9.3 - MDVSA-2008:056

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Updated gnumeric packages fix vulnerability

Informations
Name	MDVSA-2008:056	First vendor Publication	2008-02-29
Vendor	Mandriva	Last vendor Modification	2008-02-29
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability was found in the excel_read_HLINK function in the Microsoft Excel plugin in Gnumeric prior to version 1.8.1 that would allow for the execution of arbitrary code via a crafted XLS file containing XLS HLINK opcodes.

The updated packages have been patched to correct this issues.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2008:056

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-189	Numeric Errors (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:17671

Oval ID:	oval:org.mitre.oval:def:17671
Title:	USN-604-1 -- gnumeric vulnerability
Description:	Thilo Pfennig and Morten Welinder discovered that the XLS spreadsheet handling code in Gnumeric did not correctly calculate needed memory sizes.
Family:	unix	Class:	patch
Reference(s):	USN-604-1 CVE-2008-0668	Version:	7
Platform(s):	Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10	Product(s):	gnumeric
Definition Synopsis:
Release section Ubuntu 6.06 is installed AND gnumeric DPKG is earlier than 1.6.3-0ubuntu4.1 AND Release section Ubuntu 6.10 is installed AND gnumeric DPKG is earlier than 1.7.0-1ubuntu4.1 AND Release section Ubuntu 7.04 is installed AND gnumeric DPKG is earlier than 1.7.8-0ubuntu1.1 AND Release section Ubuntu 7.10 is installed AND gnumeric DPKG is earlier than 1.7.11-1ubuntu3.1

Definition Id: oval:org.mitre.oval:def:20233

Oval ID:	oval:org.mitre.oval:def:20233
Title:	DSA-1546-1 gnumeric
Description:	Thilo Pfennig and Morten Welinder discovered several integer overflow weaknesses in Gnumeric, a GNOME spreadsheet application. These vulnerabilities could result in the execution of arbitrary code through the opening of a maliciously crafted Excel spreadsheet.
Family:	unix	Class:	patch
Reference(s):	DSA-1546-1 CVE-2008-0668	Version:	5
Platform(s):	Debian GNU/Linux 4.0	Product(s):	gnumeric
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. AND gnumeric DPKG is earlier than 0:1.6.3-5.1+etch1

Definition Id: oval:org.mitre.oval:def:8059

Oval ID:	oval:org.mitre.oval:def:8059
Title:	DSA-1546 gnumeric -- integer overflow
Description:	Thilo Pfennig and Morten Welinder discovered several integer overflow weaknesses in Gnumeric, a GNOME spreadsheet application. These vulnerabilities could result in the execution of arbitrary code through the opening of a maliciously crafted Excel spreadsheet.
Family:	unix	Class:	patch
Reference(s):	DSA-1546 CVE-2008-0668	Version:	3
Platform(s):	Debian GNU/Linux 4.0	Product(s):	gnumeric
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. Architecture section Architecture independent section Installed architecture is all AND Packages section gnumeric-common is earlier than 1.6.3-5.1+etch1 AND gnumeric-doc is earlier than 1.6.3-5.1+etch1 AND gnumeric is earlier than 1.6.3-5.1+etch1 AND gnumeric-plugins-extra is earlier than 1.6.3-5.1+etch1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Gnome Gnumeric cpe:2.3:a:gnome:gnumeric:1.7.91:::::::* cpe:2.3:a:gnome:gnumeric::::::::	2

OpenVAS Exploits

Date	Description
2009-04-09	Name : Mandriva Update for gnumeric MDVSA-2008:056 (gnumeric) File : nvt/gb_mandriva_MDVSA_2008_056.nasl
2009-03-23	Name : Ubuntu Update for gnumeric vulnerability USN-604-1 File : nvt/gb_ubuntu_USN_604_1.nasl
2009-02-16	Name : Fedora Update for gnumeric FEDORA-2008-1313 File : nvt/gb_fedora_2008_1313_gnumeric_fc7.nasl
2009-02-16	Name : Fedora Update for gnumeric FEDORA-2008-1403 File : nvt/gb_fedora_2008_1403_gnumeric_fc8.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200802-05 (gnumeric) File : nvt/glsa_200802_05.nasl
2008-04-21	Name : Debian Security Advisory DSA 1546-1 (gnumeric) File : nvt/deb_1546_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
42835	Gnumeric plugins/excel/ms-excel-read.c excel_read_HLINK Function XLS HLINK Op...

Nessus® Vulnerability Scanner

Date	Description
2009-04-23	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-056.nasl - Type : ACT_GATHER_INFO
2008-07-23	Name : The remote openSUSE host is missing a security update. File : suse_gnumeric-5393.nasl - Type : ACT_GATHER_INFO
2008-04-25	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-604-1.nasl - Type : ACT_GATHER_INFO
2008-04-17	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1546.nasl - Type : ACT_GATHER_INFO
2008-02-14	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200802-05.nasl - Type : ACT_GATHER_INFO
2008-02-11	Name : The remote Fedora host is missing a security update. File : fedora_2008-1313.nasl - Type : ACT_GATHER_INFO
2008-02-11	Name : The remote Fedora host is missing a security update. File : fedora_2008-1403.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:39:15	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	3
CPE ID(s)	2
osvdb(s)	1
Openvas Exploit(s)	6
Nessus® Exploit(s)	7

	Related
9.3	CVE-2008-0668
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)