Thread-topic: High Risk Vulnerability in OpenOffice
> -----Original Message-----
> From: NGSSoftware Insight Security Research [mailto:nisr@xxxxxxxxxxxxxxx]
> Sent: Wednesday, April 04, 2007 8:32 PM
> To: VulnWatch; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: High Risk Vulnerability in OpenOffice
>
> John Heasman of NGSSoftware has discovered a high risk vulnerability
> in the handling of StarCalc documents within OpenOffice.
>
>
> The vulnerability affects all versions of OpenOffice prior to 2.2. If
> an attacker can coax a user into opening a specially crafted StarCalc
> document then the attacker can execute arbitrary code in the security
> context of their victim.
>
>
>
> Details
> *******
>
> 1) sc\source\filter\starcalc\scflt.cxx
>
>
>     USHORT NoteLen;
>     rStream >> NoteLen;
>     if (NoteLen != 0)
>     {
>         sal_Char Note[4096];
>         rStream.Read(Note, NoteLen);
>         Note[NoteLen] = 0;
>         String aText( SC10TOSTRING(Note));
>         ScPostIt aNote(aText, pDoc);
>         pDoc->SetNote(Col, static_cast<SCROW> (Row), Tab, aNote );
>     }
>
>
> There is a stack overflow when copying more than 4096 characters into
> the Note buffer.
>
>
>
> Solution
> ********
>
> This issue has now been resolved; OpenOffice users are strongly
> recommended to install OpenOffice 2.2, apply OpenOffice patch 1.1.5 or
> obtain the latest OpenOffice packages appropriate to their distribution.
>
> Further information on this issue may be found at:
>
> http://www.openoffice.org/security/CVE-2007-0238
>
>
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
>
>
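
The read quoted in the advisory trusts a 16-bit length taken from the file; the following added example (not part of the original advisory, and not OpenOffice's actual patch) shows the same read with the length validated against the buffer and against the bytes really available. ByteStream, readNote, makeRecord and kNoteCap are hypothetical names, and a little-endian length field is an assumption.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-in for the document stream (not OpenOffice's SvStream).
class ByteStream {
public:
    explicit ByteStream(const std::vector<uint8_t>& d) : data_(d), pos_(0) {}
    // Copies n bytes only if the stream really holds that many.
    bool read(void* dst, size_t n) {
        if (n > data_.size() - pos_) return false;
        std::memcpy(dst, data_.data() + pos_, n);
        pos_ += n;
        return true;
    }
private:
    const std::vector<uint8_t>& data_;
    size_t pos_;
};

const size_t kNoteCap = 4096;  // same size as the Note buffer in the advisory

// Reads a 16-bit length (little-endian assumed) and then that many bytes.
// Returns false for a malformed record instead of writing past the buffer.
bool readNote(ByteStream& s, std::string& out) {
    uint8_t lenBytes[2];
    if (!s.read(lenBytes, sizeof lenBytes)) return false;
    const size_t noteLen = lenBytes[0] | (static_cast<size_t>(lenBytes[1]) << 8);
    out.clear();
    if (noteLen == 0) return true;  // no note present
    char note[kNoteCap];
    // noteLen comes from the file and can be as large as 65535. One byte is
    // reserved for the terminator, so 4096 is rejected along with larger values.
    if (noteLen >= sizeof note) return false;
    if (!s.read(note, noteLen)) return false;  // truncated record
    note[noteLen] = 0;
    out.assign(note, noteLen);
    return true;
}

// Builds a constructed sample record: declared length, then payloadLen 'A' bytes.
std::vector<uint8_t> makeRecord(uint16_t declaredLen, size_t payloadLen) {
    std::vector<uint8_t> rec;
    rec.push_back(static_cast<uint8_t>(declaredLen & 0xff));
    rec.push_back(static_cast<uint8_t>(declaredLen >> 8));
    rec.insert(rec.end(), payloadLen, 'A');
    return rec;
}
```

A declared length of exactly 4096 is rejected as well, because the terminator write at index 4096 would land one byte past the end of the 4096-byte array.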