ISS X-Force Database: openoffice-doc-heap-bo(20058): OpenOffice document heap-based buffer overflow

OpenOffice document heap-based buffer overflow

openoffice-doc-heap-bo (20058)

High Risk

Description:

OpenOffice is vulnerable to a heap-based buffer overflow in the StgCompObjStream::Load() function. By creating a specially-crafted DOC file, a remote attacker could overflow a buffer and execute arbitrary code on the system.

Platforms Affected:

Canonical, Ubuntu 4.10
Canonical, Ubuntu 5.04
Conectiva, Linux 10
Gentoo, Linux
MandrakeSoft, Mandrake Linux 10.1 X86_64
MandrakeSoft, Mandrake Linux 10.1
MandrakeSoft, Mandrake Linux LE2005 X86_64
MandrakeSoft, Mandrake Linux LE2005
MandrakeSoft, Mandrake Linux Corporate Server 3.0
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
Novell, Linux Desktop 9
OpenOffice, OpenOffice.org 1.1.4
OpenOffice, OpenOffice.org 2.0dev
RedHat, Enterprise Linux 3 Desktop
RedHat, Enterprise Linux 3 AS
RedHat, Enterprise Linux 3 WS
RedHat, Enterprise Linux 3 ES
RedHat, Enterprise Linux 4 WS
RedHat, Enterprise Linux 4 Desktop
RedHat, Enterprise Linux 4 AS
RedHat, Enterprise Linux 4 ES
SuSE, SuSE Linux 8.2
SuSE, SuSE Linux 9.0
SuSE, SuSE Linux 9.1
SuSE, SuSE Linux 9.2
SuSE, SuSE Linux 9.3
SuSE, SuSE Linux Desktop 1.0

Remedy:

Apply the fix for this vulnerability, available from the OpenOffice.org Issue 46388 Web page. See References.

For SUSE Linux:
Upgrade to the latest version of OpenOffice, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:025 for more information. See References.

x86
SUSE Linux 9.3: 1.9.79-9.2 or later
SUSE Linux 9.2: 1.1.3-16.2 or later
SUSE Linux 9.1: 1.1.1-23.6 or later
SUSE Linux 9.0: 1.1-100 or later
SUSE Linux 8.2: 1.0.2-76 or later

For Conectiva Linux 10.0:
Upgrade to the latest version of ConectivaOffice (1.1.4 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:968. See References.

For Red Hat Linux:
Refer to RHSA-2005:375-07 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2005-04-13 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-121-1 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

BugTraq Mailing List, Mon Apr 11 2005 - 19:04:38 CDT , OpenOffice DOC document Heap Overflow at http://archives.neohapsis.com/archives/bugtraq/2005-04/0137.html.
CIAC INFORMATION BULLETIN P-192, OpenOffice.org Buffer Overflow Vulnerability at http://www.ciac.org/ciac/bulletins/p-192.shtml.
Conectiva Linux Security Announcement CLSA-2005:968, Buffer overflow fix and a new upstream version at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000968.
OpenOffice Issue list, Issue 46388 at http://www.openoffice.org/issues/show_bug.cgi?id=46388.
OpenOffice.org Web site, OpenOffice.org at http://www.openoffice.org/.
BID-13092: OpenOffice Malformed Document Remote Heap Overflow Vulnerability
CVE-2005-0941: The StgCompObjStream::Load function in OpenOffice.org OpenOffice 1.1.4 and earlier allocates memory based on 16 bit length values, but process memory using 32 bit values, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a DOC document with certain length values, which leads to a heap-based buffer overflow.
GLSA-200504-13: OpenOffice.Org: DOC document Heap Overflow
MDKSA-2005:082: Updated OpenOffice.org packages fix heap overflow vulnerability
RHSA-2005-375: openoffice.org security update
SUSE-SA:2005:025: OpenOffice_org: heap overflow problem
SUSE-SR:2005:021: SUSE Security Summary Report
USN-121-1: OpenOffice.org vulnerability

Reported:

Mar 30, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page