT
This issue affects the versions of the openoffice.org package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue affects the version of the openoffice.org-impress package, as
shipped with Red Hat Enterprise Linux 5.


This issue affects the versions of the openoffice.org-impress package, as
shipped with Fedora release of 12 and 13. Though the impact of this flaw
is mitigated there. For further details please proceed to:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=623609#c2
Comment 10 Vincent Danen 2010-08-11 16:38:30 EDT
This issue has been assigned the name CVE-2010-2936.
Comment 12 Jan Lieskovsky 2010-08-12 06:01:56 EDT
Created openoffice.org tracking bugs for this issue

Affects: fedora-all [bug 623609]
Comment 14 Jan Lieskovsky 2010-08-12 11:35:33 EDT

This issue is not planned to be fixed in Red Hat Enterprise Linux 5,
as its impact is mitigated by standard glibc protection mechanisms to
cause only application abort.

Red Hat Security Response Team does not consider a user-assisted crash
(abort) of a client application, such as OpenOffice.org Impress tool,
to be a security issue.
Comment 15 errata-xmlrpc 2010-08-23 10:33:03 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2010:0643 https://rhn.redhat.com/errata/RHSA-2010-0643.html

Note You need to log in before you can comment on or make changes to this bug.