A short integer overflow, leading to heap-based buffer overflow was found in
the way OpenOffice.org Impress presentation aplication processed polygons in
input document. An attacker could use this flaw to create a specially-crafted
Microsoft PowerPoint (PPT) file that, when opened, would cause simpress.bin
executable to crash, or, possibly execute arbitrary code with the privileges
of the user running the ooimpress tool.
Final upstream agreed patch for both issues is here:
(the generic/poly.cxx part of it applies to this bug report).
This issue affects the versions of the openoffice.org package, as shipped
with Red Hat Enterprise Linux 3 and 4.
This issue affects the version of the openoffice.org-impress package, as
shipped with Red Hat Enterprise Linux 5.
This issue affects the versions of the openoffice.org-impress package, as
shipped with Fedora release of 12 and 13. Though the impact of this flaw
is mitigated there. For further details please proceed to:
This issue has been assigned the name CVE-2010-2936.
Created openoffice.org tracking bugs for this issue
Affects: fedora-all [bug 623609]
This issue is not planned to be fixed in Red Hat Enterprise Linux 5,
as its impact is mitigated by standard glibc protection mechanisms to
cause only application abort.
Red Hat Security Response Team does not consider a user-assisted crash
(abort) of a client application, such as OpenOffice.org Impress tool,
to be a security issue.
This issue has been addressed in following products:
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Via RHSA-2010:0643 https://rhn.redhat.com/errata/RHSA-2010-0643.html