Bug 725668 - (CVE-2011-2713) CVE-2011-2713 openoffice.org: Out-of-bounds read in DOC sprm parser
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
public=20111004,reported=20110726,sou...
Keywords: Security
Blocks: 725683
Reported: 2011-07-26 04:48 EDT by Huzaifa S. Sidhpurwala
Modified: 2016-03-04 05:42 EST
Doc Type: Bug Fix
Last Closed: 2011-10-05 06:41:16 EDT

Attachments
patch1 (677 bytes, patch)
2011-07-26 04:53 EDT, Huzaifa S. Sidhpurwala
patch2 (3.61 KB, patch)
2011-07-26 04:54 EDT, Huzaifa S. Sidhpurwala
patch3 (629 bytes, patch)
2011-07-26 04:54 EDT, Huzaifa S. Sidhpurwala
patch4 (2.46 KB, patch)
2011-07-26 04:55 EDT, Huzaifa S. Sidhpurwala
patch5 (1.37 KB, patch)
2011-07-26 04:55 EDT, Huzaifa S. Sidhpurwala
combined backport to OpenOffice.org 3.2.1 (8.09 KB, patch)
2011-09-16 12:00 EDT, Caolan McNamara
Description Huzaifa S. Sidhpurwala 2011-07-26 04:48:45 EDT
A heap-based buffer out-of-bounds read was found in the way OpenOffice.org imported certain Microsoft Word Binary File Format (.DOC) files. If a user opened a specially-crafted DOC file in an OpenOffice.org suite tool (oowriter), it could lead to denial of service (oowriter executable crash), or possibly, execute arbitrary code with the privileges of the user running OpenOffice.org Writer.

This has been assigned CVE-2011-2713.
Comment 2 Huzaifa S. Sidhpurwala 2011-07-26 04:53:50 EDT
Created attachment 515212
patch1
Comment 3 Huzaifa S. Sidhpurwala 2011-07-26 04:54:30 EDT
Created attachment 515213
patch2
Comment 4 Huzaifa S. Sidhpurwala 2011-07-26 04:54:51 EDT
Created attachment 515214
patch3
Comment 5 Huzaifa S. Sidhpurwala 2011-07-26 04:55:23 EDT
Created attachment 515215
patch4
Comment 6 Huzaifa S. Sidhpurwala 2011-07-26 04:55:47 EDT
Created attachment 515216
patch5
Comment 12 Caolan McNamara 2011-09-16 12:00:13 EDT
Created attachment 523579
combined backport to OpenOffice.org 3.2.1
Comment 13 Huzaifa S. Sidhpurwala 2011-10-05 06:38:42 EDT
This is public via:
http://www.libreoffice.org/advisories/CVE-2011-2713/
Comment 14 Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT
It initially appeared that this flaw may be exploitable similar to CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution. However, in the case of this particular flaw, the junk data read is just parsed into an internal representation of properties and the maximum harm this should cause is an application crash (Denial Of Service).

Timeline:
- Reported to securityteam@openoffice.org on 25-July-2011
- Received a reply (with tdf-security@lists.documentfoundation.org copied) on the same date
- Release date changed with a few delays in between
- Release on 5-Oct-2011


Statement:

This issue results in an OOB read which is not exploitable for arbitrary code execution and can simply cause a crash. We do not consider this as a security issue.
Comment 15 Murray McAllister 2012-10-03 00:20:13 EDT
Acknowledgements:

This issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team.