|Summary:|FC1: CAN-2005-0941: remote heap overflow vulnerability (bad .doc file can exec arbitrary code)|
|Product:|[Retired] Fedora Legacy|
|Reporter:|Dan Williams <dcbw>|
|Component:|openoffice|
|Assignee:|Fedora Legacy Bugs <bugs>|
|Status:|CLOSED ERRATA|
|Doc Type:|Bug Fix|
|Last Closed:|2005-05-13 00:52:06 UTC|
Description Dan Williams 2005-04-15 13:30:28 UTC
+++ This bug was initially created as a clone of Bug #154742 +++

Advisory: http://www.securityfocus.com/bid/13092/
Fedora Core 3 update: http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00027.html

An attacker may exploit this issue by crafting a malformed .doc file and enticing a user to open this file with the affected application. If a vulnerable user opens this file in OpenOffice, the application may crash due to memory corruption. This issue may also be leveraged to execute arbitrary code in the context of the user running OpenOffice.

Patchfile: patches-OOO_1_1-sot-overflow.diff (from FC2 & FC3 packages)

See also bug #152784 (CAN-2004-0752) which is not yet fixed for FC1.
Comment 1 Dan Williams 2005-04-15 13:31:33 UTC
I have packages for FC1 that fix this and bug #152784, but need upload space as I have exceeded my quota for my people.redhat.com account...
Comment 2 Dan Williams 2005-04-15 13:39:16 UTC
Verified that my FC1 packages are not vulnerable to this bug, using the exploit document in bug 154540 (vul3.doc).
Comment 3 Dan Williams 2005-04-15 15:38:15 UTC
Packages uploaded to Matthew Miller. MD5 sums: http://people.redhat.com/dcbw/ooo/fc1-ooo-md5sums.txt
Comment 4 Matthew Miller 2005-04-16 15:02:30 UTC
Available for download temporarily from <ftp://evol.bu.edu/openoffice/>. Note that there's currently an md5sum mismatch for openoffice-libs-1.0.2-11.2.legacy.i386.rpm, but the rest are good. That should be corrected soon.
Comment 5 Matthew Miller 2005-04-16 15:08:24 UTC
(Mismatch only affects RHL9, bug #154989. The FC1 packages should be fine.)
Comment 6 Dan Williams 2005-04-17 14:40:42 UTC
Note that these packages also fix Bug 152784 (CAN-2004-0752 - openoffice.org temp file handling bug).
Comment 7 Marc Deslauriers 2005-05-01 06:31:58 UTC
Matthew, the ftp site in comment 4 doesn't seem to be responding... Could you take a look at it? I would like to release these packages.
Comment 8 Marc Deslauriers 2005-05-02 12:01:17 UTC
Packages were pushed to updates-testing.
Comment 9 mschout 2005-05-10 19:45:55 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 Verify:

sha1
e93f1b81c245b1d5168256b24aa8c82f6dacb2da openoffice.org-1.1.0-16.2.legacy.i386.rpm
1adaa0cf3764aaef0cd8a9597d24f217ee547d0a openoffice.org-i18n-1.1.0-16.2.legacy.i386.rpm
2ebd3693673e0320c2d6407696949cf0fef2b9b3 openoffice.org-libs-1.1.0-16.2.legacy.i386.rpm

signatures: dsa sha1 md5 gpg OK on all 3 packages installed without any warnings or errors

I started up writer and calc. Both appear to work.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCgQ8T+CqvSzp9LOwRAil7AKDGNN7kKT8N8BV6ZMzgVJI2D+iUJwCfclDH
Su/3NCDKcCTfTuFTksjTMCU=
=E41b
-----END PGP SIGNATURE-----
Comment 10 Marc Deslauriers 2005-05-13 00:52:06 UTC
Released to updates.