http://blog.gmane.org/gmane.comp.openoffice.announce.security hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.comp.openoffice.announce.security/17 <pre>CVE-2010-3689 Insecure LD_LIBRARY_PATH usage in OpenOffice.org shell scripts * Synopsis: The OpenOffice.org start script and other shell scripts expand the LD_LIBRARY_PATH in a insecure way * State: Resolved 1. Impact The OpenOffice.org start script and other shell scripts expand the LD_LIBRARY_PATH in a way that the current directory might be searched for libraries before /lib and /usr/lib, which can have security implications. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.3 Note: OpenOffice.org 2 is not impacted by this issue. Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, make sure that LD_LIBRARY_PATH is not empty before running soffice or other OpenOffice.org shell scripts. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.3 6. Comments OpenOffice.org acknowledges with thanks, Dmitri Gribenko. Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:10:58 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/16 <pre>CVE-2010-3451 CVE-2010-3452 Security Vulnerability in OpenOffice.org related to RTF document processing * Synopsis: A security vulnerability in OpenOffice.org, related to RTF document processing, may lead to arbitrary code execution. * State: Resolved 1. Impact A security vulnerability in OpenOffice.org, related to RTF document processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted RTF document provided by the remote user. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.3 * All versions of OpenOffice.org 2 Note: Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.3 6. Comments OpenOffice.org acknowledges with thanks, Dan Rosenberg of Virtual Security Research. Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:10:48 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/15 <pre>CVE-2010-3453 CVE-2010-3454 Security Vulnerability in OpenOffice.org related to Word document processing * Synopsis: A security vulnerability in OpenOffice.org, related to Word document processing, may lead to arbitrary code execution. * State: Resolved 1. Impact A security vulnerability in OpenOffice.org, related to Word document processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted Word document provided by the remote user. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.3 * All versions of OpenOffice.org 2 Note: Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.3 6. Comments OpenOffice.org acknowledges with thanks, Dan Rosenberg of Virtual Security Research. Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:10:53 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/14 <pre>CVE-2010-4008 CVE-2010-4494 Possible Security Vulnerability in OpenOffice.org resulting from 3rd party library LIBXML2 * Synopsis: OpenOffice.org comes with a vulnerable version of 3rd party library LIBXML2 * State: Resolved 1. Impact OpenOffice.org comes with a vulnerable version of 3rd party library LIBXML2, but it's unclear whether or not OpenOffice.org actually is impacted by these issues. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.3 * All versions of OpenOffice.org 2 Note: Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround None. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.3 Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:11:08 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/13 <pre>CVE-2010-3702 CVE-2010-3704 Security Vulnerability in OpenOffice.org's PDF Import extension resulting from 3rd party library XPDF * Synopsis: A security vulnerability in the 3rd party library XPDF, related to PDF document processing, may lead to arbitrary code execution. * State: Resolved 1. Impact A security vulnerability in the 3rd party library XPDF (only used in the PDF import extension), related to PDF document processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted PDF document provided by the remote user. 2. Affected releases * All versions of OpenOffice.org's PDF Import extension prior to version 1.0.4 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: PDF Import Extension 1.0.4 Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:11:03 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/12 <pre>CVE-2010-2935 CVE-2010-2936 Security Vulnerability in OpenOffice.org related to PowerPoint document processing * Synopsis: A security vulnerability in OpenOffice.org, related to PowerPoint document processing, may lead to arbitrary code execution. * State: Resolved 1. Impact A security vulnerability in OpenOffice.org, related to PowerPoint document processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted PowerPoint document provided by the remote user. