Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 352864 (CVE-2010-3451) - <app-office/openoffice{,-bin}-3.3: multiple vulnerabilities (CVE-2010-{3450,3451,3452,3453,3454,3689,4253,4643})
Summary: <app-office/openoffice{,-bin}-3.3: multiple vulnerabilities (CVE-2010-{3450,3...
Status: RESOLVED FIXED
Alias: CVE-2010-3451
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-26 21:17 UTC by Yury German
Modified: 2014-08-31 15:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Yury German Gentoo Infrastructure gentoo-dev Security 2011-01-26 21:17:42 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 2151-1                    security () debian org
http://www.debian.org/security/                             Martin Schulze
January 26th, 2011                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453
                 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643 

Several security related problems have been discovered in the
OpenOffice.org package that allows malformed documents to trick the
system into crashes or even the execution of arbitrary code.

CVE-2010-3450

    During an internal security audit within Red Hat, a directory
    traversal vulnerability has been discovered in the way
    OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files.  If
    a local user is tricked into opening a specially-crafted OOo XML
    filters package file, this problem could allow remote attackers to
    create or overwrite arbitrary files belonging to local user or,
    potentially, execute arbitrary code.

CVE-2010-3451

    During his work as a consultant at Virtual Security Research
    (VSR), Dan Rosenberg discovered a vulnerability in
    OpenOffice.org's RTF parsing functionality.  Opening a maliciously
    crafted RTF document can caus an out-of-bounds memory read into
    previously allocated heap memory, which may lead to the execution
    of arbitrary code.

CVE-2010-3452

    Dan Rosenberg discovered a vulnerability in the RTF file parser
    which can be leveraged by attackers to achieve arbitrary code
    execution by convincing a victim to open a maliciously crafted RTF
    file.

CVE-2010-3453

    As part of his work with Virtual Security Research, Dan Rosenberg
    discovered a vulnerability in the WW8ListManager::WW8ListManager()
    function of OpenOffice.org that allows a maliciously crafted file
    to cause the execution of arbitrary code.

CVE-2010-3454

    As part of his work with Virtual Security Research, Dan Rosenberg
    discovered a vulnerability in the WW8DopTypography::ReadFromMem()
    function in OpenOffice.org that may be exploited by a maliciously
    crafted file which allowins an attacker to control program flow
    and potentially execute arbitrary code.

CVE-2010-3689

    Dmitri Gribenko discovered that the soffice script does not treat
    an empty LD_LIBRARY_PATH variable like an unset one, may lead to
    the execution of arbitrary code.

CVE-2010-4253

    A heap based buffer overflow has been discovered with unknown impact.

CVE-2010-4643

    A vulnerability has been discovered in the way OpenOffice.org
    handles TGA graphics which can be tricked by a specially crafted
    TGA file that could cause the program to crash due to a heap-based
    buffer overflow with unknown impact.


For the stable distribution (lenny) these problems have been fixed in
version 2.4.1+dfsg-1+lenny11.

For the upcoming stable distribution (squeeze) these problems have
been fixed in version 3.2.1-11+squeeze1.

For the unstable distribution (sid) these problems have been fixed in
version 3.2.1-11+squeeze1.

For the experimental distribution these problems have been fixed in
version 3.3.0~rc3-1.

We recommend that you upgrade your OpenOffice.org packages.


Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: [18]http://www.debian.org/security/

Mailing list: debian-security-announce () lists debian org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNQEkOW5ql+IAeqTIRAp9GAJ0WTb4z3fzW9x3TK3aux2v/zWtIPQCfRdzx
+AX/hG1qBThFdf0f6k2SiMQ=
=O7sd
-----END PGP SIGNATURE-----
Comment 1 Andreas Proschofsky (RETIRED) gentoo-dev 2011-01-29 19:47:36 UTC
We have a bit of a special situation here, basically: I don't plan to do any more updates for app-office/openoffice, people should move to app-office/libreoffice instead. Let me explain why, so everyone understands the reasoning:

*) libreoffice is actually the successor of go-oo / ooo-build which we based our openoffice-releases on since a few years, which also means

*) we didn't have a vanilla openoffice ebuild since quite some time

*) trying to do a vanilla openoffice ebuild is a very unfortunate experience, believe me, we've been there.

*) all other Linux distros are moving to Libreoffice too.

