Executive Summary

Information
Name : MDVSA-2011:027
First vendor Publication : 2011-02-14
Vendor : Mandriva
Last vendor Modification : 2011-02-14
Severity (Vendor) : N/A
Revision : N/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score : 9.3
Cvss Impact Score : 10
Cvss Exploit Score : 8.6
Attack Range : Network
Attack Complexity : Medium
Authentication : None Required

Detail

Multiple vulnerabilities were discovered and corrected in OpenOffice.org:

Multiple directory traversal vulnerabilities allow remote attackers to overwrite arbitrary files via a .. (dot dot) in an entry in an XSLT JAR filter description file, an Extension (aka OXT) file, or unspecified other JAR or ZIP files (CVE-2010-3450).

Use-after-free vulnerability in oowriter allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via malformed tables in an RTF document (CVE-2010-3451).

Use-after-free vulnerability in oowriter allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted tags in an RTF document (CVE-2010-3452).

The WW8ListManager::WW8ListManager function in oowriter does not properly handle an unspecified number of list levels in user-defined list styles in WW8 data in a Microsoft Word document, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted .DOC file that triggers an out-of-bounds write (CVE-2010-3453).

Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in oowriter allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted typography information in a Microsoft Word .DOC file that triggers an out-of-bounds write (CVE-2010-3454).

soffice places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory (CVE-2010-3689).

Heap-based buffer overflow in Impress allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file in an ODF or Microsoft Office document, as demonstrated by a PowerPoint (aka PPT) document (CVE-2010-4253).

Heap-based buffer overflow in Impress allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TGA file in an ODF or Microsoft Office document (CVE-2010-4643).

OpenOffice.org packages have been updated to fix these issues. Additionally, openoffice.org-voikko packages that require OpenOffice.org are also being provided, and the voikko package is upgraded from version 2.0 to 2.2.1 in MES5.1.
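For the LD_LIBRARY_PATH issue above (CVE-2010-3689), the following added example, which is not part of the advisory and not soffice's own script, shows how a launcher can detect and avoid a zero-length path element. It assumes the empty element comes from prepending a directory to an unset variable; the paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory). Paths are constructed placeholders.

# Return 0 if a colon-separated search path has a zero-length element
# (leading ':', trailing ':' or '::'). The dynamic loader resolves such an
# element to the current working directory.
has_empty_element() {
    case "$1" in
        "") return 1 ;;            # empty value: no elements at all
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Risky prepend: if the old value ($2) is empty, the result ends in ':'.
prepend_unsafe() { printf '%s' "$1:$2"; }

# Hardened prepend: the ':' separator is emitted only when $2 is non-empty.
prepend_safe() { printf '%s' "$1${2:+:$2}"; }

# Drop every zero-length element from an inherited path value.
# The function body is a subshell so IFS and 'set -f' do not leak out.
strip_empty_elements() (
    IFS=:
    set -f
    out=
    for e in $1; do
        if [ -n "$e" ]; then out="${out:+$out:}$e"; fi
    done
    printf '%s' "$out"
)

# Audit helper for a launcher: report when the effective value is unsafe.
audit_path() {
    if has_empty_element "$1"; then
        printf 'UNSAFE: "%s" -> "%s"\n' "$1" "$(strip_empty_elements "$1")"
    else
        printf 'ok: "%s"\n' "$1"
    fi
}

audit_path "$(prepend_unsafe /opt/example/program "")"
audit_path "$(prepend_safe /opt/example/program "")"
audit_path ":/usr/lib::/opt/example/program"
```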

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2011:027

CWE : Common Weakness Enumeration

id : Name
CWE-119 : Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-399 : Resource Management Errors
CWE-264 : Permissions, Privileges, and Access Controls
CWE-189 : Numeric Errors
CWE-22 : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:21625
Title: RHSA-2011:0183: openoffice.org security and bug fix update (Important)
Description: Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file in an ODF or Microsoft Office document.
Family: unix Class: patch
Reference(s): RHSA-2011:0183-01
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 107
Platform(s): Red Hat Enterprise Linux 6
Product(s): openoffice.org
 
Oval ID: oval:org.mitre.oval:def:21381
Title: RHSA-2011:0182: openoffice.org security update (Important)
Description: Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file in an ODF or Microsoft Office document.
Family: unix Class: patch
Reference(s): RHSA-2011:0182-01
CESA-2011:0182
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 107
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): openoffice.org
 
Oval ID: oval:org.mitre.oval:def:23509
Title: ELSA-2011:0183: openoffice.org security and bug fix update (Important)
Description: Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file in an ODF or Microsoft Office document.
Family: unix Class: patch
Reference(s): ELSA-2011:0183-01
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 34
Platform(s): Oracle Linux 6
Product(s):
 
Oval ID: oval:org.mitre.oval:def:23069
Title: ELSA-2011:0182: openoffice.org security update (Important)
Description: Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file in an ODF or Microsoft Office document.
Family: unix Class: patch
Reference(s): ELSA-2011:0182-01
CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
Version: 34
Platform(s): Oracle Linux 5
Product(s):

CPE : Common Platform Enumeration

Type : Application
Count : 18

OpenVAS Exploits

Date : Description
2012-07-30 Name : CentOS Update for openoffice.org CESA-2011:0181 centos4 x86_64
File : nvt/gb_CESA-2011_0181_openoffice.org_centos4_x86_64.nasl
2012-07-30 Name : CentOS Update for openoffice.org-base CESA-2011:0182 centos5 x86_64
File : nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_x86_64.nasl
2012-07-09 Name : RedHat Update for openoffice.org RHSA-2011:0183-01
File : nvt/gb_RHSA-2011_0183-01_openoffice.org.nasl
2011-08-09 Name : CentOS Update for openoffice.org-base CESA-2011:0182 centos5 i386
File : nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_i386.nasl
2011-03-07 Name : Debian Security Advisory DSA 2151-1 (openoffice.org)
File : nvt/deb_2151_1.nasl
2011-03-05 Name : FreeBSD Ports: openoffice.org
File : nvt/freebsd_openoffice.org0.nasl
2011-02-18 Name : Fedora Update for openoffice.org FEDORA-2011-0837
File : nvt/gb_fedora_2011_0837_openoffice.org_fc13.nasl
2011-02-16 Name : Mandriva Update for openoffice.org MDVSA-2011:027 (openoffice.org)
File : nvt/gb_mandriva_MDVSA_2011_027.nasl
2011-02-11 Name : CentOS Update for openoffice.org CESA-2011:0181 centos4 i386
File : nvt/gb_CESA-2011_0181_openoffice.org_centos4_i386.nasl
2011-02-05 Name : OpenOffice.org 'soffice' Directory Traversal Vulnerability (Win)
File : nvt/secpod_openoffice_soffice_dir_traversal_vuln_win.nasl
2011-02-04 Name : Ubuntu Update for openoffice.org vulnerabilities USN-1056-1
File : nvt/gb_ubuntu_USN_1056_1.nasl
2011-01-31 Name : RedHat Update for openoffice.org and openoffice.org2 RHSA-2011:0181-01
File : nvt/gb_RHSA-2011_0181-01_openoffice.org_and_openoffice.org2.nasl
2010-08-30 Name : OpenOffice.org Buffer Overflow and Directory Traversal Vulnerabilities (Win)
File : nvt/secpod_openoffice_mult_vuln_win.nasl

Open Source Vulnerability Database (OSVDB)

id : Description
70718 : OpenOffice.org (OOo) Impress Crafted TGA File Handling Overflow
70717 : OpenOffice.org (OOo) Impress Crafted PNG File Handling Overflow
70716 : OpenOffice.org (OOo) soffice LD_LIBRARY_PATH Zero-length Directory Name Path ...
70715 : OpenOffice.org (OOo) oowriter WW8DopTypography::ReadFromMem Function Crafted ...
70714 : OpenOffice.org (OOo) oowriter WW8ListManager::WW8ListManager Function Crafted...
70713 : OpenOffice.org (OOo) oowriter RTF Document Crafted Tags Use-after-free Overflow
70712 : OpenOffice.org (OOo) oowriter RTF Document Malformed Table Use-after-free Ove...
70711 : OpenOffice.org (OOo) Multiple File Type Traversal Arbitrary File Overwrite

Nessus® Vulnerability Scanner

Date : Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-0181.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-0183.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110128_openoffice_org_and_openoffice_org2_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110128_openoffice_org_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110128_openoffice_org_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2011-05-09 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-0182.nasl - Type : ACT_GATHER_INFO
2011-05-05 Name : The remote SuSE system is missing a security patch for OpenOffice_org
File : suse_11_2_OpenOffice_org-110330.nasl - Type : ACT_GATHER_INFO
2011-03-21 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_libreoffice331-7365.nasl - Type : ACT_GATHER_INFO
2011-03-21 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libreoffice331-110318.nasl - Type : ACT_GATHER_INFO
2011-02-17 Name : The remote Fedora host is missing a security update.
File : fedora_2011-0837.nasl - Type : ACT_GATHER_INFO
2011-02-15 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-027.nasl - Type : ACT_GATHER_INFO
2011-02-14 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_f2b43905354511e08e810022190034c0.nasl - Type : ACT_GATHER_INFO
2011-02-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-0181.nasl - Type : ACT_GATHER_INFO
2011-02-03 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1056-1.nasl - Type : ACT_GATHER_INFO
2011-01-31 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0181.nasl - Type : ACT_GATHER_INFO
2011-01-31 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0182.nasl - Type : ACT_GATHER_INFO
2011-01-31 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0183.nasl - Type : ACT_GATHER_INFO
2011-01-27 Name : The remote Windows host has a program affected by multiple vulnerabilities.
File : openoffice_33.nasl - Type : ACT_GATHER_INFO
2011-01-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2151.nasl - Type : ACT_GATHER_INFO

Alert History

Date : Information
2014-02-17 11:42:04 : Multiple Updates