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.3 * All versions of OpenOffice.org 2 Note: Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.3 Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:10:31 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/11 <pre>CVE-2010-4643 Security Vulnerability in OpenOffice.org related to TGA file processing * Synopsis: A security vulnerability in OpenOffice.org, related to TGA file processing, may lead to arbitrary code execution. * State: Resolved 1. Impact A security vulnerability in OpenOffice.org, related to TGA file processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted TGA file provided by the remote user. Note: TGA files could be embedded in many different document types, including all kind of ODF and MS Office documents. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.3 * All versions of OpenOffice.org 2 Note: Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.3 6. Comments OpenOffice.org acknowledges with thanks, babi working with Beyond Security's SecuriTeam Secure Disclosure program. Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:11:18 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/10 <pre>CVE-2010-4253 Security Vulnerability in OpenOffice.org related to PNG file processing * Synopsis: A security vulnerability in OpenOffice.org, related to PNG file processing, may lead to arbitrary code execution. * State: Resolved 1. Impact A security vulnerability in OpenOffice.org, related to PNG file processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted PNG file provided by the remote user. Note: PNG files could be embedded in many different document types, including all kind of ODF and MS Office documents. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.3 * All versions of OpenOffice.org 2 Note: Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.3 6. Comments OpenOffice.org acknowledges with thanks, Marc Schoenefeld from Red Hat Security Response Team. Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:11:13 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/9 <pre>CVE-2010-3450 Security Vulnerability in OpenOffice.org related to Extensions and filter package files * Synopsis: A directory traversal vulnerability in OpenOffice.org, related to zip/jar package extraction, may lead to overwriting files and even to arbitrary code execution. * State: Resolved 1. Impact A directory traversal vulnerability in OpenOffice.org, related to zip/jar package extraction, may lead to overwriting files when relative file locations point to locations outside the root of the destination folder. This way important files could be overwritten, including executables. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.3 * All versions of OpenOffice.org 2 Note: Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load extensions or filter package files from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.3 6. Comments OpenOffice.org acknowledges with thanks, Marc Schoenefeld from Red Hat Security Response Team. Reference: http://www.openoffice.org/security/bulletin.html </pre> Malte Timmermann 2011-01-28T11:10:42 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/8 <pre>Synopsis CVE-2010-0395: Security vulnerability in OpenOffice.org related to python scripting 1. Impact A security vulnerability in OpenOffice.org related to python scripting might lead to unexpected code execution when using the built-in scripting IDE for exploring the python code. 2. Affected releases All versions of OpenOffice.org 3 prior to version 3.2.1 All versions of OpenOffice.org 2 Note: Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround As a workaround, do not inspect python code from non-trustworthy documents with the built-in scripting IDE and its dialogs. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.2.1 </pre> Florian Effenberger 2010-06-04T10:19:25 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/7 <pre>Synopsis CVE-2009-3555: OpenOffice.org 2 and 3 may be affected by the TLS/SSL Renegotiation Issue in 3rd Party Libraries 1. Impact OpenOffice.org 2 and 3 ship with 3rd party libraries affected by the TLS/SSL renegotiation issue documented in CVE-2009-3555. 2. Affected releases All versions of OpenOffice.org 3 prior to version 3.2.1 All versions of OpenOffice.org 2 Note: OpenOffice.org 1.1 is not impacted by this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround None. