__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN OpenOffice.org Buffer Overflow Vulnerability [Red Hat Security Advisory RHSA-2005:375-07] April 26, 2005 18:00 GMT Number P-192 [REVISED 09 May 2005] ______________________________________________________________________________ PROBLEM: A security vulnerability was discovered in OpenOffice.org DOC file processor. OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. PLATFORM: Red Hat Desktop (v. 3 and v. 4) Red Hat Enterprise Linux AS, ES, WS (v. 3 and v. 4) SGI ProPack 3 Service Pack 5 for SGI Altix family of systems DAMAGE: An attacker could create a carefully crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. SOLUTION: Apply available security updates. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. An attacker could create a carefully ASSESSMENT: crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/p-192.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2005-375.html ADDITIONAL LINK: SGI Security Advisory Number 20050501-01-U ftp://patches.sgi.com/support/free/security/advisories/20050501-01-U.asc CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2005-0941 ______________________________________________________________________________ REVISION HISTORY 05/09/2005 - added a link to SGI Security Advisory 20050501-01-U that provides updated SGI ProPack 3 Service Pack 5 RPMs. [***** Start Red Hat Security Advisory RHSA-2005:375-07 *****] Important: openoffice.org security update Advisory: RHSA-2005:375-07 Type: Security Advisory Issued on: 2005-04-25 Last updated on: 2005-04-25 Affected Products: Red Hat Desktop (v. 3) Red Hat Desktop (v. 4) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) Red Hat Enterprise Linux WS (v. 3) Red Hat Enterprise Linux WS (v. 4) CVEs (cve.mitre.org): CAN-2005-0941 Details Updated openoffice.org packages are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A heap based buffer overflow bug was found in the OpenOffice.org DOC file processor. An attacker could create a carefully crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0941 to this issue. All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Solution Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ Updated packages Red Hat Desktop (v. 3) SRPMS: openoffice.org-1.1.2-24.2.0.EL3.src.rpm 28b62078a887294f683d0ef33c4fb7d8 IA-32: openoffice.org-1.1.2-24.2.0.EL3.i386.rpm 3fb7f2cc17fdbac1690731032438fa2a openoffice.org-i18n-1.1.2-24.2.0.EL3.i386.rpm 2e5336c39975c611ffa23145d9985dbb openoffice.org-libs-1.1.2-24.2.0.EL3.i386.rpm afa55ff288e8fa052fada08cc0a56235 x86_64: openoffice.org-1.1.2-24.2.0.EL3.i386.rpm 3fb7f2cc17fdbac1690731032438fa2a openoffice.org-i18n-1.1.2-24.2.0.EL3.i386.rpm 2e5336c39975c611ffa23145d9985dbb openoffice.org-libs-1.1.2-24.2.0.EL3.i386.rpm afa55ff288e8fa052fada08cc0a56235 Red Hat