Executive Summary
Information | |||
---|---|---|---|
Name | MDVSA-2011:027 | First vendor Publication | 2011-02-14 |
Vendor | Mandriva | Last vendor Modification | 2011-02-14 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Multiple vulnerabilities were discovered and corrected in OpenOffice.org:

Multiple directory traversal vulnerabilities allow remote attackers to overwrite arbitrary files via a .. (dot dot) in an entry in an XSLT JAR filter description file, an Extension (aka OXT) file, or unspecified other JAR or ZIP files (CVE-2010-3450).

Use-after-free vulnerability in oowriter allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via malformed tables in an RTF document (CVE-2010-3451).

Use-after-free vulnerability in oowriter allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted tags in an RTF document (CVE-2010-3452).

The WW8ListManager::WW8ListManager function in oowriter does not properly handle an unspecified number of list levels in user-defined list styles in WW8 data in a Microsoft Word document, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted .DOC file that triggers an out-of-bounds write (CVE-2010-3453).

Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in oowriter allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted typography information in a Microsoft Word .DOC file that triggers an out-of-bounds write (CVE-2010-3454).

soffice places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory (CVE-2010-3689).

Heap-based buffer overflow in Impress allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file in an ODF or Microsoft Office document, as demonstrated by a PowerPoint (aka PPT) document (CVE-2010-4253).

Heap-based buffer overflow in Impress allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TGA file in an ODF or Microsoft Office document (CVE-2010-4643).

