Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: High Risk Vulnerability in OpenOffice



> -----Original Message-----
> From: NGSSoftware Insight Security Research 
> [mailto:nisr@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, April 04, 2007 8:32 PM
> To: VulnWatch; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: High Risk Vulnerability in OpenOffice
> 
> John Heasman of NGSSoftware has discovered a high risk vulnerability
> in the handling of StarCalc documents within OpenOffice.
> 
> 
> The vulnerability affects all versions of OpenOffice prior to 2.2. If
> an attacker can coax a user into opening a specially crafted StarCalc
> document then the attacker can execute arbitrary code in the security
> context of their victim.
> 
> 
> 
> Details
> *******
> 
> 1) sc\source\filter\starcalc\scflt.cxx
> 
> 
> USHORT NoteLen;
> rStream >> NoteLen;
> if (NoteLen != 0)
> {
>  sal_Char Note[4096];
>  rStream.Read(Note, NoteLen);
>  Note[NoteLen] = 0;
>         String aText( SC10TOSTRING(Note));
>         ScPostIt aNote(aText, pDoc);
>  pDoc->SetNote(Col, static_cast<SCROW> (Row), Tab, aNote );
> }
> 
> 
> There is a stack overflow when copying more than 4096 characters into
> the Note buffer.
> 
> 
> 
> Solution
> ********
> 
> This issue has now been resolved; OpenOffice users are 
> strongly recommended
> to install OpenOffice 2.2, apply OpenOffice patch 1.1.5 or obtain the
> latest OpenOffice packages appropriate to their distribution.
> 
> Further information on this issue may be found at:
> 
> http://www.openoffice.org/security/CVE-2007-0238
> 
> 
> 
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
> 
> --
> E-MAIL DISCLAIMER
> 
> The information contained in this email and any subsequent
> correspondence is private, is solely for the intended recipient(s) and
> may contain confidential or privileged information. For those 
> other than
> the intended recipient(s), any disclosure, copying, 
> distribution, or any
> other action taken, or omitted to be taken, in reliance on such
> information is prohibited and may be unlawful. If you are not the
> intended recipient and have received this message in error, please
> inform the sender and delete this mail and any attachments.
> 
> The views expressed in this email do not necessarily reflect 
> NGS policy.
> NGS accepts no liability or responsibility for any onward transmission
> or use of emails and attachments having left the NGS domain.
> 
> NGS and NGSSoftware are trading names of Next Generation Security
> Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
> 4BF with Company Number 04225835 and VAT Number 783096402
> 



 




Copyright © Lexa Software, 1996-2009.