Desktop (v. 4) SRPMS: openoffice.org-1.1.2-24.6.0.EL4.src.rpm 782df44227035bdae27f4d5b82548244 IA-32: openoffice.org-1.1.2-24.6.0.EL4.i386.rpm 700fc3a6036a9206f31bd7d9ac7db80c openoffice.org-i18n-1.1.2-24.6.0.EL4.i386.rpm 9dc5d0f31383ea144f216c7bfe18efa2 openoffice.org-kde-1.1.2-24.6.0.EL4.i386.rpm 93e50067e6aa036fb4356846b61d730e openoffice.org-libs-1.1.2-24.6.0.EL4.i386.rpm fb4760c12f39bdea783d35ddecdf7ff7 x86_64: openoffice.org-1.1.2-24.6.0.EL4.i386.rpm 700fc3a6036a9206f31bd7d9ac7db80c openoffice.org-i18n-1.1.2-24.6.0.EL4.i386.rpm 9dc5d0f31383ea144f216c7bfe18efa2 openoffice.org-libs-1.1.2-24.6.0.EL4.i386.rpm fb4760c12f39bdea783d35ddecdf7ff7 Red Hat Enterprise Linux AS (v. 3) SRPMS: openoffice.org-1.1.2-24.2.0.EL3.src.rpm 28b62078a887294f683d0ef33c4fb7d8 IA-32: openoffice.org-1.1.2-24.2.0.EL3.i386.rpm 3fb7f2cc17fdbac1690731032438fa2a openoffice.org-i18n-1.1.2-24.2.0.EL3.i386.rpm 2e5336c39975c611ffa23145d9985dbb openoffice.org-libs-1.1.2-24.2.0.EL3.i386.rpm afa55ff288e8fa052fada08cc0a56235 x86_64: openoffice.org-1.1.2-24.2.0.EL3.i386.rpm 3fb7f2cc17fdbac1690731032438fa2a openoffice.org-i18n-1.1.2-24.2.0.EL3.i386.rpm 2e5336c39975c611ffa23145d9985dbb openoffice.org-libs-1.1.2-24.2.0.EL3.i386.rpm afa55ff288e8fa052fada08cc0a56235 Red Hat Enterprise Linux AS (v. 4) SRPMS: openoffice.org-1.1.2-24.6.0.EL4.src.rpm 782df44227035bdae27f4d5b82548244 IA-32: openoffice.org-1.1.2-24.6.0.EL4.i386.rpm 700fc3a6036a9206f31bd7d9ac7db80c openoffice.org-i18n-1.1.2-24.6.0.EL4.i386.rpm 9dc5d0f31383ea144f216c7bfe18efa2 openoffice.org-kde-1.1.2-24.6.0.EL4.i386.rpm 93e50067e6aa036fb4356846b61d730e openoffice.org-libs-1.1.2-24.6.0.EL4.i386.rpm fb4760c12f39bdea783d35ddecdf7ff7 PPC: openoffice.org-1.1.2-24.6.0.EL4.ppc.rpm 9f9b16a868bac28eea5ae035a41da178 openoffice.org-i18n-1.1.2-24.6.0.EL4.ppc.rpm 0bb909a3756f7256d5016cb4e8135906 openoffice.org-kde-1.1.2-24.6.0.EL4.ppc.rpm 92b028f02db5c193274486119c9ec763 openoffice.org-libs-1.1.2-24.6.0.EL4.ppc.rpm 02e37584c158d993c83d72dfbdc4f265 x86_64: openoffice.org-1.1.2-24.6.0.EL4.i386.rpm 700fc3a6036a9206f31bd7d9ac7db80c openoffice.org-i18n-1.1.2-24.6.0.EL4.i386.rpm 9dc5d0f31383ea144f216c7bfe18efa2 openoffice.org-libs-1.1.2-24.6.0.EL4.i386.rpm fb4760c12f39bdea783d35ddecdf7ff7 Red Hat Enterprise Linux ES (v. 3) SRPMS: openoffice.org-1.1.2-24.2.0.EL3.src.rpm 28b62078a887294f683d0ef33c4fb7d8 IA-32: openoffice.org-1.1.2-24.2.0.EL3.i386.rpm 3fb7f2cc17fdbac1690731032438fa2a openoffice.org-i18n-1.1.2-24.2.0.EL3.i386.rpm 2e5336c39975c611ffa23145d9985dbb openoffice.org-libs-1.1.2-24.2.0.EL3.i386.rpm afa55ff288e8fa052fada08cc0a56235 x86_64: openoffice.org-1.1.2-24.2.0.EL3.i386.rpm 3fb7f2cc17fdbac1690731032438fa2a openoffice.org-i18n-1.1.2-24.2.0.EL3.i386.rpm 2e5336c39975c611ffa23145d9985dbb openoffice.org-libs-1.1.2-24.2.0.EL3.i386.rpm afa55ff288e8fa052fada08cc0a56235 Red