Executive Summary
Summary | |
---|---|
Title | openoffice.org security update |
Informations | |||
---|---|---|---|
Name | RHSA-2011:0182 | First vendor Publication | 2011-01-28 |
Vendor | RedHat | Last vendor Modification | 2011-01-28 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated openoffice.org packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. An array index error and an integer signedness error were found in the way OpenOffice.org parsed certain Rich Text Format (RTF) files. An attacker could use these flaws to create a specially-crafted RTF file that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-3451, CVE-2010-3452) A heap-based buffer overflow flaw and an array index error were found in the way OpenOffice.org parsed certain Microsoft Office Word documents. An attacker could use these flaws to create a specially-crafted Microsoft Office Word document that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-3453, CVE-2010-3454) A heap-based buffer overflow flaw was found in the way OpenOffice.org parsed certain Microsoft Office PowerPoint files. An attacker could use this flaw to create a specially-crafted Microsoft Office PowerPoint file that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-4253) A heap-based buffer overflow flaw was found in the way OpenOffice.org parsed certain TARGA (Truevision TGA) files. An attacker could use this flaw to create a specially-crafted TARGA file. If a document containing this specially-crafted TARGA file was opened, or if a user tried to insert the file into an existing document, it would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-4643) A directory traversal flaw was found in the way OpenOffice.org handled the installation of XSLT filter descriptions packaged in Java Archive (JAR) files, as well as the installation of OpenOffice.org Extension (.oxt) files. An attacker could use these flaws to create a specially-crafted XSLT filter description or extension file that, when opened, would cause the OpenOffice.org Extension Manager to modify files accessible to the user installing the JAR or extension file. (CVE-2010-3450) A flaw was found in the script that launches OpenOffice.org. In some situations, a "." character could be included in the LD_LIBRARY_PATH variable, allowing a local attacker to execute arbitrary code with the privileges of the user running OpenOffice.org, if that user ran OpenOffice.org from within an attacker-controlled directory. (CVE-2010-3689) Red Hat would like to thank OpenOffice.org for reporting the CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454, and CVE-2010-4643 issues; and Dmitri Gribenko for reporting the CVE-2010-3689 issue. Upstream acknowledges Dan Rosenberg of Virtual Security Research as the original reporter of the CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 issues. All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of OpenOffice.org applications must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 602324 - CVE-2010-3450 OpenOffice.org: directory traversal flaws in handling of XSLT jar filter descriptions and OXT extension files 640241 - CVE-2010-3452 OpenOffice.org: Integer signedness error (crash) by processing certain RTF tags 640950 - CVE-2010-3453 OpenOffice.org: Heap-based buffer overflow by processing *.doc files with WW8 list styles with specially-crafted count of list levels 640954 - CVE-2010-3454 OpenOffice.org: Array index error by scanning document typography information of certain *.doc files 641224 - CVE-2010-3689 OpenOffice.org: soffice insecure LD_LIBRARY_PATH setting 641282 - CVE-2010-3451 OpenOffice.org: Array index error by insecure parsing of broken rtf tables 658259 - CVE-2010-4253 OpenOffice.org: heap based buffer overflow in PPT import 667588 - CVE-2010-4643 OpenOffice.org: heap based buffer overflow when parsing TGA files |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2011-0182.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
38 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
25 % | CWE-416 | Use After Free |
25 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
12 % | CWE-193 | Off-by-one Error |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12858 | |||
Oval ID: | oval:org.mitre.oval:def:12858 | ||
Title: | DSA-2151-1 openoffice.org -- several | ||
Description: | Several security related problems have been discovered in the OpenOffice.org package that allows malformed documents to trick the system into crashes or even the execution of arbitrary code. CVE-2010-3450 During an internal security audit within Red Hat, a directory traversal vulnerability has been discovered in the way OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files. If a local user is tricked into opening a specially-crafted OOo XML filters package file, this problem could allow remote attackers to create or overwrite arbitrary files belonging to local user or, potentially, execute arbitrary code. CVE-2010-3451 During his work as a consultant at Virtual Security Research, Dan Rosenberg discovered a vulnerability in OpenOffice.org's RTF parsing functionality. Opening a maliciously crafted RTF document can caus an out-of-bounds memory read into previously allocated heap memory, which may lead to the execution of arbitrary code. CVE-2010-3452 Dan Rosenberg discovered a vulnerability in the RTF file parser which can be leveraged by attackers to achieve arbitrary code execution by convincing a victim to open a maliciously crafted RTF file. CVE-2010-3453 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8ListManager::WW8ListManager function of OpenOffice.org that allows a maliciously crafted file to cause the execution of arbitrary code. CVE-2010-3454 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8DopTypography::ReadFromMem function in OpenOffice.org that may be exploited by a maliciously crafted file which allowins an attacker to control program flow and potentially execute arbitrary code. CVE-2010-3689 Dmitri Gribenko discovered that the soffice script does not treat an empty LD_LIBRARY_PATH variable like an unset one, may lead to the execution of arbitrary code. CVE-2010-4253 A heap based buffer overflow has been discovered with unknown impact. CVE-2010-4643 A vulnerability has been discovered in the way OpenOffice.org handles TGA graphics which can be tricked by a specially crafted TGA file that could cause the program to crash due to a heap-based buffer overflow with unknown impact. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2151-1 CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | openoffice.org |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for openoffice.org CESA-2011:0181 centos4 x86_64 File : nvt/gb_CESA-2011_0181_openoffice.org_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for openoffice.org-base CESA-2011:0182 centos5 x86_64 File : nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_x86_64.nasl |
