Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200712-25 ] OpenOffice.org: User-assisted arbitrary code execution
Date: Sun, 30 Dec 2007 18:45:41
Message-Id: 4777E3D9.2080702@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200712-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenOffice.org: User-assisted arbitrary code execution
Date: December 30, 2007
Bugs: #200771, #201799
ID: 200712-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An unspecified vulnerability has been reported in OpenOffice.org,
possibly allowing for the execution of arbitrary code.

Background
==========

OpenOffice.org is an open source office productivity suite, including
word processing, spreadsheet, presentation, drawing, data charting,
formula editing, and file conversion facilities.

Affected packages
=================

-------------------------------------------------------------------
 Package                        /  Vulnerable  /       Unaffected
-------------------------------------------------------------------
 1  app-office/openoffice              < 2.3.1               >= 2.3.1
 2  app-office/openoffice-bin          < 2.3.1               >= 2.3.1
 3  dev-db/hsqldb                    < 1.8.0.9             >= 1.8.0.9
-------------------------------------------------------------------
 3 affected packages on all of their supported architectures.
-------------------------------------------------------------------

Description
===========

The HSQLDB engine, as used in OpenOffice.org, does not properly enforce
restrictions on SQL statements.

Impact
======

A remote attacker could entice a user to open a specially crafted
document, possibly resulting in the remote execution of arbitrary Java
code with the privileges of the user running OpenOffice.org.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenOffice.org users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-2.3.1"

All OpenOffice.org binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.3.1"

All HSQLDB users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/hsqldb-1.8.0.9"

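The affected-packages table and the three upgrade commands above describe which installed versions still need attention. The following script is an added example, not part of the advisory or of Gentoo's own tooling: it takes a list of installed atoms in the category/package-version form Portage tools print (the sample list is constructed, and the reference to `qlist -Iv` is an assumption about where such a list would come from) and classifies each one against the version boundaries stated in this GLSA. It assumes plain dotted numeric versions with an optional `-rN` revision; other Gentoo version suffixes are rejected rather than mis-ordered.

```python
import re

# Affected packages exactly as listed in the GLSA 200712-25 table:
# a version below the value is vulnerable, at or above it is unaffected.
AFFECTED = {
    "app-office/openoffice": "2.3.1",
    "app-office/openoffice-bin": "2.3.1",
    "dev-db/hsqldb": "1.8.0.9",
}

# Assumption: dotted numeric versions with an optional Gentoo -rN revision.
# Suffixes such as _rc1 or _p20071230 are rejected rather than misordered.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
# Gentoo convention: the version starts at the first '-' followed by a digit,
# so package names containing hyphens (openoffice-bin) split correctly.
_ATOM_RE = re.compile(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$")


def parse_version(ver):
    """Turn '1.8.0.9-r2' into ((1, 8, 0, 9), 2) so that tuple comparison
    orders the simple numeric case like Portage does:
    1.8.0 < 1.8.0.9, and a -r1 revision sorts above no revision."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return numbers, revision


def split_atom(atom):
    """Split 'app-office/openoffice-bin-2.3.0' into
    ('app-office/openoffice-bin', '2.3.0')."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"not a category/package-version atom: {atom!r}")
    return m.group(1), m.group(2)


def is_vulnerable(pkg, ver):
    """True when pkg appears in the advisory table and ver is below the
    fixed version; packages the advisory does not list are never flagged."""
    fixed = AFFECTED.get(pkg)
    if fixed is None:
        return False
    return parse_version(ver) < parse_version(fixed)


def audit(installed):
    """Classify each installed atom as 'vulnerable', 'unaffected' or
    'not listed' with respect to this advisory."""
    report = {}
    for atom in installed:
        pkg, ver = split_atom(atom)
        if pkg not in AFFECTED:
            report[atom] = "not listed"
        elif is_vulnerable(pkg, ver):
            report[atom] = "vulnerable"
        else:
            report[atom] = "unaffected"
    return report


# Constructed sample, not taken from any real system: atoms in the
# category/package-version form that Portage tools such as `qlist -Iv`
# print (assumed source of such a list).
SAMPLE_INSTALLED = [
    "app-office/openoffice-2.3.0-r1",
    "app-office/openoffice-bin-2.3.1",
    "dev-db/hsqldb-1.8.0.7",
    "dev-db/hsqldb-1.8.0.9-r1",
    "app-editors/vim-7.1.123",
]

if __name__ == "__main__":
    for atom, status in audit(SAMPLE_INSTALLED).items():
        print(f"{status:11} {atom}")
```

The revision handling matters for the HSQLDB row: 1.8.0.9-r1 is at or above the 1.8.0.9 boundary and so is unaffected, while 1.8.0.7 is below it. Feeding the real output of an installed-package listing into `audit()` gives the same three-way classification for a running system.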
References
==========

[ 1 ] CVE-2007-4575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4575

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200712-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHd+PZuhJ+ozIKI5gRAnw3AKCTR9OoJrvosyOIWsPR75YN/tIE1QCgmLpL
hRdVKFeTyqcR6PIKgWqWExw=
=6HQd
-----END PGP SIGNATURE-----
--
gentoo-announce@g.o mailing list