Bug 308015 (CVE-2009-3569) - app-office/openoffice buffer overflow (CVE-2009-{3569,3570,3571})
Status: RESOLVED FIXED
Alias: CVE-2009-3569
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Reported: 2010-03-06 14:33 UTC by Stefan Behte (RETIRED)
Modified: 2013-09-03 02:13 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:33:47 UTC
CVE-2009-3569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3569):
  Stack-based buffer overflow in OpenOffice.org (OOo) allows remote
  attackers to execute arbitrary code via unspecified vectors, as
  demonstrated by a certain module in VulnDisco Pack Professional 8.8,
  aka "Client-side stack overflow exploit." NOTE: as of 20091005, this
  disclosure has no actionable information. However, because the
  VulnDisco Pack author is a reliable researcher, the issue is being
  assigned a CVE identifier for tracking purposes.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:00:43 UTC
CVE-2009-3570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3570):
  Unspecified vulnerability in OpenOffice.org (OOo) has unspecified
  impact and remote attack vectors, as demonstrated by a certain module
  in VulnDisco Pack Professional 8.9.  NOTE: as of 20091005, this
  disclosure has no actionable information. However, because the
  VulnDisco Pack author is a reliable researcher, the issue is being
  assigned a CVE identifier for tracking purposes.

CVE-2009-3571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3571):
  Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact
  and client-side attack vector, as demonstrated by a certain module in
  VulnDisco Pack Professional 8.8, aka "Client-side exploit." NOTE: as
  of 20091005, this disclosure has no actionable information. However,
  because the VulnDisco Pack author is a reliable researcher, the issue
  is being assigned a CVE identifier for tracking purposes.

Comment 2 Andreas Proschofsky (RETIRED) gentoo-dev 2010-03-08 10:23:20 UTC
To be honest, I have real problems finding any useful information in the CVEs:
which version this relates to, what the vulnerability actually is. Could you
please help here?

btw: are you sure those are actually valid for Linux?

http://securitytracker.com/alerts/2009/Sep/1022832.html

only lists Windows for two of those...
Comment 3 Andreas Proschofsky (RETIRED) gentoo-dev 2010-04-18 13:36:14 UTC
Ping? Any security pros who want to give some insight here? From my perspective these are non-issues for us...
Comment 4 Andreas Proschofsky (RETIRED) gentoo-dev 2010-11-11 19:16:24 UTC
As long as no one can actually come up with actual proof that we are concerned by that (or that it's still open), I'd vote for closing this as invalid.
Comment 5 Tomáš Chvátal (RETIRED) gentoo-dev 2011-07-26 22:51:16 UTC
Versions not in main tree. As only security people can close sec bugs, do whatever you feel like; removing ooo from cc.
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 02:13:03 UTC
Old bug. noglsa.