Executive Summary



This alert is flagged as a CWE/SANS TOP 25 Common Weakness Enumeration entry.
Information

Name: MDVSA-2011:027
First vendor Publication: 2011-02-14
Vendor: Mandriva
Last vendor Modification: 2011-02-14
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Base Score: 9.3      Attack Range: Network
CVSS Impact Score: 10     Attack Complexity: Medium
CVSS Exploit Score: 8.6   Authentication: None Required

Detail

Multiple vulnerabilities were discovered and corrected in OpenOffice.org:

Multiple directory traversal vulnerabilities allow remote attackers to overwrite arbitrary files via a .. (dot dot) in an entry in an XSLT JAR filter description file, an Extension (aka OXT) file, or unspecified other JAR or ZIP files (CVE-2010-3450).
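The CVE-2010-3450 entry above is the classic archive-extraction form of path traversal (CWE-22): an entry name inside an XSLT filter JAR or OXT extension package contains `..`, so unpacking it writes outside the extraction directory. The following added example is my code, not OpenOffice.org's or Mandriva's; it shows the check an extractor needs before writing any member, and runs it over a constructed in-memory OXT-style ZIP with two benign and two traversal entries. The names `is_safe_member`, `classify_members` and `build_sample_oxt` and the sample file names are assumptions made for this example, not from the project.

```python
import io
import os
import zipfile


def is_safe_member(dest_dir: str, name: str) -> bool:
    """Accept an archive entry name only if it stays inside dest_dir.

    Defence against CWE-22 in archive extraction: reject empty names,
    absolute paths, drive letters, backslash separators and any '..'
    component, then confirm that the resolved target still has dest_dir
    as its prefix (this second check is deliberately redundant; it also
    catches a dest_dir that is itself a symlink).
    """
    if not name or name.startswith(("/", "\\")) or ":" in name or "\\" in name:
        return False
    parts = [p for p in name.split("/") if p]
    if any(p == ".." for p in parts):
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    return target == dest or target.startswith(dest + os.sep)


def classify_members(zip_bytes: bytes, dest_dir: str):
    """Split an archive's member names into (safe, rejected) lists.

    A hardened extractor only ever calls ZipFile.extract on the first
    list; the second list is what a detection rule should log, because
    a benign extension package never needs such entries.
    """
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (safe if is_safe_member(dest_dir, name) else rejected).append(name)
    return safe, rejected


def build_sample_oxt() -> bytes:
    """Constructed sample (assumption, not a real extension): an OXT-style
    ZIP with two benign entries and two traversal entries of the kind
    CVE-2010-3450 describes. zipfile stores the names verbatim, so the
    archive really does carry '..' and a leading '/'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/manifest.xml", "<manifest/>")
        zf.writestr("description.xml", "<description/>")
        zf.writestr("../../outside.txt", "would land above the extraction directory")
        zf.writestr("/absolute/outside.txt", "would land at an absolute path")
    return buf.getvalue()


if __name__ == "__main__":
    accepted, refused = classify_members(build_sample_oxt(), "/tmp/ooo-extract")
    print("safe:", accepted)
    print("rejected:", refused)
```

The filter is intentionally conservative: a name such as `sub/../file` is refused even though it would resolve inside the target, and a colon anywhere in the name is refused to cover Windows drive letters. Neither restriction affects well-formed OXT or JAR packages, which use plain relative forward-slash paths.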

Use-after-free vulnerability in oowriter allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via malformed tables in an RTF document (CVE-2010-3451).

Use-after-free vulnerability in oowriter allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted tags in an RTF document (CVE-2010-3452).

The WW8ListManager::WW8ListManager function in oowriter does not properly handle an unspecified number of list levels in user-defined list styles in WW8 data in a Microsoft Word document, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted .DOC file that triggers an out-of-bounds write (CVE-2010-3453).

Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in oowriter allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted typography information in a Microsoft Word .DOC file that triggers an out-of-bounds write (CVE-2010-3454).

soffice places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory (CVE-2010-3689).

Heap-based buffer overflow in Impress allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file in an ODF or Microsoft Office document, as demonstrated by a PowerPoint (aka PPT) document (CVE-2010-4253).

Heap-based buffer overflow in Impress allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TGA file in an ODF or Microsoft Office document (CVE-2010-4643).

OpenOffice.org packages have been updated in order to fix these issues. Additionally, openoffice.org-voikko packages, which require OpenOffice.org, are also provided, and the voikko package is upgraded from version 2.0 to 2.2.1 in MES5.1.

Original Source

URL: http://www.mandriva.com/security/advisories?name=MDVSA-2011:027

CWE : Common Weakness Enumeration

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-399: Resource Management Errors
CWE-264: Permissions, Privileges, and Access Controls
CWE-189: Numeric Errors (CWE/SANS Top 25)
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21625
 
Oval ID: oval:org.mitre.oval:def:21625
Title: RHSA-2011:0183: openoffice.org security and bug fix update (Important)
Description: Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file in an ODF or Microsoft Office document.
Family: unix Class: patch
Reference(s): RHSA-2011:0183-01
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 107
Platform(s): Red Hat Enterprise Linux 6
Product(s): openoffice.org
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21381
 
Oval ID: oval:org.mitre.oval:def:21381
Title: RHSA-2011:0182: openoffice.org security update (Important)
Description: Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file in an ODF or Microsoft Office document.
Family: unix Class: patch
Reference(s): RHSA-2011:0182-01
CESA-2011:0182
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 107
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): openoffice.org
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13739
 
Oval ID: oval:org.mitre.oval:def:13739
Title: USN-1056-1 -- openoffice.org vulnerabilities
Description: Charlie Miller discovered several heap overflows in PPT processing. If a user or automated system were tricked into opening a specially crafted PPT document, a remote attacker could execute arbitrary code with user privileges. Ubuntu 10.10 was not affected. Marc Schoenefeld discovered that directory traversal was not correctly handled in XSLT, OXT, JAR, or ZIP files. If a user or automated system were tricked into opening a specially crafted document, a remote attacker could overwrite arbitrary files, possibly leading to arbitrary code execution with user privileges. Dan Rosenberg discovered multiple heap overflows in RTF and DOC processing. If a user or automated system were tricked into opening a specially crafted RTF or DOC document, a remote attacker could execute arbitrary code with user privileges. Dmitri Gribenko discovered that OpenOffice.org did not correctly handle LD_LIBRARY_PATH in various tools. If a local attacker tricked a user or automated system into using OpenOffice.org from an attacker-controlled directory, they could execute arbitrary code with user privileges. Marc Schoenefeld discovered that OpenOffice.org did not correctly process PNG images. If a user or automated system were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges. It was discovered that OpenOffice.org did not correctly process TGA images. If a user or automated system were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges.
Family: unix Class: patch
Reference(s): USN-1056-1
CVE-2010-2935
CVE-2010-2936
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 10.10
Ubuntu 9.10
Ubuntu 10.04
Product(s): openoffice.org
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12858
 
Oval ID: oval:org.mitre.oval:def:12858
Title: DSA-2151-1 openoffice.org -- several
Description: Several security related problems have been discovered in the OpenOffice.org package that allow malformed documents to trick the system into crashes or even the execution of arbitrary code.

CVE-2010-3450: During an internal security audit within Red Hat, a directory traversal vulnerability has been discovered in the way OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files. If a local user is tricked into opening a specially-crafted OOo XML filters package file, this problem could allow remote attackers to create or overwrite arbitrary files belonging to the local user or, potentially, execute arbitrary code.

CVE-2010-3451: During his work as a consultant at Virtual Security Research, Dan Rosenberg discovered a vulnerability in OpenOffice.org's RTF parsing functionality. Opening a maliciously crafted RTF document can cause an out-of-bounds memory read into previously allocated heap memory, which may lead to the execution of arbitrary code.

CVE-2010-3452: Dan Rosenberg discovered a vulnerability in the RTF file parser which can be leveraged by attackers to achieve arbitrary code execution by convincing a victim to open a maliciously crafted RTF file.

CVE-2010-3453: As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8ListManager::WW8ListManager function of OpenOffice.org that allows a maliciously crafted file to cause the execution of arbitrary code.

CVE-2010-3454: As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8DopTypography::ReadFromMem function in OpenOffice.org that may be exploited by a maliciously crafted file which allows an attacker to control program flow and potentially execute arbitrary code.

CVE-2010-3689: Dmitri Gribenko discovered that the soffice script does not treat an empty LD_LIBRARY_PATH variable like an unset one, which may lead to the execution of arbitrary code.

CVE-2010-4253: A heap based buffer overflow has been discovered with unknown impact.

CVE-2010-4643: A vulnerability has been discovered in the way OpenOffice.org handles TGA graphics, which can be tricked by a specially crafted TGA file that could cause the program to crash due to a heap-based buffer overflow with unknown impact.
Family: unix Class: patch
Reference(s): DSA-2151-1
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): openoffice.org
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23509
 
Oval ID: oval:org.mitre.oval:def:23509
Title: ELSA-2011:0183: openoffice.org security and bug fix update (Important)
Description: Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file in an ODF or Microsoft Office document.
Family: unix Class: patch
Reference(s): ELSA-2011:0183-01
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 37
Platform(s): Oracle Linux 6
Product(s): openoffice.org
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23069
 
Oval ID: oval:org.mitre.oval:def:23069
Title: ELSA-2011:0182: openoffice.org security update (Important)
Description: Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file in an ODF or Microsoft Office document.
Family: unix Class: patch
Reference(s): ELSA-2011:0182-01
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 37
Platform(s): Oracle Linux 5
Product(s): openoffice.org
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28209
 
Oval ID: oval:org.mitre.oval:def:28209
Title: ELSA-2011-0183 -- openoffice.org security and bug fix update (important)
Description:
[3.2.1-19.3.0.1.el6_0.5]
- Replaced RedHat colors with Oracle colors, OOO_VENDOR with Oracle Corp., and the filename redhat.soc with oracle.soc in specfile bug#10911
[1:3.2.1-19.6.5]
- Related: rhbz#671087 set right file permissions
[1:3.2.1-19.6.4]
- Resolves: rhbz#671087 file locks are not created with gvfs-sftp volumes with OpenOffice.org
[1:3.2.1-19.6.3]
- Resolves: rhbz#642200 openoffice.org various flaws
  - CVE-2010-4643 heap based buffer overflow when parsing TGA files
[1:3.2.1-19.6.2]
- Resolves: rhbz#642200 openoffice.org various flaws
  - CVE-2010-4253 heap based buffer overflow in PPT import
[1:3.2.1-19.6.1]
- Resolves: rhbz#642200 openoffice.org various flaws
  - CVE-2010-3450 directory traversal flaws in handling of XSLT jar filter descriptions and OXT extension files
  - CVE-2010-3451 Array index error by insecure parsing of broken rtf tables
  - CVE-2010-3452 Integer signedness error (crash) by processing certain RTF tags
  - CVE-2010-3453 Heap-based buffer overflow by processing *.doc files with WW8 list styles with specially-crafted count of list levels
  - CVE-2010-3454 Array index error by scanning document typography information of certain *.doc files
  - CVE-2010-3689 soffice insecure LD_LIBRARY_PATH setting
Family: unix Class: patch
Reference(s): ELSA-2011-0183
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 2
Platform(s): Oracle Linux 6
Product(s): openoffice.org
Definition Synopsis:

CPE : Common Platform Enumeration

Type: Application    Count: 18

OpenVAS Exploits

2012-07-30  Name: CentOS Update for openoffice.org CESA-2011:0181 centos4 x86_64
            File: nvt/gb_CESA-2011_0181_openoffice.org_centos4_x86_64.nasl
2012-07-30  Name: CentOS Update for openoffice.org-base CESA-2011:0182 centos5 x86_64
            File: nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_x86_64.nasl
2012-07-09  Name: RedHat Update for openoffice.org RHSA-2011:0183-01
            File: nvt/gb_RHSA-2011_0183-01_openoffice.org.nasl
2011-08-09  Name: CentOS Update for openoffice.org-base CESA-2011:0182 centos5 i386
            File: nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_i386.nasl
2011-03-07  Name: Debian Security Advisory DSA 2151-1 (openoffice.org)
            File: nvt/deb_2151_1.nasl
2011-03-05  Name: FreeBSD Ports: openoffice.org
            File: nvt/freebsd_openoffice.org0.nasl
2011-02-18  Name: Fedora Update for openoffice.org FEDORA-2011-0837
            File: nvt/gb_fedora_2011_0837_openoffice.org_fc13.nasl
2011-02-16  Name: Mandriva Update for openoffice.org MDVSA-2011:027 (openoffice.org)
            File: nvt/gb_mandriva_MDVSA_2011_027.nasl
2011-02-11  Name: CentOS Update for openoffice.org CESA-2011:0181 centos4 i386
            File: nvt/gb_CESA-2011_0181_openoffice.org_centos4_i386.nasl
2011-02-05  Name: OpenOffice.org 'soffice' Directory Traversal Vulnerability (Win)
            File: nvt/secpod_openoffice_soffice_dir_traversal_vuln_win.nasl
2011-02-04  Name: Ubuntu Update for openoffice.org vulnerabilities USN-1056-1
            File: nvt/gb_ubuntu_USN_1056_1.nasl
2011-01-31  Name: RedHat Update for openoffice.org and openoffice.org2 RHSA-2011:0181-01
            File: nvt/gb_RHSA-2011_0181-01_openoffice.org_and_openoffice.org2.nasl
2010-08-30  Name: OpenOffice.org Buffer Overflow and Directory Traversal Vulnerabilities (Win)
            File: nvt/secpod_openoffice_mult_vuln_win.nasl

Open Source Vulnerability Database (OSVDB)

70718  OpenOffice.org (OOo) Impress Crafted TGA File Handling Overflow
70717  OpenOffice.org (OOo) Impress Crafted PNG File Handling Overflow
70716  OpenOffice.org (OOo) soffice LD_LIBRARY_PATH Zero-length Directory Name Path ...
70715  OpenOffice.org (OOo) oowriter WW8DopTypography::ReadFromMem Function Crafted ...
70714  OpenOffice.org (OOo) oowriter WW8ListManager::WW8ListManager Function Crafted...
70713  OpenOffice.org (OOo) oowriter RTF Document Crafted Tags Use-after-free Overflow
70712  OpenOffice.org (OOo) oowriter RTF Document Malformed Table Use-after-free Ove...
70711  OpenOffice.org (OOo) Multiple File Type Traversal Arbitrary File Overwrite

Nessus® Vulnerability Scanner

2014-09-01  Name: The remote Gentoo host is missing one or more security-related patches.
            File: gentoo_GLSA-201408-19.nasl - Type: ACT_GATHER_INFO
2014-06-13  Name: The remote openSUSE host is missing a security update.
            File: suse_11_3_OpenOffice_org-110330.nasl - Type: ACT_GATHER_INFO
2013-07-12  Name: The remote Oracle Linux host is missing one or more security updates.
            File: oraclelinux_ELSA-2011-0181.nasl - Type: ACT_GATHER_INFO
2013-07-12  Name: The remote Oracle Linux host is missing one or more security updates.
            File: oraclelinux_ELSA-2011-0183.nasl - Type: ACT_GATHER_INFO
2012-08-01  Name: The remote Scientific Linux host is missing one or more security updates.
            File: sl_20110128_openoffice_org_and_openoffice_org2_on_SL4_x.nasl - Type: ACT_GATHER_INFO
2012-08-01  Name: The remote Scientific Linux host is missing one or more security updates.
            File: sl_20110128_openoffice_org_on_SL5_x.nasl - Type: ACT_GATHER_INFO
2012-08-01  Name: The remote Scientific Linux host is missing one or more security updates.
            File: sl_20110128_openoffice_org_on_SL6_x.nasl - Type: ACT_GATHER_INFO
2011-05-09  Name: The remote CentOS host is missing one or more security updates.
            File: centos_RHSA-2011-0182.nasl - Type: ACT_GATHER_INFO
2011-05-05  Name: The remote openSUSE host is missing a security update.
            File: suse_11_2_OpenOffice_org-110330.nasl - Type: ACT_GATHER_INFO
2011-03-21  Name: The remote SuSE 10 host is missing a security-related patch.
            File: suse_libreoffice331-7365.nasl - Type: ACT_GATHER_INFO
2011-03-21  Name: The remote SuSE 11 host is missing one or more security updates.
            File: suse_11_libreoffice331-110318.nasl - Type: ACT_GATHER_INFO
2011-02-17  Name: The remote Fedora host is missing a security update.
            File: fedora_2011-0837.nasl - Type: ACT_GATHER_INFO
2011-02-15  Name: The remote Mandriva Linux host is missing one or more security updates.
            File: mandriva_MDVSA-2011-027.nasl - Type: ACT_GATHER_INFO
2011-02-14  Name: The remote FreeBSD host is missing a security-related update.
            File: freebsd_pkg_f2b43905354511e08e810022190034c0.nasl - Type: ACT_GATHER_INFO
2011-02-06  Name: The remote CentOS host is missing one or more security updates.
            File: centos_RHSA-2011-0181.nasl - Type: ACT_GATHER_INFO
2011-02-03  Name: The remote Ubuntu host is missing one or more security-related patches.
            File: ubuntu_USN-1056-1.nasl - Type: ACT_GATHER_INFO
2011-01-31  Name: The remote Red Hat host is missing one or more security updates.
            File: redhat-RHSA-2011-0181.nasl - Type: ACT_GATHER_INFO
2011-01-31  Name: The remote Red Hat host is missing one or more security updates.
            File: redhat-RHSA-2011-0182.nasl - Type: ACT_GATHER_INFO
2011-01-31  Name: The remote Red Hat host is missing one or more security updates.
            File: redhat-RHSA-2011-0183.nasl - Type: ACT_GATHER_INFO
2011-01-27  Name: The remote Windows host has a program affected by multiple vulnerabilities.
            File: openoffice_33.nasl - Type: ACT_GATHER_INFO
2011-01-27  Name: The remote Debian host is missing a security-related update.
            File: debian_DSA-2151.nasl - Type: ACT_GATHER_INFO

Alert History

2014-02-17 11:42:04
  • Multiple Updates