[BSA-020] Security Update for openoffice.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Rene Engelhard uploaded new packages for OpenOffice.org which fixed the
following security problems:
CVE-2010-3450 =
=20
=
=20
During an internal security audit within Red Hat, a directory =
=20
traversal vulnerability has been discovered in the way =
=20
OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files. If =
=20
a local user is tricked into opening a specially-crafted OOo XML =
=20
filters package file, this problem could allow remote attackers to =
=20
create or overwrite arbitrary files belonging to local user or, =
=20
potentially, execute arbitrary code. =
=20
=
=20
CVE-2010-3451 =
=20
=
=20
During his work as a consultant at Virtual Security Research =
=20
(VSR), Dan Rosenberg discovered a vulnerability in =
=20
OpenOffice.org's RTF parsing functionality. Opening a maliciously =
=20
crafted RTF document can caus an out-of-bounds memory read into =
=20
previously allocated heap memory, which may lead to the execution =
=20
of arbitrary code. =
=20
=
=20
CVE-2010-3452 =
=20
=
=20
Dan Rosenberg discovered a vulnerability in the RTF file parser =
=20
which can be leveraged by attackers to achieve arbitrary code =
=20
execution by convincing a victim to open a maliciously crafted RTF =
=20
file. =
=20
=
=20
CVE-2010-3453 =
=20
=
=20
As part of his work with Virtual Security Research, Dan Rosenberg =
=20
discovered a vulnerability in the WW8ListManager::WW8ListManager() =
=20
function of OpenOffice.org that allows a maliciously crafted file =
=20
to cause the execution of arbitrary code. =20
CVE-2010-3454 =
=20
=
=20
As part of his work with Virtual Security Research, Dan Rosenberg =
=20
discovered a vulnerability in the WW8DopTypography::ReadFromMem() =
=20
function in OpenOffice.org that may be exploited by a maliciously =
=20
crafted file which allowins an attacker to control program flow =
=20
and potentially execute arbitrary code. =
=20
=
=20
CVE-2010-3689 =
=20
=
=20
Dmitri Gribenko discovered that the soffice script does not treat =
=20
an empty LD_LIBRARY_PATH variable like an unset one, may lead to =
=20
the execution of arbitrary code. =
=20
=
=20
CVE-2010-4253 =
=20
=
=20
A heap based buffer overflow has been discovered with unknown impact.=
=20
=
=20
CVE-2010-4643 =
=20
=
=20
A vulnerability has been discovered in the way OpenOffice.org =
=20
handles TGA graphics which can be tricked by a specially crafted =
=20
TGA file that could cause the program to crash due to a heap-based =
=20
buffer overflow with unknown impact. =
=20
For the lenny-backports distribution the problems have been fixed in
version 1:3.2.1-11+squeeze2~bpo50+1. =
=20
For the stable distribution (lenny), these problems have been fixed in
version 1:2.4.1-1+lenny11.
For the upcoming stable version (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1:3.2.1-11+squeeze2.
For the experimental distribution, these problems have been fixed in
LibreOffice version 1:3.3.0~rc3-1.
Upgrade instructions
- --------------------
If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.
[1] <http://backports.debian.org/Instructions>
We recommend to pin (in /etc/apt/preferences) the backports repository to
200 so that new versions of installed backports will be installed
automatically.
Package: *
Pin: release a=3Dlenny-backports
Pin-Priority: 200
Gr=C3=BC=C3=9Fe/Regards,
Rene
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBCAAGBQJNQdGlAAoJEAqgRXHQPj5wEjgP/0ipv+P3IXG4vwE863TAWXbB
TJ3/lV+O1AAnzT9BQ/O03g8laz7NguC74wr/qQRB9saq1j6bgGiKQLdd3kobuV0r
mR8rx9rRRTXvb2MIJUg55Ki/ElL8cnuecsMQbwk92GceMA4Gx2GEKvF0I0XF31M8
E/VDPz0T9IqbUBhVsq7ZqvLps/2hpm5Oya90hHlHjnlsiX+a/XUcuOfNnd4oPDzt
lUfT4P2DyvL+LoNjNMp90Qme4Ajldt0cxxlmRPfgX73uTTGuCSR5F9hqARBPabbe
m/kCjytsEpvQYZI2RkAWnyx0PInbuFZHA6c6w8b1AA7QuXP6lcJIDKJUhdBnz4RD
PQvasENadBELLKNcrE/rctsSQK/IJK3058q26slW/bpru0bb9ABSNJH4lBqBVQG1
owVgkC4D5GYm1A/SnorGGK1NQ/oEJ/7hROCPEhL43+IGUOSIIUJRyRRr0VCwWBa3
+elirAZM97iu+m4Z0eIvaJlDR5oZNWhrs6d0PpI17Gsj6jUCC4Y1kI2+sQeldrk2
eNNoZrSJoN6dPltIsJkKqg9xhXdjNSjUc4NoEL9qlN4WNmZyPDvWZL4R8w6uQ8Bl
8qR6S3Gp3Qv5uDXeQLFxqBs5cSZ19Oi3NscNWlR3qwmQVmE5/RetT5GYHNwEoBVD
W7XnsKdQNwjX+v22q69d
=3DhFIO
-----END PGP SIGNATURE-----
Reply to: