Bug 154742 - CAN-2005-0941: remote heap overflow vulnerability (bad .doc file can exec arbitrary code)
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: openoffice
Version: fc2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Depends On:
Reported: 2005-04-13 21:55 UTC by Matthew Miller
Modified: 2007-04-18 17:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-05-13 00:52:24 UTC


Description Matthew Miller 2005-04-13 21:55:28 UTC
Fedora Core 3 update:

  An attacker may exploit this issue by crafting a malformed .doc file and 
  enticing a user to open this file with the affected application. If a vulnerable
  user opens this file in OpenOffice, the application may crash due to memory 
  corruption. This issue may also be leveraged to execute arbitrary code in the 
  context of the user running OpenOffice. 

Filing this for Fedora Core 2; seems like it probably also affects FC1 and RHL9.
(For those releases, also see bug #152784 (CAN-2004-0752), which is already fixed
for FC2.)

The (pre-update) FC3 package and FC2 package are basically identical; we should
be able to just rebuild the FC3 package to make our update.

Comment 1 Dan Williams 2005-04-14 16:30:02 UTC
I actually have FC2 packages that I pushed through Beehive right before the
cutoff date happened.  I'd be happy to post them somewhere, since I was just
about to push them to fc2-updates anyway right when the cutoff came around.

Comment 2 Dan Williams 2005-04-14 16:38:25 UTC
packages for FC2 are here:

Comment 3 Marc Deslauriers 2005-04-14 21:19:43 UTC
Thanks Dan!

Comment 4 Marc Deslauriers 2005-05-02 12:02:04 UTC
Packages were pushed to updates-testing.

Comment 5 David Curry 2005-05-08 05:26:57 UTC
fc2: packages were downloaded into a temporary
directory, checked with rpm -K openoffice*, and installed without any exceptions
or difficulty.

In turn, calc, draw, impress, and writer were opened and used
without encountering any exceptions.  Project management and Math were opened
and closed, but not used.

Tests performed included the following.

1. A new document was created and saved in native oo.o format.  Writer was
closed, reopened and the newly created writer document was opened and closed
without exception or error.
2.  A pre-existing native oo.o format document containing both text and tables
imported from oo.o calc was loaded, edited slightly and saved without error.
3.  A pre-existing .doc file was opened and saved in native oo.o format, as
.pdf, as .rtf, and as .html.  All created documents were subsequently opened
with oo.o.  The .rtf document was also opened with abiword, the .html document
was opened with Konqueror, and the .pdf document was opened with PDF Viewer.

1. A pre-existing .xls spreadsheet document of greater size than oo.o can
process was opened.  oo.o continued running, advising the user that rows in
excess of oo.o capacity were not imported.  (Unexpected outcome: Loading of this
spreadsheet file seemed a bit faster than I remembered from earlier versions of

2.  A new spreadsheet was created using test data and four of the more simple
built-in statistical functions.  No errors or exceptions encountered.
3.  Several existing .xls files containing table lookups, multiple coloring of
text, statistical functions, relatively sophisticated formatting were
successfully opened without observing any indications that formatting had changed
or that functions used were not accurately supported.

1.  Simple new documents were created and saved.  Oo.o was closed, reopened and
the newly created documents were reopened without error.


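The QA comment above verifies the downloaded packages with rpm -K before installing them. The following shell script is an added example, not code from this bug report or from Fedora Legacy; it wraps that step so the check is scriptable rather than a visual read of the output. The package names in the sample reports are placeholders and the reports themselves are constructed, and the script assumes the two rpm -K output forms noted in its comments (the "gpg"/"pgp" tokens of rpm 4.x and the "signatures" token of later releases).

```shell
# Added example, not code from the bug report or from Fedora Legacy.
# It scripts the `rpm -K` step from the QA comment above: before a package
# pulled from updates-testing is installed, every line of the rpm -K report
# must show a signature verdict of OK. A bare digest "OK" on an unsigned
# package is treated as a failure, as is any "NOT OK". The sample reports
# below are constructed for offline use; they are not output from this bug.

# Return 0 only if every non-empty line of the report ($1) records a
# checked signature ("gpg"/"pgp" in rpm 4.x, "signatures" in rpm >= 4.14;
# both assumed here) and ends in " OK". Any "NOT OK", or a line that lists
# digests only (unsigned package), fails the whole report.
verify_rpm_report() {
    report="$1"
    [ -n "$report" ] || return 1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *"NOT OK"*) return 1 ;;
            *gpg*" OK"|*pgp*" OK"|*signatures*" OK") ;;
            *) return 1 ;;
        esac
    done <<EOF
$report
EOF
    return 0
}

# Run the real check on the .rpm files given as arguments (needs rpm
# installed and the signing key imported). Exit status 0 means install.
check_packages() {
    [ "$#" -gt 0 ] || { echo "usage: check_packages pkg.rpm..." >&2; return 2; }
    out=$(rpm -K "$@" 2>&1) || true
    if verify_rpm_report "$out"; then
        echo "all packages carry a valid signature"
        return 0
    fi
    echo "signature check failed:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Constructed sample reports (placeholder package names, not real files).
SAMPLE_GOOD='openoffice.org-PLACEHOLDER.i386.rpm: (sha1) dsa sha1 md5 gpg OK
openoffice.org-libs-PLACEHOLDER.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_BAD='openoffice.org-PLACEHOLDER.i386.rpm: (SHA1) DSA SHA1 MD5 GPG NOT OK'
SAMPLE_UNSIGNED='openoffice.org-PLACEHOLDER.i386.rpm: sha1 md5 OK'
```

Usage is `check_packages openoffice*.rpm` from the temporary download directory; the point of parsing the report rather than relying on rpm's exit status alone is that an unsigned package produces a plain "OK" line, which must not count as verified.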
Comment 6 Marc Deslauriers 2005-05-13 00:52:24 UTC
Released to updates
