Bug 154988

Summary: FC1: CAN-2005-0941: remote heap overflow vulnerability (bad .doc file can exec arbitrary code)
Product: [Retired] Fedora Legacy
Reporter: Dan Williams <dcbw>
Component: openoffice
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: fc1
CC: dcbw
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: LEGACY, 1
Doc Type: Bug Fix
Last Closed: 2005-05-13 00:52:06 UTC

Description Dan Williams 2005-04-15 13:30:28 UTC
+++ This bug was initially created as a clone of Bug #154742 +++

Fedora Core 3 update:

  An attacker may exploit this issue by crafting a malformed .doc file and 
  enticing a user to open this file with the affected application. If a vulnerable
  user opens this file in OpenOffice, the application may crash due to memory 
  corruption. This issue may also be leveraged to execute arbitrary code in the 
  context of the user running OpenOffice. 

Patchfile: patches-OOO_1_1-sot-overflow.diff  (from FC2 & FC3 packages)

See also bug #152784 (CAN-2004-0752) which is not yet fixed for FC1.

Comment 1 Dan Williams 2005-04-15 13:31:33 UTC
I have packages for FC1 that fix this and bug #152784, but need upload space as
I have exceeded my quota for my account...

Comment 2 Dan Williams 2005-04-15 13:39:16 UTC
Verified that my FC1 packages are not vulnerable to this bug, using the exploit
document in bug 154540 (vul3.doc).

Comment 3 Dan Williams 2005-04-15 15:38:15 UTC
Packages uploaded to Matthew Miller.

MD5 sums:

Comment 4 Matthew Miller 2005-04-16 15:02:30 UTC
Available for download temporarily from <>. Note
that there's currently an md5sum mismatch for 
openoffice-libs-1.0.2-11.2.legacy.i386.rpm, but the rest are good. That should
be corrected soon.

Comment 5 Matthew Miller 2005-04-16 15:08:24 UTC
(Mismatch only affects RHL9, bug #154989. The FC1 packages should be fine.)

Comment 6 Dan Williams 2005-04-17 14:40:42 UTC
Note that these packages also fix Bug 152784 (CAN-2004-0752 - temp file handling 

Comment 7 Marc Deslauriers 2005-05-01 06:31:58 UTC
Matthew, the ftp site in comment 4 doesn't seem to be responding...
Could you take a look at it? I would like to release these packages.

Comment 8 Marc Deslauriers 2005-05-02 12:01:17 UTC
Packages were pushed to updates-testing.

Comment 9 mschout 2005-05-10 19:45:55 UTC
FC1 Verify:


dsa sha1 md5 gpg OK on all 3 packages

installed without any warnings or errors

I started up writer and calc.  Both appear to work.

Comment 10 Marc Deslauriers 2005-05-13 00:52:06 UTC
Released to updates.