Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 332321 (CVE-2010-2935) - <app-office/openoffice-{3.2.1-r1,bin-3.3.0}: Two Heap Overflows in OpenOffice Impress (CVE-2010-{2935,2936})
Summary: <app-office/openoffice-{3.2.1-r1,bin-3.3.0}: Two Heap Overflows in OpenOffice...
Status: RESOLVED FIXED
Alias: CVE-2010-2935
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on: 345309
Blocks:
  Show dependency tree
 
Reported: 2010-08-11 18:19 UTC by Tim Sammut (RETIRED)
Modified: 2014-08-31 15:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-08-11 18:19:29 UTC
From http://www.openwall.com/lists/oss-security/2010/08/11/1

Two security flaws have been reported against OpenOffice.org's Impress tool:
    [1] http://securityevaluators.com/files/papers/CrashAnalysis.pdf

A, an integer truncation error, leading to heap-based buffer overflow when
   processing dictionary property items of the input *.ppt file:

   References:
     [2] https://bugzilla.redhat.com/show_bug.cgi?id=622529
     [3] http://secunia.com/advisories/40775/
     [4] http://securityevaluators.com/files/papers/CrashAnalysis.pdf
     [5] http://www.openoffice.org/servlets/ReadMsg?list=dev&msgNo=27690

B, a short integer overflow, leading to heap-based buffer overflow, when processing
   *.ppt document with too big polygons

   References:
     [6] https://bugzilla.redhat.com/show_bug.cgi?id=622555
     [7] http://secunia.com/advisories/40775/
     [8] http://securityevaluators.com/files/papers/CrashAnalysis.pdf
     [9] http://www.openoffice.org/servlets/ReadMsg?list=dev&msgNo=27690 

The Red Hat bug appears to have an upstream-approved patch.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-08-11 20:23:06 UTC
CVEs assigned.

> A, an integer truncation error, leading to heap-based buffer overflow
> > when
> >     processing dictionary property items of the input *.ppt file:

CVE-2010-2935

> > 
> > B, a short integer overflow, leading to heap-based buffer overflow,
> > when processing
> >     *.ppt document with too big polygons

CVE-2010-2936
Comment 2 Andreas Proschofsky (RETIRED) gentoo-dev 2010-11-11 19:27:43 UTC
Sorry for being awfully late on this. Anyway: This is fixed now in openoffice-3.2.1-r1

For openoffice-bin we have to wait for 3.3.0 unfortunately... Nothing we can do here
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 22:55:57 UTC
@openoffice, can we stabilize =app-office/openoffice-bin-3.3.0?
Comment 4 Andreas Proschofsky (RETIRED) gentoo-dev 2011-03-19 23:25:20 UTC
(In reply to comment #3)
> @openoffice, can we stabilize =app-office/openoffice-bin-3.3.0?

It's still a bit new in the tree, but not one single bug has been filed against it until now. Also -bin updates are usually pretty uncomplicated. So I would say: Yes.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 23:41:01 UTC
(In reply to comment #4)
> So I would say: Yes.

Great, thank you.

Arches, please test and mark stable:
=app-office/openoffice-bin-3.3.0
Target keywords : "amd64 x86"
Comment 6 blain 'Doc' Anderson 2011-03-20 00:11:04 UTC
amd64 installed fine
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-20 15:54:27 UTC
x86 stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-03-21 11:45:22 UTC
amd64 done. Thanks Agostino
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 14:26:24 UTC
Thanks, again everyone. Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 15:21:25 UTC
This issue was resolved and addressed in
 GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).