OpenOffice document heap-based buffer overflow
| openoffice-doc-heap-bo (20058) |  High Risk |
Description:
OpenOffice is vulnerable to a heap-based buffer overflow in the StgCompObjStream::Load() function. By creating a specially-crafted DOC file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
Consequences:
Gain Access
Remedy:
Apply the fix for this vulnerability, available from the OpenOffice.org Issue 46388 Web page. See References.
For SUSE Linux:
Upgrade to the latest version of OpenOffice, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:025 for more information. See References.
x86
SUSE Linux 9.3: 1.9.79-9.2 or later
SUSE Linux 9.2: 1.1.3-16.2 or later
SUSE Linux 9.1: 1.1.1-23.6 or later
SUSE Linux 9.0: 1.1-100 or later
SUSE Linux 8.2: 1.0.2-76 or later
For Conectiva Linux 10.0:
Upgrade to the latest version of ConectivaOffice (1.1.4 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:968. See References.
For Red Hat Linux:
Refer to RHSA-2005:375-07 for patch, upgrade, or suggested workaround information. See References.
For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2005-04-13 for patch, upgrade, or suggested workaround information. See References.
For Ubuntu Linux:
Refer to USN-121-1 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, Mon Apr 11 2005 - 19:04:38 CDT : OpenOffice DOC document Heap Overflow.
- CIAC INFORMATION BULLETIN P-192: OpenOffice.org Buffer Overflow Vulnerability.
- Conectiva Linux Security Announcement CLSA-2005:968: Buffer overflow fix and a new upstream version.
- OpenOffice Issue list: Issue 46388 .
- OpenOffice.org Web site: OpenOffice.org.
- BID-13092: OpenOffice Malformed Document Remote Heap Overflow Vulnerability
- CVE-2005-0941: The StgCompObjStream::Load function in OpenOffice.org OpenOffice 1.1.4 and earlier allocates memory based on 16 bit length values, but process memory using 32 bit values, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a DOC document with certain length values, which leads to a heap-based buffer overflow.
- GLSA-200504-13: OpenOffice.Org: DOC document Heap Overflow
- MDKSA-2005:082: Updated OpenOffice.org packages fix heap overflow vulnerability
- RHSA-2005-375: openoffice.org security update
- SUSE-SA:2005:025: OpenOffice_org: heap overflow problem
- SUSE-SR:2005:021: SUSE Security Summary Report
- USN-121-1: OpenOffice.org vulnerability
Platforms Affected:
- Canonical Ubuntu 4.10
- Canonical Ubuntu 5.04
- Conectiva Linux 10
- Gentoo Linux
- MandrakeSoft Mandrake Linux 10.1 X86_64
- MandrakeSoft Mandrake Linux 10.1
- MandrakeSoft Mandrake Linux LE2005
- MandrakeSoft Mandrake Linux LE2005 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 3.0
- Novell Linux Desktop 9
- OpenOffice OpenOffice.org 1.1.4
- OpenOffice OpenOffice.org 2.0 dev
- RedHat Enterprise Linux 3 Desktop
- RedHat Enterprise Linux 3 WS
- RedHat Enterprise Linux 3 ES
- RedHat Enterprise Linux 3 AS
- RedHat Enterprise Linux 4 ES
- RedHat Enterprise Linux 4 WS
- RedHat Enterprise Linux 4 Desktop
- RedHat Enterprise Linux 4 AS
- SUSE SuSE Linux 8.2
- SUSE SuSE Linux 9.0
- SUSE SuSE Linux 9.1
- SUSE SuSE Linux 9.2
- SUSE SuSE Linux 9.3
- SuSE SuSE Linux Desktop 1.0
Reported:
Mar 30, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net