Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0136 to the following vulnerability:

OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document.

References:
http://www.mail-archive.com/debian-openoffice@lists.debian.org/msg23178.html
http://www.debian.org/security/2010/dsa-1995
http://www.securityfocus.com/bid/38245
http://securitytracker.com/id?1023588
Created attachment 394694: sample document
This should be an ooo-build-only problem in the 2.X.Y series. We don't use ooo-build for >= 1.X.Y, so we shouldn't be affected by this fairly recent not-upstreamed-yet implementation-gone-awry. The sample document above can be used to verify that, i.e. loading it won't flip to sheet overview, etc. So this can be closed out in that case.
Upstream commit: http://cgit.freedesktop.org/ooo-build/ooo-build/commit/?id=6b2dcdd928b5851e32ba50198099bcaabec058fa
This flaw exists in the implementation of VBA macro support for OpenOffice.org. This support is not (yet) part of the upstream OpenOffice.org source, but only part of the ooo-build / GO-OO patch set, which is not used in Red Hat OpenOffice.org packages version 2 and later.