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.2.1 </pre> Florian Effenberger 2010-06-04T08:51:57 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/6 <pre>CVE-2009-3301, CVE-2009-3302: Security Vulnerability in OpenOffice.org related to MS-Word document processing * Synopsis: A security vulnerability in OpenOffice.org, related to MS-Word document processing, may lead to arbitrary code execution. * State: Resolved 1. Impact A security vulnerability in OpenOffice.org, related to Word document processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted Word document provided by the remote user. 2. Affected releases All versions of OpenOffice.org prior to version 3.2 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.2 6. Comments OpenOffice.org acknowledges with thanks, Nicolas Joly of VUPEN Vulnerability Research Team. </pre> Florian Effenberger 2010-02-12T11:04:00 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/5 <pre>CVE-2009-2950: Security Vulnerability in OpenOffice.org related to GIF file processing * Synopsis: Security Vulnerability in OpenOffice.org related to GIF file processing may lead to arbitrary code execution * State: Resolved 1. Impact A security vulnerability in OpenOffice.org, related to GIF file processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted GIF file provided by the remote user. GIF files can also be embedded in different kind of documents, including documents in the OpenDocument Format (ODF), the default format used by OpenOffice.org. 2. Affected releases All versions of OpenOffice.org prior to version 3.2 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.2 6. Comments OpenOffice.org acknowledges with thanks, Frank Reißner and Sebastian Apelt from siberas. </pre> Florian Effenberger 2010-02-12T11:03:27 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/4 <pre>CVE-2009-2949: Security Vulnerability in OpenOffice.org related to XPM file processing * Synopsis: Security Vulnerability in OpenOffice.org related to XPM file processing may lead to arbitrary code execution * State: Resolved 1. Impact A security vulnerability in OpenOffice.org, related to XPM file processing, may allow a remote unprivileged user to execute arbitrary code on the system with the privileges of a local user running OpenOffice.org, if the local user opens a crafted XPM file provided by the remote user. XPM files can also be embedded in different kind of documents, including documents in the OpenDocument Format (ODF), the default format used by OpenOffice.org. 2. Affected releases All versions of OpenOffice.org prior to version 3.2 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround To workaround the described issue, do not load documents from untrusted sources. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.2 6. Comments OpenOffice.org acknowledges with thanks Sebastian Apelt from siberas. </pre> Florian Effenberger 2010-02-12T11:03:05 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/3 <pre>CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable version of MSVC Runtime * Synopsis: OpenOffice.org 3 for Windows includes a vulnerable version of the MSVC Runtime, see CVE-2009-2493 for details. * State: Resolved 1. Impact OpenOffice.org 3 for Windows ships with a vulnerable version of the MSVC Runtime, CVE-2009-2493 for details. OpenOffice.org is not affected by the security issue, but centrally installs the vulnerable MSVC Runtime if it didn't exist on the system before. The vulnerable version should be updated automatically by the monthly Windows updates, but newer versions of OpenOffice.org also come with the updated MSVC Runtime. 2. Affected releases * All versions of OpenOffice.org 3 for Windows prior to version 3.2 Note: OpenOffice.org 2 and OpenOffice.org 1.1 are not impacted by this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround None. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.2 </pre> Florian Effenberger 2010-02-12T11:02:35 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/2 <pre>CVE-2009-0217: Security Vulnerability in OpenOffice.org resulting from 3rd party library * Synopsis: OpenOffice.org 2 and 3 might be affected by XML signature HMAC truncation authentication bypass issue in 3rd party library libxmlsec * State: Resolved 1. Impact OpenOffice.org 2 and 3 ship with 3rd party libraries affected by the XML signature HMAC truncation authentication bypass issue documented in CVE-2009-0217. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.2 * All versions of OpenOffice.org 2 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround None. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.2 </pre> Florian Effenberger 2010-02-12T11:02:08 http://permalink.gmane.org/gmane.comp.openoffice.announce.security/1 <pre>CVE-2006-4339: Security Vulnerability in OpenOffice.org resulting from 3rd party libraries * Synopsis: OpenOffice.org 2 and 3 might fail to handle signatures properly due to an issue in 3rd party library libxml2. * State: Resolved 1. Impact OpenOffice.org 2 and 3 might fail to handle signatures properly due to the use of a 3rd party library known for having the issue described in CVE-2006-4339. 2. Affected releases * All versions of OpenOffice.org 3 prior to version 3.2 * All versions of OpenOffice.org 2 Note: OpenOffice.org 1.1 is not impacted by this issue. 3. Symptoms There are no predictable symptoms that would indicate this issue has occurred. 4. Relief/Workaround None. 5. Resolution This issue is addressed in the following release: OpenOffice.org 3.2 </pre> Florian Effenberger 2010-02-12T11:01:36 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.comp.openoffice.announce.security