List Info

Thread: OpenOffice.org: User-assisted arbitrary code execution
OpenOffice.org: User-assisted arbitrary code execution
country flaguser name
France		 2007-12-30 12:30:49 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -
Gentoo Linux Security Advisory                          
GLSA 200712-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -
                                            http://security.gentoo.or
g/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -

  Severity: Normal
     Title: OpenOffice.org: User-assisted arbitrary code
execution
      Date: December 30, 2007
      Bugs: #200771, #201799
        ID: 200712-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -

Synopsis
========

An unspecified vulnerability has been reported in
OpenOffice.org,
possibly allowing for the execution of arbitrary code.

Background
==========

OpenOffice.org is an open source office productivity suite,
including
word processing, spreadsheet, presentation, drawing, data
charting,
formula editing, and file conversion facilities.

Affected packages
=================

   
------------------------------------------------------------
-------
     Package                    /  Vulnerable  /           
Unaffected
   
------------------------------------------------------------
-------
  1  app-office/openoffice           < 2.3.1             
    >= 2.3.1
  2  app-office/openoffice-bin       < 2.3.1             
    >= 2.3.1
  3  dev-db/hsqldb                  < 1.8.0.9            
  >= 1.8.0.9
   
------------------------------------------------------------
-------
     3 affected packages on all of their supported
architectures.
   
------------------------------------------------------------
-------

Description
===========

The HSQLDB engine, as used in Openoffice.org, does not
properly enforce
restrictions to SQL statements.

Impact
======

A remote attacker could entice a user to open a specially
crafted
document, possibly resulting in the remote execution of
arbitrary Java
code with the privileges of the user running
OpenOffice.org.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenOffice.org users should upgrade to the latest
version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
">=app-office/openoffice-2.3.1"

All OpenOffice.org binary users should upgrade to the latest
version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
">=app-office/openoffice-bin-2.3.1"

All HSQLDB users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
">=dev-db/hsqldb-1.8.0.9"

References
==========

  [ 1 ] CVE-2007-4575
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-200
7-4575

Availability
============

This GLSA and any updates to it are available for viewing
at
the Gentoo Security Website:

  ht
tp://security.gentoo.org/glsa/glsa-200712-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring
the
confidentiality and security of our users machines is of
utmost
importance to us. Any security concerns should be addressed
to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://
creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


iD8DBQFHd+PZuhJ+ozIKI5gRAnw3AKCTR9OoJrvosyOIWsPR75YN/tIE1QCg
mLpL
hRdVKFeTyqcR6PIKgWqWExw=
=6HQd
-----END PGP SIGNATURE-----
-- 
gentoo-announcegentoo.org mailing list
[1]

about | contact  Other archives ( Real Estate discussion Medical topics )