
Bug 154988

Summary: FC1: CAN-2005-0941: remote heap overflow vulnerability (bad .doc file can exec arbitrary code)
Product: [Retired] Fedora Legacy
Reporter: Dan Williams <dcbw>
Component: openoffice
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: fc1
CC: dcbw
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: LEGACY, 1
Doc Type: Bug Fix
Last Closed: 2005-05-13 00:52:06 UTC

Description Dan Williams 2005-04-15 13:30:28 UTC
+++ This bug was initially created as a clone of Bug #154742 +++

Advisory: http://www.securityfocus.com/bid/13092/
Fedora Core 3 update:
http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00027.html

  An attacker may exploit this issue by crafting a malformed .doc file and 
  enticing a user to open this file with the affected application. If a vulnerable
  user opens this file in OpenOffice, the application may crash due to memory 
  corruption. This issue may also be leveraged to execute arbitrary code in the 
  context of the user running OpenOffice. 

Patchfile: patches-OOO_1_1-sot-overflow.diff  (from FC2 & FC3 packages)

See also bug #152784 (CAN-2004-0752) which is not yet fixed for FC1.

Comment 1 Dan Williams 2005-04-15 13:31:33 UTC
I have packages for FC1 that fix this and bug #152784, but need upload space as
I have exceeded my quota for my people.redhat.com account...

Comment 2 Dan Williams 2005-04-15 13:39:16 UTC
Verified that my FC1 packages are not vulnerable to this bug, using the exploit
document in bug 154540 (vul3.doc).

Comment 3 Dan Williams 2005-04-15 15:38:15 UTC
Packages uploaded to Matthew Miller.

MD5 sums:  http://people.redhat.com/dcbw/ooo/fc1-ooo-md5sums.txt

Comment 4 Matthew Miller 2005-04-16 15:02:30 UTC
Available for download temporarily from <ftp://evol.bu.edu/openoffice/>. Note
that there's currently an md5sum mismatch for 
openoffice-libs-1.0.2-11.2.legacy.i386.rpm, but the rest are good. That should
be corrected soon.


Comment 5 Matthew Miller 2005-04-16 15:08:24 UTC
(Mismatch only affects RHL9, bug #154989. The FC1 packages should be fine.)

Comment 6 Dan Williams 2005-04-17 14:40:42 UTC
Note that these packages also fix Bug 152784 (CAN-2004-0752 - openoffice.org temp file handling bug).

Comment 7 Marc Deslauriers 2005-05-01 06:31:58 UTC
Matthew, the ftp site in comment 4 doesn't seem to be responding...
Could you take a look at it, I would like to release these packages.

Comment 8 Marc Deslauriers 2005-05-02 12:01:17 UTC
Packages were pushed to updates-testing.

Comment 9 mschout 2005-05-10 19:45:55 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 Verify:

sha1
e93f1b81c245b1d5168256b24aa8c82f6dacb2da  openoffice.org-1.1.0-16.2.legacy.i386.rpm
1adaa0cf3764aaef0cd8a9597d24f217ee547d0a  openoffice.org-i18n-1.1.0-16.2.legacy.i386.rpm
2ebd3693673e0320c2d6407696949cf0fef2b9b3  openoffice.org-libs-1.1.0-16.2.legacy.i386.rpm

signatures:
dsa sha1 md5 gpg OK on all 3 packages

installed without any warnings or errors

I started up writer and calc.  Both appear to work.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCgQ8T+CqvSzp9LOwRAil7AKDGNN7kKT8N8BV6ZMzgVJI2D+iUJwCfclDH
Su/3NCDKcCTfTuFTksjTMCU=
=E41b
-----END PGP SIGNATURE-----
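The verification routine in comment 9 (compare each package against the published sha1 sums, then check the RPM signatures before installing) written out as a script. This is an added example, not part of the bug report and not Fedora Legacy's own tooling. The three package names are taken from the comment above; the file contents, the sum files and the `demo` entry point are constructed placeholders, and the function names are assumptions. The signature step relies on `rpm -K`, which exits non-zero when a digest or signature fails, including when the signing key has not been imported with `rpm --import`.

```shell
#!/bin/sh
# Added example: reproduce the "FC1 Verify" steps from the thread.
# Not the project's code; package names are from the verify comment,
# everything else here is constructed for illustration.

# sha1_of FILE: print the SHA-1 hex digest (GNU sha1sum or BSD shasum).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# check_sums SUMFILE DIR
#   SUMFILE holds "<sha1>  <filename>" lines, the layout used in the verify
#   comment. Every named file must exist in DIR and hash to the published
#   value. Returns 0 only if all files are present and match.
check_sums() {
    sumfile=$1
    dir=$2
    status=0
    while read -r expected name; do
        [ -n "$expected" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual=$(sha1_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "FAILED   $name (got $actual)"
            status=1
        fi
    done < "$sumfile"
    return $status
}

# check_sigs DIR
#   Run rpm -K (--checksig) on every .rpm in DIR. rpm exits non-zero if a
#   digest or signature does not verify, or if the signing key is not in the
#   rpm keyring, so import the vendor key with 'rpm --import' first.
#   Returns 2 when rpm itself is not installed (e.g. on a non-RPM host).
check_sigs() {
    dir=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; skipping signature check"; return 2; }
    status=0
    for pkg in "$dir"/*.rpm; do
        [ -f "$pkg" ] || continue
        rpm -K "$pkg" || status=1
    done
    return $status
}

# make_demo DIR
#   Constructed sample data (not the real packages): placeholder files with
#   the package names from the verify comment, a sum file generated from
#   them, and a second sum file with one wrong hash, mimicking the checksum
#   mismatch reported in comment 4.
make_demo() {
    dir=$1
    mkdir -p "$dir/pkgs"
    for name in openoffice.org-1.1.0-16.2.legacy.i386.rpm \
                openoffice.org-i18n-1.1.0-16.2.legacy.i386.rpm \
                openoffice.org-libs-1.1.0-16.2.legacy.i386.rpm; do
        printf 'placeholder contents for %s\n' "$name" > "$dir/pkgs/$name"
    done
    : > "$dir/good.sums"
    for f in "$dir"/pkgs/*.rpm; do
        printf '%s  %s\n' "$(sha1_of "$f")" "$(basename "$f")" >> "$dir/good.sums"
    done
    # Replace the libs hash with zeros so that entry must fail.
    awk '/libs/ { $1 = "0000000000000000000000000000000000000000" } { print }' \
        "$dir/good.sums" > "$dir/bad.sums"
}

# demo: good sums must verify, tampered sums must be rejected. Returns 0
# only when both outcomes are as expected.
demo() {
    tmp=$(mktemp -d)
    make_demo "$tmp"
    echo "--- published sums ---"
    check_sums "$tmp/good.sums" "$tmp/pkgs" || return 1
    echo "--- tampered sums ---"
    if check_sums "$tmp/bad.sums" "$tmp/pkgs"; then
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run as `sh verify.sh demo` to see both outcomes. For real packages, point check_sums at the published sum file and the download directory, then run check_sigs on the same directory after importing the Fedora Legacy signing key; only install when both return 0.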

Comment 10 Marc Deslauriers 2005-05-13 00:52:06 UTC
Released to updates.