2012-07-09 | Name : RedHat Update for openoffice.org RHSA-2011:0183-01 File : nvt/gb_RHSA-2011_0183-01_openoffice.org.nasl |
2011-08-09 | Name : CentOS Update for openoffice.org-base CESA-2011:0182 centos5 i386 File : nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_i386.nasl |
2011-03-07 | Name : Debian Security Advisory DSA 2151-1 (openoffice.org) File : nvt/deb_2151_1.nasl |
2011-03-05 | Name : FreeBSD Ports: openoffice.org File : nvt/freebsd_openoffice.org0.nasl |
2011-02-18 | Name : Fedora Update for openoffice.org FEDORA-2011-0837 File : nvt/gb_fedora_2011_0837_openoffice.org_fc13.nasl |
2011-02-16 | Name : Mandriva Update for openoffice.org MDVSA-2011:027 (openoffice.org) File : nvt/gb_mandriva_MDVSA_2011_027.nasl |
2011-02-11 | Name : CentOS Update for openoffice.org CESA-2011:0181 centos4 i386 File : nvt/gb_CESA-2011_0181_openoffice.org_centos4_i386.nasl |
2011-02-05 | Name : OpenOffice.org 'soffice' Directory Traversal Vulnerability (Win) File : nvt/secpod_openoffice_soffice_dir_traversal_vuln_win.nasl |
2011-02-04 | Name : Ubuntu Update for openoffice.org vulnerabilities USN-1056-1 File : nvt/gb_ubuntu_USN_1056_1.nasl |
2011-01-31 | Name : RedHat Update for openoffice.org and openoffice.org2 RHSA-2011:0181-01 File : nvt/gb_RHSA-2011_0181-01_openoffice.org_and_openoffice.org2.nasl |
2010-08-30 | Name : OpenOffice.org Buffer Overflow and Directory Traversal Vulnerabilities (Win) File : nvt/secpod_openoffice_mult_vuln_win.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
70718 | OpenOffice.org (OOo) Impress Crafted TGA File Handling Overflow OpenOffice.org is prone to an overflow condition. The Impress component fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted TGA file, a context-dependent attacker can potentially execute arbitrary code. |
70717 | OpenOffice.org (OOo) Impress Crafted PNG File Handling Overflow OpenOffice.org is prone to an overflow condition. The Impress component fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted PNG file, a context-dependent attacker can potentially execute arbitrary code. |
70716 | OpenOffice.org (OOo) soffice LD_LIBRARY_PATH Zero-length Directory Name Path ... OpenOffice.org is prone to a flaw in the way it handles a a zero-length directory name in the LD_LIBRARY_PATH. The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source. |
70715 | OpenOffice.org (OOo) oowriter WW8DopTypography::ReadFromMem Function Crafted ... OpenOffice.org is prone to an overflow condition. The 'WW8DopTypography::ReadFromMem' function in oowriter fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With specially crafted typography information in a crafted .DOC file which triggers an out-of-bound write, a context-dependent attacker can potentially execute arbitrary code. |
70714 | OpenOffice.org (OOo) oowriter WW8ListManager::WW8ListManager Function Crafted... OpenOffice.org is prone to an overflow condition. The WW8ListManager::WW8ListManager function in oowriter fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted .DOC file containing certain WW8 data which triggers an out-of-bounds write, a context-dependent attacker can potentially execute arbitrary code. |
70713 | OpenOffice.org (OOo) oowriter RTF Document Crafted Tags Use-after-free Overflow OpenOffice.org is prone to an overflow condition. The suite tool, oowriter, fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted RTF file, a context-dependent attacker can potentially execute arbitrary code. |
70712 | OpenOffice.org (OOo) oowriter RTF Document Malformed Table Use-after-free Ove... OpenOffice.org is prone to an overflow condition. The suite tool, oowriter, fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted RTF document which triggers an out-of-bounds memory read, a context-dependent attacker can potentially execute arbitrary code. |
70711 | OpenOffice.org (OOo) Multiple File Type Traversal Arbitrary File Overwrite OpenOffice.org contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via an XSLT JAR filter description file, an Extension (.oxt) file, or possibly other JAR or ZIP files. This directory traversal attack would allow the attacker to overwrite arbitrary files. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-09-01 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-19.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_OpenOffice_org-110330.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0183.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_and_openoffice_org2_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2011-05-09 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0182.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_OpenOffice_org-110330.nasl - Type : ACT_GATHER_INFO |
2011-03-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libreoffice331-110318.nasl - Type : ACT_GATHER_INFO |
2011-03-21 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libreoffice331-7365.nasl - Type : ACT_GATHER_INFO |
2011-02-17 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0837.nasl - Type : ACT_GATHER_INFO |
2011-02-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-027.nasl - Type : ACT_GATHER_INFO |
2011-02-14 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f2b43905354511e08e810022190034c0.nasl - Type : ACT_GATHER_INFO |
2011-02-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
2011-02-03 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1056-1.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0182.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0183.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote Windows host has a program affected by multiple vulnerabilities. File : openoffice_33.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2151.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:54:18 |
|