U radu programskog paketa openoffice.org otkrivene su sigurnosne ranjivosti koje udaljenim napadačima omogućuju DoS napad ili pokretanje proizvoljnog programskog koda.
Paket:
openoffice.org 1.x
Operacijski sustavi:
Ubuntu Linux 10.04
Kritičnost:
6.9
Problem:
cjelobrojno prepisivanje, pogreška u programskoj komponenti, preljev međuspremnika
Ranjivosti su posljedica prepisivanje cjelobrojne varijable u biblioteci "vclmi.dll" i komponenti "filter/source/msfilter/msdffimp.cxx", nepravilnosti u komponenti "oowriter" te prepisivanja spremnika na stogu u Lotus Word Pro filteru.
Posljedica:
Napadači ih mogu iskoristiti za izvođenje napada uskraćivanjem usluge ili izvršavanje proizvoljnog programskog koda.
Rješenje:
Korisnicima se savjetuje instalacija novih programskih rješenja.
==========================================================================
Ubuntu Security Notice USN-1496-1
July 02, 2012
openoffice.org vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
OpenOffice.org could be made to crash or potentially run programs as your
login if it opened a specially crafted file.
Software Description:
- openoffice.org: Office productivity suite
Details:
A stack-based buffer overflow was discovered in the Lotus Word Pro import
filter in OpenOffice.org. The default compiler options for affected
releases should reduce the vulnerability to a denial of service.
(CVE-2011-2685)
Huzaifa Sidhpurwala discovered that OpenOffice.org could be made to crash
if it opened a specially crafted Word document. (CVE-2011-2713)
Integer overflows were discovered in the graphics loading code of several
different image types. If a user were tricked into opening a specially
crafted file, an attacker could cause OpenOffice.org to crash or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2012-1149)
Sven Jacobi discovered an integer overflow when processing Escher graphics
records. If a user were tricked into opening a specially crafted PowerPoint
file, an attacker could cause OpenOffice.org to crash or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2012-2334)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
openoffice.org-core 1:3.2.0-7ubuntu4.3
After a standard system update you need to restart OpenOffice.org to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1496-1
CVE-2011-2685, CVE-2011-2713, CVE-2012-1149, CVE-2012-2334
Package Information:
https://launchpad.net/ubuntu/+source/openoffice.org/1:3.2.0-7ubuntu4.3
Posljednje sigurnosne preporuke