Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Summary | |
|---|---|
| Title | OpenOffice.org vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | USN-1056-1 | First vendor Publication | 2011-02-02 |
| Vendor | Ubuntu | Last vendor Modification | 2011-02-02 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9.3 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: Ubuntu 9.10: Ubuntu 10.04 LTS: Ubuntu 10.10: In general, a standard system update will make all the necessary changes. Details follow: Charlie Miller discovered several heap overflows in PPT processing. If a user or automated system were tricked into opening a specially crafted PPT document, a remote attacker could execute arbitrary code with user privileges. Ubuntu 10.10 was not affected. (CVE-2010-2935, CVE-2010-2936) Marc Schoenefeld discovered that directory traversal was not correctly handled in XSLT, OXT, JAR, or ZIP files. If a user or automated system were tricked into opening a specially crafted document, a remote attacker overwrite arbitrary files, possibly leading to arbitrary code execution with user privileges. (CVE-2010-3450) Dan Rosenberg discovered multiple heap overflows in RTF and DOC processing. If a user or automated system were tricked into opening a specially crafted RTF or DOC document, a remote attacker could execute arbitrary code with user privileges. (CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454) Dmitri Gribenko discovered that OpenOffice.org did not correctly handle LD_LIBRARY_PATH in various tools. If a local attacker tricked a user or automated system into using OpenOffice.org from an attacker-controlled directory, they could execute arbitrary code with user privileges. (CVE-2010-3689) Marc Schoenefeld discovered that OpenOffice.org did not correctly process PNG images. If a user or automated system were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges. (CVE-2010-4253) It was discovered that OpenOffice.org did not correctly process TGA images. If a user or automated system were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges. (CVE-2010-4643) |
Original Source
| Url : http://www.ubuntu.com/usn/USN-1056-1 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 30 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
| 20 % | CWE-416 | Use After Free |
| 20 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
| 20 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
| 10 % | CWE-193 | Off-by-one Error |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:12063 | |||
| Oval ID: | oval:org.mitre.oval:def:12063 | ||
| Title: | Integer truncation error in OpenOffice.org version 3.2.1 | ||
| Description: | simpress.bin in the Impress module in OpenOffice.org (OOo) 2.x and 3.x before 3.3 does not properly handle integer values associated with dictionary property items, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PowerPoint document that triggers a heap-based buffer overflow, related to an "integer truncation error." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-2935 | Version: | 9 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 7 | Product(s): | OpenOffice.org |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:12144 | |||
| Oval ID: | oval:org.mitre.oval:def:12144 | ||
| Title: | Heap-based buffer overflow in OpenOffice.org version 3.2.1 | ||
| Description: | Integer overflow in simpress.bin in the Impress module in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted polygons in a PowerPoint document that triggers a heap-based buffer overflow. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-2936 | Version: | 9 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows Server 2008 | Product(s): | OpenOffice.org |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:12858 | |||
| Oval ID: | oval:org.mitre.oval:def:12858 | ||
| Title: | DSA-2151-1 openoffice.org -- several | ||
| Description: | Several security related problems have been discovered in the OpenOffice.org package that allows malformed documents to trick the system into crashes or even the execution of arbitrary code. CVE-2010-3450 During an internal security audit within Red Hat, a directory traversal vulnerability has been discovered in the way OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files. If a local user is tricked into opening a specially-crafted OOo XML filters package file, this problem could allow remote attackers to create or overwrite arbitrary files belonging to local user or, potentially, execute arbitrary code. CVE-2010-3451 During his work as a consultant at Virtual Security Research, Dan Rosenberg discovered a vulnerability in OpenOffice.org's RTF parsing functionality. Opening a maliciously crafted RTF document can caus an out-of-bounds memory read into previously allocated heap memory, which may lead to the execution of arbitrary code. CVE-2010-3452 Dan Rosenberg discovered a vulnerability in the RTF file parser which