ISS X-Force Database: openoffice-wmf-emf-bo(31257): OpenOffice.org and StarOffice/Office Suite WMF and EMF buffer overflow

OpenOffice.org and StarOffice/Office Suite WMF and EMF buffer overflow

openoffice-wmf-emf-bo (31257)

High Risk

Description:

OpenOffice.org and StarOffice/Office Suite are vulnerable to multiple heap-based buffer overflows, caused by improper bounds checking of META_ESCAPE, EMR_POLYPOLYGON, and EMR_POLYPOLYGON16 records in WMF and EMF files. By creating a specially-crafted WMF or EMF file and persuading a victim to open the file, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim.

Platforms Affected:

Canonical, Ubuntu 5.10
Canonical, Ubuntu 6.06 LTS
Debian, Debian Linux 3.1
Gentoo, Linux
MandrakeSoft, Mandrake Linux 2007 X86_64
MandrakeSoft, Mandrake Linux 2007
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0
Novell, Linux Desktop 9
Novell, OpenSUSE 10.2
OpenOffice, OpenOffice.org 1.1.5
OpenOffice, OpenOffice.org 2.0.4 and prior
RedHat, Enterprise Linux 3 Desktop
RedHat, Enterprise Linux 3 WS
RedHat, Enterprise Linux 3 ES
RedHat, Enterprise Linux 3 AS
RedHat, Enterprise Linux 4 WS
RedHat, Enterprise Linux 4 Desktop
RedHat, Enterprise Linux 4 ES
RedHat, Enterprise Linux 4 AS
Sun, StarOffice 6.0
Sun, StarOffice 7.0
Sun, StarOffice 8.0
SuSE, SLE SDK 10
SuSE, SuSE Linux 10.0
SuSE, SuSE Linux 10.1
SuSE, SuSE Linux 9.3
SuSE, SuSE SLED 10

Remedy:

Refer to OpenOffice.org Issue 70042 for patch information. See References.

For Red Hat Linux:
Refer to RHSA-2007:0001-3 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2007:001 for patch, upgrade or suggested workaround information. See References.

For StarOffice and StarSuite::
Refer to Sun Alert ID: 102735 for patch or upgrade information. See References.

For Debian GNU/Linux:
Refer to DSA-1246-1 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-406-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200701-07 for patch, upgrade, or suggested workaround information. See References.

For Mandriva Linux:
Refer to Mandriva Linux Security Advisory MDKSA-2007:006 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

Full-Disclosure Mailing List, Wed Jan 03 2007 - 21:41:27 CST, OpenOffice.org issued a WMF code execution fix at http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0077.html.
NGSSoftware Advisory January 4th, 2007, High Risk Vulnerabilities in the StarOffice Suite at http://www.ngssoftware.com/advisories/high-risk-vulnerabilities-in-the-staroffice-suite/.
OpenOffice.org Issue 70042, catch out out bounds wmf/emf values at http://www.openoffice.org/issues/show_bug.cgi?id=70042.
OpenOffice.org Web site, OpenOffice.org at http://www.openoffice.org/index.html.
Sun Alert ID: 102735, Security Vulnerability With StarOffice/StarSuite Versions 6, 7 and 8 Related to the '.wmf' File Format at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102735-1.
ASA-2007-016: OpenOffice.org security update (RHSA-2007-0001)
ASA-2007-035: Security Vulnerability With StarOffice/StarSuite Versions 6 7 and 8 Related to the .wmf File Format (SUN 102735)
CVE-2006-5870: Multiple integer overflows in OpenOffice.org (OOo) 2.0.4 and earlier, and possibly other versions before 2.1.0; and StarOffice 6 through 8; allow user-assisted remote attackers to execute arbitrary code via a crafted (a) WMF or (b) EMF file that triggers heap-based buffer overflows in (1) wmf/winwmf.cxx, during processing of META_ESCAPE records; and wmf/enhwmf.cxx, during processing of (2) EMR_POLYPOLYGON and (3) EMR_POLYPOLYGON16 records.
DSA-1246: openoffice.org -- buffer overflow
GLSA-200701-07: OpenOffice.org: EMF/WMF file handling vulnerabilities
MDKSA-2007:006: Updated OpenOffice.org packages fix WMF vulnerability
RHSA-2007-0001: Important: openoffice.org security update
SA23600: StarOffice WMF/EMF Processing Buffer Overflow Vulnerabilities
SA23612: OpenOffice WMF/EMF Processing Buffer Overflow Vulnerabilities
SECTRACK ID: 1017466: OpenOffice.org Office Suite Integer Overflow in Processing WMF/EMF Files Lets Remote Users Execute Arbitrary Code
SUSE-SA:2007:001: OpenOffice_org WMF buffer overflows
US-CERT VU#220288: OpenOffice fails to properly process WMF and EMF files
USN-406-1: OpenOffice.org vulnerability
VUPEN/ADV-2007-0031: OpenOffice ReadEnhWMF() and ReadRecordParams() Buffer Overflow Vulnerabilities
VUPEN/ADV-2007-0059: Sun StarOffice/StarSuite WMF/EMF File Handling Client-Side Buffer Overflow Vulnerabilities

Reported:

Jan 03, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page