From ${URL} :

OpenOffice HWP Filter Remote Code Execution and Denial of Service

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenOffice 4.1.1 and older. OpenOffice.org versions are also affected.

Description

A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial of service (memory corruption and application crash) or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format.

Mitigation

Apache OpenOffice users are advised to remove the problematic library in the "program" folder of their OpenOffice installation. On Windows it is named "hwp.dll", on Mac it is named "libhwp.dylib" (step-by-step instructions: go to the Applications folder in Finder; right-click on OpenOffice.app; click on "Show Package Contents"; then search for the file "libhwp.dylib" with Finder's search function, or look for it in the folder "Contents/MacOS"; then delete the file) and on Linux it is named "libhwp.so". Alternatively the library can be renamed to anything else, e.g. "hwp_renamed.dll".

This mitigation will drop support for documents created in "Hangul Word Processor" versions from 1997 or older. Users of such documents are advised to convert their documents to other document formats such as OpenDocument before doing so.

Further information

Apache OpenOffice aims to fix the vulnerability in version 4.1.2, not released yet.

Credits

Thanks to an anonymous contributor working with VeriSign iDefense Labs.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
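The interim mitigation quoted above, as an added shell example that is not from the advisory or from the Gentoo bug: it picks the HWP filter library name for the platform, checks whether it is still present in a given OpenOffice "program" directory, and disables it by renaming. The `.disabled` suffix, the function names and the directory argument are my own choices.

```shell
#!/bin/sh
# Added example (not from the advisory or Gentoo): locate the HWP import
# filter library in an OpenOffice "program" directory and disable it by
# renaming it, which is the advisory's interim mitigation for installs
# that cannot yet move to 4.1.2. The caller supplies the program directory.

# hwp_lib_name PLATFORM: print the filter library file name for PLATFORM
# (as reported by `uname -s`); fails for an unknown platform.
hwp_lib_name() {
    case "$1" in
        Linux)                        echo "libhwp.so" ;;
        Darwin)                       echo "libhwp.dylib" ;;
        Windows|CYGWIN*|MINGW*|MSYS*) echo "hwp.dll" ;;
        *)                            return 1 ;;
    esac
}

# disable_hwp_filter PROGRAM_DIR [PLATFORM]
# Renames the HWP filter library to <name>.disabled and reports the action.
# Exit status: 0 renamed, 1 library absent (already mitigated, or not an
# OpenOffice program directory), 2 unknown platform, 3 rename failed.
disable_hwp_filter() {
    dir="$1"
    platform="${2:-$(uname -s)}"
    lib=$(hwp_lib_name "$platform") || return 2
    if [ ! -f "$dir/$lib" ]; then
        echo "no $lib in $dir (HWP filter absent, nothing to do)"
        return 1
    fi
    mv "$dir/$lib" "$dir/$lib.disabled" || return 3
    echo "renamed $dir/$lib -> $dir/$lib.disabled"
    return 0
}
```

Run it as `disable_hwp_filter /path/to/openoffice/program`; a second run on the same directory reports that the filter is already absent, which makes the check safe to repeat across a fleet.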
Arches, please test and mark stable: =app-office/openoffice-bin-4.1.2 Target keywords : "amd64 x86"
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work. Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201603-05 at https://security.gentoo.org/glsa/201603-05 by GLSA coordinator Kristian Fiskerstrand (K_F).