can be leveraged by attackers to achieve arbitrary code execution by convincing a victim to open a maliciously crafted RTF file. CVE-2010-3453 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8ListManager::WW8ListManager function of OpenOffice.org that allows a maliciously crafted file to cause the execution of arbitrary code. CVE-2010-3454 As part of his work with Virtual Security Research, Dan Rosenberg discovered a vulnerability in the WW8DopTypography::ReadFromMem function in OpenOffice.org that may be exploited by a maliciously crafted file which allowins an attacker to control program flow and potentially execute arbitrary code. CVE-2010-3689 Dmitri Gribenko discovered that the soffice script does not treat an empty LD_LIBRARY_PATH variable like an unset one, may lead to the execution of arbitrary code. CVE-2010-4253 A heap based buffer overflow has been discovered with unknown impact. CVE-2010-4643 A vulnerability has been discovered in the way OpenOffice.org handles TGA graphics which can be tricked by a specially crafted TGA file that could cause the program to crash due to a heap-based buffer overflow with unknown impact. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2151-1 CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | openoffice.org |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-07-30 | Name : CentOS Update for openoffice.org CESA-2011:0181 centos4 x86_64 File : nvt/gb_CESA-2011_0181_openoffice.org_centos4_x86_64.nasl |
| 2012-07-30 | Name : CentOS Update for openoffice.org-base CESA-2011:0182 centos5 x86_64 File : nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_x86_64.nasl |
| 2012-07-09 | Name : RedHat Update for openoffice.org RHSA-2011:0183-01 File : nvt/gb_RHSA-2011_0183-01_openoffice.org.nasl |
| 2011-08-09 | Name : CentOS Update for openoffice.org-base CESA-2011:0182 centos5 i386 File : nvt/gb_CESA-2011_0182_openoffice.org-base_centos5_i386.nasl |
| 2011-03-07 | Name : Debian Security Advisory DSA 2151-1 (openoffice.org) File : nvt/deb_2151_1.nasl |
| 2011-03-05 | Name : FreeBSD Ports: openoffice.org File : nvt/freebsd_openoffice.org0.nasl |
| 2011-02-18 | Name : Fedora Update for openoffice.org FEDORA-2011-0837 File : nvt/gb_fedora_2011_0837_openoffice.org_fc13.nasl |
| 2011-02-16 | Name : Mandriva Update for openoffice.org MDVSA-2011:027 (openoffice.org) File : nvt/gb_mandriva_MDVSA_2011_027.nasl |
| 2011-02-11 | Name : CentOS Update for openoffice.org CESA-2011:0181 centos4 i386 File : nvt/gb_CESA-2011_0181_openoffice.org_centos4_i386.nasl |
| 2011-02-05 | Name : OpenOffice.org 'soffice' Directory Traversal Vulnerability (Win) File : nvt/secpod_openoffice_soffice_dir_traversal_vuln_win.nasl |
| 2011-02-04 | Name : Ubuntu Update for openoffice.org vulnerabilities USN-1056-1 File : nvt/gb_ubuntu_USN_1056_1.nasl |
| 2011-01-31 | Name : RedHat Update for openoffice.org and openoffice.org2 RHSA-2011:0181-01 File : nvt/gb_RHSA-2011_0181-01_openoffice.org_and_openoffice.org2.nasl |
| 2010-11-16 | Name : Mandriva Update for openoffice.org MDVSA-2010:221 (openoffice.org) File : nvt/gb_mandriva_MDVSA_2010_221.nasl |
| 2010-10-10 | Name : Debian Security Advisory DSA 2099-1 (openoffice.org) File : nvt/deb_2099_1.nasl |
| 2010-08-30 | Name : RedHat Update for openoffice.org RHSA-2010:0643-01 File : nvt/gb_RHSA-2010_0643-01_openoffice.org.nasl |
| 2010-08-30 | Name : CentOS Update for openoffice.org CESA-2010:0643 centos4 i386 File : nvt/gb_CESA-2010_0643_openoffice.org_centos4_i386.nasl |
| 2010-08-30 | Name : CentOS Update for openoffice.org CESA-2010:0643 centos3 i386 File : nvt/gb_CESA-2010_0643_openoffice.org_centos3_i386.nasl |
| 2010-08-30 | Name : OpenOffice.org Buffer Overflow and Directory Traversal Vulnerabilities (Win) File : nvt/secpod_openoffice_mult_vuln_win.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 70718 | OpenOffice.org (OOo) Impress Crafted TGA File Handling Overflow OpenOffice.org is prone to an overflow condition. The Impress component fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted TGA file, a context-dependent attacker can potentially execute arbitrary code. |
| 70717 | OpenOffice.org (OOo) Impress Crafted PNG File Handling Overflow OpenOffice.org is prone to an overflow condition. The Impress component fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted PNG file, a context-dependent attacker can potentially execute arbitrary code. |
| 70716 | OpenOffice.org (OOo) soffice LD_LIBRARY_PATH Zero-length Directory Name Path ... OpenOffice.org is prone to a flaw in the way it handles a a zero-length directory name in the LD_LIBRARY_PATH. The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source. |
| 70715 | OpenOffice.org (OOo) oowriter WW8DopTypography::ReadFromMem Function Crafted ... OpenOffice.org is prone to an overflow condition. The 'WW8DopTypography::ReadFromMem' function in oowriter fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With specially crafted typography information in a crafted .DOC file which triggers an out-of-bound write, a context-dependent attacker can potentially execute arbitrary code. |