OpenOffice.org packages have been updated in order to fix these issues. Additionally openoffice.org-voikko packages that require OpenOffice.org are also being provided and voikko package is upgraded from 2.0 to 2.2.1 version in MES5.1.
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2011:027 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
38 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
25 % | CWE-416 | Use After Free |
25 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
12 % | CWE-193 | Off-by-one Error |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12858 | |||
Oval ID: | oval:org.mitre.oval:def:12858 | ||
Title: | DSA-2151-1 openoffice.org -- several | ||
Description: | Several security related problems have been discovered in the OpenOffice.org package that allows malformed documents to trick the system into crashes or even the execution of arbitrary code. CVE-2010-3450 During an internal security audit within Red Hat, a directory traversal vulnerability has been discovered in the way OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files. If a local user is tricked into opening a specially-crafted OOo XML filters package file, this problem could allow remote attackers to create or overwrite arbitrary files belonging to local user or, potentially, execute arbitrary code. CVE-2010-3451 During his work as a consultant at Virtual Security Research, Dan Rosenberg discovered a vulnerability in OpenOffice.org's RTF parsing functionality. Opening a maliciously crafted RTF document can cause an out-of-bounds memory read into previously allocated heap memory, which may lead to the execution of arbitrary code. CVE-2010-3452 Dan Rosenberg discovered a vulnerability in the RTF file parser which can be leveraged by attackers to achieve arbitrary code execution by convincing a victim to open a maliciously crafted RTF file. CVE-2010-3453 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8ListManager::WW8ListManager function of OpenOffice.org that allows a maliciously crafted file to cause the execution of arbitrary code. CVE-2010-3454 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8DopTypography::ReadFromMem function in OpenOffice.org that may be exploited by a maliciously crafted file which allows an attacker to control program flow and potentially execute arbitrary code. CVE-2010-3689 Dmitri Gribenko discovered that the soffice script does not treat an empty LD_LIBRARY_PATH variable like an unset one, which may lead to the execution of arbitrary code. CVE-2010-4253 A heap based buffer overflow has been discovered with unknown impact. CVE-2010-4643 A vulnerability has been discovered in the way OpenOffice.org handles TGA graphics which can be tricked by a specially crafted TGA file that could cause the program to crash due to a heap-based buffer overflow with unknown impact. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2151-1 CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | openoffice.org |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for openoffice.org CESA-2011:0181 centos4 x86_64 File : nvt/gb_CESA-2011_0181_openoffice.org_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for openoffice.org-base CESA-2011:0182 centos5 x86_64 File : nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_x86_64.nasl |
2012-07-09 | Name : RedHat Update for openoffice.org RHSA-2011:0183-01 File : nvt/gb_RHSA-2011_0183-01_openoffice.org.nasl |
2011-08-09 | Name : CentOS Update for openoffice.org-base CESA-2011:0182 centos5 i386 File : nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_i386.nasl |
2011-03-07 | Name : Debian Security Advisory DSA 2151-1 (openoffice.org) File : nvt/deb_2151_1.nasl |
2011-03-05 | Name : FreeBSD Ports: openoffice.org File : nvt/freebsd_openoffice.org0.nasl |
2011-02-18 | Name : Fedora Update for openoffice.org FEDORA-2011-0837 File : nvt/gb_fedora_2011_0837_openoffice.org_fc13.nasl |
2011-02-16 | Name : Mandriva Update for openoffice.org MDVSA-2011:027 (openoffice.org) File : nvt/gb_mandriva_MDVSA_2011_027.nasl |
2011-02-11 | Name : CentOS Update for openoffice.org CESA-2011:0181 centos4 i386 File : nvt/gb_CESA-2011_0181_openoffice.org_centos4_i386.nasl |
2011-02-05 | Name : OpenOffice.org 'soffice' Directory Traversal Vulnerability (Win) File : nvt/secpod_openoffice_soffice_dir_traversal_vuln_win.nasl |
2011-02-04 | Name : Ubuntu Update for openoffice.org vulnerabilities USN-1056-1 File : nvt/gb_ubuntu_USN_1056_1.nasl |
2011-01-31 | Name : RedHat Update for openoffice.org and openoffice.org2 RHSA-2011:0181-01 File : nvt/gb_RHSA-2011_0181-01_openoffice.org_and_openoffice.org2.nasl |
2010-08-30 | Name : OpenOffice.org Buffer Overflow and Directory Traversal Vulnerabilities (Win) File : nvt/secpod_openoffice_mult_vuln_win.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
70718 | OpenOffice.org (OOo) Impress Crafted TGA File Handling Overflow OpenOffice.org is prone to an overflow condition. The Impress component fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted TGA file, a context-dependent attacker can potentially execute arbitrary code. |
70717 | OpenOffice.org (OOo) Impress Crafted PNG File Handling Overflow OpenOffice.org is prone to an overflow condition. The Impress component fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted PNG file, a context-dependent attacker can potentially execute arbitrary code. |
70716 | OpenOffice.org (OOo) soffice LD_LIBRARY_PATH Zero-length Directory Name Path ... OpenOffice.org is prone to a flaw in the way it handles a zero-length directory name in the LD_LIBRARY_PATH. The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source. |
70715 | OpenOffice.org (OOo) oowriter WW8DopTypography::ReadFromMem Function Crafted ... OpenOffice.org is prone to an overflow condition. The 'WW8DopTypography::ReadFromMem' function in oowriter fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With specially crafted typography information in a crafted .DOC file which triggers an out-of-bound write, a context-dependent attacker can potentially execute arbitrary code. |
70714 | OpenOffice.org (OOo) oowriter WW8ListManager::WW8ListManager Function Crafted... OpenOffice.org is prone to an overflow condition. The WW8ListManager::WW8ListManager function in oowriter fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted .DOC file containing certain WW8 data which triggers an out-of-bounds write, a context-dependent attacker can potentially execute arbitrary code. |
70713 | OpenOffice.org (OOo) oowriter RTF Document Crafted Tags Use-after-free Overflow OpenOffice.org is prone to an overflow condition. The suite tool, oowriter, fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted RTF file, a context-dependent attacker can potentially execute arbitrary code. |
70712 | OpenOffice.org (OOo) oowriter RTF Document Malformed Table Use-after-free Ove... OpenOffice.org is prone to an overflow condition. The suite tool, oowriter, fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted RTF document which triggers an out-of-bounds memory read, a context-dependent attacker can potentially execute arbitrary code. |
70711 | OpenOffice.org (OOo) Multiple File Type Traversal Arbitrary File Overwrite OpenOffice.org contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via an XSLT JAR filter description file, an Extension (.oxt) file, or possibly other JAR or ZIP files. This directory traversal attack would allow the attacker to overwrite arbitrary files. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-09-01 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-19.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_OpenOffice_org-110330.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0183.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_and_openoffice_org2_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2011-05-09 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0182.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_OpenOffice_org-110330.nasl - Type : ACT_GATHER_INFO |
2011-03-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libreoffice331-110318.nasl - Type : ACT_GATHER_INFO |
2011-03-21 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libreoffice331-7365.nasl - Type : ACT_GATHER_INFO |
2011-02-17 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0837.nasl - Type : ACT_GATHER_INFO |
2011-02-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-027.nasl - Type : ACT_GATHER_INFO |
2011-02-14 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f2b43905354511e08e810022190034c0.nasl - Type : ACT_GATHER_INFO |
2011-02-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
2011-02-03 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1056-1.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0182.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0183.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote Windows host has a program affected by multiple vulnerabilities. File : openoffice_33.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2151.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:42:04 |
|