So basically I'd like to deprecate app-office/openoffice soon. And so I ask: Do you have any advice for me how to handle that best?
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2011-02-17 05:56:21 UTC
I would recommend that you stabilize the current non vulnerable build (3.3.0 RC 10) so that the vulnerable builds can be masked. 

Then request for stabilization of Libreoffice so that now there is a migration path available for stable builds.

This is just an idea.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-02-18 15:30:35 UTC
(In reply to comment #1)
> So basically I'd like to deprecate app-office/openoffice soon. And so I ask: Do
> you have any advice for me how to handle that best?
> 

So, if you feel that the libreoffice ebuilds are ready for prime time, stabilize them and we'll advise people to migrate to libreoffice in the GLSA.
On the other hand, such things shouldn't really happen during a security update and bumping OOo one last time shouldn't be too much harm.

I guess I'm fine with both alternatives, though slightly preferring the latter.
Comment 4 Andreas Proschofsky (RETIRED) gentoo-dev 2011-02-21 07:07:19 UTC
(In reply to comment #3)
> On the other hand, such things shouldn't really happen during a security update
> and bumping OOo one last time shouldn't be too much harm.

Like I tried to say before: This is not possible without a pretty high amount of extra-work and complications, as a new openoffice-bump would be basically a totally new ebuild. A simple bump is not possible, build-system- and code-wise Libreoffice is the direct successor to what we had in portage before as app-office/openoffice before, NOT the current OpenOffice.org
Comment 5 Andreas Proschofsky (RETIRED) gentoo-dev 2011-07-06 22:25:14 UTC
There have been stable releases of Libreoffice and Libreoffice-bin in the tree for quite some time. So could we please now advice people to move away from openoffice for this bug? (and mask / remove it)
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2011-07-11 23:32:59 UTC
CVE-2010-4643 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4643):
  Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x
  before 3.3 allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted Truevision TGA
  (TARGA) file in an ODF or Microsoft Office document.

CVE-2010-4253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4253):
  Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x
  before 3.3 allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted PNG file in an ODF
  or Microsoft Office document, as demonstrated by a PowerPoint (aka PPT)
  document.

CVE-2010-3454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3454):
  Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in
  oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allow remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via crafted typography information in a Microsoft
  Word .DOC file that triggers an out-of-bounds write.

CVE-2010-3453 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3453):
  The WW8ListManager::WW8ListManager function in oowriter in OpenOffice.org
  (OOo) 2.x and 3.x before 3.3 does not properly handle an unspecified number
  of list levels in user-defined list styles in WW8 data in a Microsoft Word
  document, which allows remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a crafted .DOC
  file that triggers an out-of-bounds write.
Comment 7 Tomáš Chvátal (RETIRED) gentoo-dev 2011-07-27 10:54:11 UTC
openoffice ebuilds marked for removal. Only leaves around the libreoffice versions that are unaffected.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-08-20 03:40:15 UTC
(In reply to comment #7)
> openoffice ebuilds marked for removal. Only leaves around the libreoffice
> versions that are unaffected.

Ok, thanks. We still need to publish a GLSA; added to existing request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:27:02 UTC
CVE-2010-3689 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3689):
  soffice in OpenOffice.org (OOo) 3.x before 3.3 places a zero-length
  directory name in the LD_LIBRARY_PATH, which allows local users to gain
  privileges via a Trojan horse shared library in the current working
  directory.

CVE-2010-3452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3452):
  Use-after-free vulnerability in oowriter in OpenOffice.org (OOo) 2.x and 3.x
  before 3.3 allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via crafted tags in an RTF
  document.

CVE-2010-3451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3451):
  Use-after-free vulnerability in oowriter in OpenOffice.org (OOo) 2.x and 3.x
  before 3.3 allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via malformed tables in an RTF
  document.

CVE-2010-3450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3450):
  Multiple directory traversal vulnerabilities in OpenOffice.org (OOo) 2.x and
  3.x before 3.3 allow remote attackers to overwrite arbitrary files via a ..
  (dot dot) in an entry in (1) an XSLT JAR filter description file, (2) an
  Extension (aka OXT) file, or unspecified other (3) JAR or (4) ZIP files.
Comment 10 Tomáš Chvátal (RETIRED) gentoo-dev 2011-11-10 21:29:06 UTC
Nothing to be done by office team anymore, removing us from cc.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 15:21:32 UTC
This issue was resolved and addressed in
 GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).