| 70714 | OpenOffice.org (OOo) oowriter WW8ListManager::WW8ListManager Function Crafted... OpenOffice.org is prone to an overflow condition. The WW8ListManager::WW8ListManager function in oowriter fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted .DOC file containing certain WW8 data which triggers an out-of-bounds write, a context-dependent attacker can potentially execute arbitrary code. |
| 70713 | OpenOffice.org (OOo) oowriter RTF Document Crafted Tags Use-after-free Overflow OpenOffice.org is prone to an overflow condition. The suite tool, oowriter, fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted RTF file, a context-dependent attacker can potentially execute arbitrary code. |
| 70712 | OpenOffice.org (OOo) oowriter RTF Document Malformed Table Use-after-free Ove... OpenOffice.org is prone to an overflow condition. The suite tool, oowriter, fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted RTF document which triggers an out-of-bounds memory read, a context-dependent attacker can potentially execute arbitrary code. |
| 70711 | OpenOffice.org (OOo) Multiple File Type Traversal Arbitrary File Overwrite OpenOffice.org contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via an XSLT JAR filter description file, an Extension (.oxt) file, or possibly other JAR or ZIP files. This directory traversal attack would allow the attacker to overwrite arbitrary files. |
| 67041 | OpenOffice.org (OOo) Impress Multiple Unspecified Overflows |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2014-09-01 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-19.nasl - Type : ACT_GATHER_INFO |
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_OpenOffice_org-draw-100906.nasl - Type : ACT_GATHER_INFO |
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_OpenOffice_org-110330.nasl - Type : ACT_GATHER_INFO |
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0183.nasl - Type : ACT_GATHER_INFO |
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0643.nasl - Type : ACT_GATHER_INFO |
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100823_openoffice_org2_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110128_openoffice_org_and_openoffice_org2_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100823_openoffice_org_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100823_openoffice_org_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
| 2011-05-09 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0182.nasl - Type : ACT_GATHER_INFO |
| 2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_OpenOffice_org-110330.nasl - Type : ACT_GATHER_INFO |
| 2011-03-21 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libreoffice331-7365.nasl - Type : ACT_GATHER_INFO |
| 2011-03-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libreoffice331-110318.nasl - Type : ACT_GATHER_INFO |
| 2011-02-17 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0837.nasl - Type : ACT_GATHER_INFO |
| 2011-02-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-027.nasl - Type : ACT_GATHER_INFO |
| 2011-02-14 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f2b43905354511e08e810022190034c0.nasl - Type : ACT_GATHER_INFO |
| 2011-02-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
| 2011-02-03 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1056-1.nasl - Type : ACT_GATHER_INFO |
| 2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0183.nasl - Type : ACT_GATHER_INFO |
| 2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0182.nasl - Type : ACT_GATHER_INFO |
| 2011-01-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0181.nasl - Type : ACT_GATHER_INFO |
| 2011-01-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2151.nasl - Type : ACT_GATHER_INFO |
| 2011-01-27 | Name : The remote Windows host has a program affected by multiple vulnerabilities. File : openoffice_33.nasl - Type : ACT_GATHER_INFO |
| 2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_OpenOffice_org-7148.nasl - Type : ACT_GATHER_INFO |
| 2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_OpenOffice_org-100907.nasl - Type : ACT_GATHER_INFO |
| 2010-11-07 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-221.nasl - Type : ACT_GATHER_INFO |
| 2010-10-18 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_OpenOffice_org-draw-100906.nasl - Type : ACT_GATHER_INFO |
| 2010-10-18 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_OpenOffice_org-draw-100906.nasl - Type : ACT_GATHER_INFO |
| 2010-08-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2099.nasl - Type : ACT_GATHER_INFO |
| 2010-08-26 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0643.nasl - Type : ACT_GATHER_INFO |
| 2010-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0643.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:58:15 |
|