Hat Enterprise Linux ES (v. 4) SRPMS: openoffice.org-1.1.2-24.6.0.EL4.src.rpm 782df44227035bdae27f4d5b82548244 IA-32: openoffice.org-1.1.2-24.6.0.EL4.i386.rpm 700fc3a6036a9206f31bd7d9ac7db80c openoffice.org-i18n-1.1.2-24.6.0.EL4.i386.rpm 9dc5d0f31383ea144f216c7bfe18efa2 openoffice.org-kde-1.1.2-24.6.0.EL4.i386.rpm 93e50067e6aa036fb4356846b61d730e openoffice.org-libs-1.1.2-24.6.0.EL4.i386.rpm fb4760c12f39bdea783d35ddecdf7ff7 x86_64: openoffice.org-1.1.2-24.6.0.EL4.i386.rpm 700fc3a6036a9206f31bd7d9ac7db80c openoffice.org-i18n-1.1.2-24.6.0.EL4.i386.rpm 9dc5d0f31383ea144f216c7bfe18efa2 openoffice.org-libs-1.1.2-24.6.0.EL4.i386.rpm fb4760c12f39bdea783d35ddecdf7ff7 Red Hat Enterprise Linux WS (v. 3) SRPMS: openoffice.org-1.1.2-24.2.0.EL3.src.rpm 28b62078a887294f683d0ef33c4fb7d8 IA-32: openoffice.org-1.1.2-24.2.0.EL3.i386.rpm 3fb7f2cc17fdbac1690731032438fa2a openoffice.org-i18n-1.1.2-24.2.0.EL3.i386.rpm 2e5336c39975c611ffa23145d9985dbb openoffice.org-libs-1.1.2-24.2.0.EL3.i386.rpm afa55ff288e8fa052fada08cc0a56235 x86_64: openoffice.org-1.1.2-24.2.0.EL3.i386.rpm 3fb7f2cc17fdbac1690731032438fa2a openoffice.org-i18n-1.1.2-24.2.0.EL3.i386.rpm 2e5336c39975c611ffa23145d9985dbb openoffice.org-libs-1.1.2-24.2.0.EL3.i386.rpm afa55ff288e8fa052fada08cc0a56235 Red Hat Enterprise Linux WS (v. 4) SRPMS: openoffice.org-1.1.2-24.6.0.EL4.src.rpm 782df44227035bdae27f4d5b82548244 IA-32: openoffice.org-1.1.2-24.6.0.EL4.i386.rpm 700fc3a6036a9206f31bd7d9ac7db80c openoffice.org-i18n-1.1.2-24.6.0.EL4.i386.rpm 9dc5d0f31383ea144f216c7bfe18efa2 openoffice.org-kde-1.1.2-24.6.0.EL4.i386.rpm 93e50067e6aa036fb4356846b61d730e openoffice.org-libs-1.1.2-24.6.0.EL4.i386.rpm fb4760c12f39bdea783d35ddecdf7ff7 x86_64: openoffice.org-1.1.2-24.6.0.EL4.i386.rpm 700fc3a6036a9206f31bd7d9ac7db80c openoffice.org-i18n-1.1.2-24.6.0.EL4.i386.rpm 9dc5d0f31383ea144f216c7bfe18efa2 openoffice.org-libs-1.1.2-24.6.0.EL4.i386.rpm fb4760c12f39bdea783d35ddecdf7ff7 (The unlinked packages above are only available from the Red Hat Network) Bugs fixed (see bugzilla for more information) 154540 - CAN-2005-0941 openoffice.org heap overflow References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0941 http://www.openoffice.org/issues/show_bug.cgi?id=46388 [***** End Red Hat Security Advisory RHSA-2005:375-07 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) P-182: Oracle Critical Patch Update - April 2005 P-183: The Sun ONE and JES Directory Server Contain a Buffer Overflow involving LDAP P-184: libexif P-185: Apple Mac OS X v10.3.9 Security Update P-186: Possible Network Port Theft in Solaris P-187: Sun Java System Web Proxy Server Vulnerability P-188: Security Vulnerabilities Addressed in Red Hat Kernel Update P-189: RealNetworks Releases Security Updates P-190: Firefox Security Bugs P-191: KDE Image File Format Reader Vulnerabilities