A security flaw was found in the way Apache OpenOffice and LibreOffice, office productivity suites, previously used to handle certain, invalid PLCF (Plex of Character Positions in File) elements when parsing selected Microsoft Office Word (DOC) format documents. A remote attacker could provide a specially-crafted DOC format file that, when processed in some application from the Apache OpenOffice or LibreOffice suites would lead to that application crash or, potentially, arbitrary code execution with the privileges of the user running the application. References: [1] http://www.openoffice.org/security/cves/CVE-2013-2189.html [2] http://www.libreoffice.org/advisories/CVE-2013-2189/
Upstream commits: Apache OpenOffice: http://svn.apache.org/r1491721 http://svn.apache.org/r1491725 http://svn.apache.org/r1496364 http://svn.apache.org/r1499266
This issue affects the version of the openoffice.org package, as shipped with Red Hat Enterprise Linux 5. -- This issue did not affect the version of the libreoffice package, as shipped with Red Hat Enterprise Linux 6. -- This issue did not affect the versions of the libreoffice package, as shipped with Fedora release of 18 and 19.
Statement: We do not consider a denial of service flaw in a client application such as OpenOffice to be a security issue.