SuSE: 2005-025: OpenOffice heap overflow problem Security Update
Summary
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: OpenOffice_org
Announcement-ID: SUSE-SA:2005:025
Date: Tue, 19 Apr 2005 13:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Desktop 1.0
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE default package: yes
Cross References: CAN-2005-0941
Content of this advisory:
1) security vulnerability resolved:
heap overflow in MS Word DOC file handling
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
See SUSE Security Summary Report.
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This security update fixes a buffer overflow in OpenOffice_org
Microsoft Word document reader which could allow a remote attacker
sending a handcrafted .doc file to execute code as the user
opening the document in OpenOffice.
This is tracked by the Mitre CVE ID CAN-2005-0941.
WARNING: The updated packages are very large for distributions before
SUSE Linux 9.2 and 9.3.
The minimum download sizes for those are:
SUSE Linux Desktop 1: 47 MB
Novell Linux Desktop 9: 41 MB
SUSE Linux 8.2: 37 MB
SUSE Linux 9.0: 46 MB
SUSE Linux 9.1: 50 MB
SUSE Linux 9.2: 2.1 MB (using delta rpm)
SUSE Linux 9.3: 3.5 MB (using delta rpm)
2) solution/workaround
Install the updated packages.
A possible workaround is to not open .DOC files from untrusted
sources.
3) special instructions and notes
Restart OpenOffice after the update.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
b552f46f192457b6487b60dd7adab845
8b3defa6812104ac95aa3ecd198c08e5
63a174e1f5b177e8d785f14a21f5bec5
dcc5245c56657d6e20cc714b229390fd
bcb44ef1ef0688327e8b2304f2adfb76
3c166f9a421f0137134d750c869748cc
b0bfd04da81ec413eab5ab292ab4d4f4
974366c76fe393438d9a3ab6f73b5bdb
17d21ae9d96670aca17b116d5770d0fb
e20309f95c285e141087f5472f0a37f2
ca43a8e14d7662c41b8d60f1f526dca7
b19618fd2ff92431f48f4fc36273ae1a
a12adba49239a86e174457fb95f5c576
36057e0d7e178478a6b6eb119e7d56df
7d8d796f8bb9a8046b07af980f8adfc5
2160456066a9449daff5dcf26814882b
305e8470904629f0c8e3a278d2f0b1e9
ab4cbc8427c84110990bcea0f7185322
bbcef39ccd2be2b7b8611286427caf3c
784fa5fef330224ea92ee8c7573444a5
cf0a961f879a96af96b4b3464844f6e1
0e041750d71900ce52dd7e0192a65693
5f62da8fbdb0da4b63612a2b02a36dc1
dab43fb02881dd04a1f24b56a5f11f71
11be2bff9e95a2ae2b87cbb3ae763f46
c0a8ba848b1b266b0d13f7905fe234e6
3f267e1277041393fcd28cc4cee59cf7
05bb29569bfdf851ac2c4d268c58bead
SUSE Linux 9.2:
2293f4e4c6ab47b0614f7e9988273d6c
bb0f47a473f4262c2cdf8cd49e2564f9
7e2263e7703856b184cc8a76f799732a
32d6b6ee86e395c442654409f11e9c9c
dca243c3ad1747021b1f5c7074e1e3b7
39f68abc86e4a5e33d42957d8a37af01
20eddfbefd818c8d1cfe599898893c50
4068f98e7f40d66905e5a253a2470cba
0a4286d62466addf22bb2bba7ab0c309
a3effffec6221f5e1edda0da2502fa77
7bca5b49f4ecd97331efdd8b9d02704f
79eec2c6b39a24a80f2a2030167d327b
640b167beaedb0e400a9945fbdec3346
fec069d75bd3036d9181789e47d5ff11
2fae2a1136717f97eefb55eb86571099
0f170766b94adf4f0c86d2b251ef80b8
0b39736cdeab86262746d52f6ca6f4be
ba6a72c373198ff4509e9870cb16f253
7a443cc6cb4d6880ffb1e02fa3aa0ba7
dc6f63e7b9141838a46fa4738f038e58
eca5ce05d506b0aeda52c89f4558cecd
799d8c7f09c3459f90032d25be0f5525
01ebf77e4e283925a6506a24c3e8d865
aec3c6e8b4143d97f1b6d35bf1f3dc8a
8b074f282d1bb4d9883324f07ca5797e
0cd956b13b0bfa1b478f238426b61813
09586c7bc9801d9a4b7ab5c026d88880
101e72d1f892b22d585688aad67ed5a8
73dbea37ec2f089f0932956782e4c923
SUSE Linux 9.1:
acfc765af694e2dbad866400ff35baf1
0af9c4a72afa6e6fdde2b0bcc096666f
da472e7cea51097743762bc6a2608aa4
70fdd4f83e0f18b1895e142b4e8f0f41
23e05864cc3993ea28b414b9fb8c14ad
cd516d937d0f11b99f9b89950136eac6
74e823e5c1af46a94a1439ceca09bf08
04e1cf5845598f842cca8a142e963206
d23180d06e4ee6aa2d92a3b3d4ff9036
2d48b32b780c40ba6edf87f205252f6f
84eb506c11c687852d747e34ad58adb7
7fc4d93253f873a84d5dcf1be56ea02b
d317a379e5e8d0dbd5c2637ebffdb978
84b4466a0ad38e1bee97bd76de10a650
8dd0108842f786c5278413017c178bd8
f09448181bc7b7a4f0076694ec29f073
637c906b339a24e984a6ee080dc57f42
3b98ed06cb70895123b5bc9cbe8744b7
467c41efec48271d291cceb38709a2aa
a475fe4fb2a99341831fdc6da07497d0
ad03e64157d0c0ba9a31f2e3cc8c78f8
5efef74ffe625cf6e4f38b8738211a25
fee1d6e9f05d59b95561dbe192ae927f
1ce11a3e8ecec9b032e4c250c7b7dcd7
cbff62da371e49552ced339f9a5a014e
source rpm(s):
e30ccd2e95d5f985be7918185e5347e6
SUSE Linux 9.0:
2103fcc3a5de4724a96350b6c5aba23d
24ef98c1b908db39073a792959a412db
8b9b494f4ec8e0cad1a14c025fbe5025
a4f199cd7d077552b80b96fa8f573e8d
fa8bef6b96f4f44a5e65ba471b937c7c
182ab41d8b98cfcb25514d84f5426569
da512b6c56065b7d6537b0385fc89f90
7cd38f5e4381f64bd1cbf4c883b6cb6e
227616d6355d91b6a680837b546878bc
9f052173c82e73b578f9edfbad5a7649
b424833a10fad334502a0c73d1842d51
4a3706cd87d6938530d9bb7261eb7b2f
00212453e83c014a68d51945f08cc486
0da0e8b50393bccd6ed00aeaaef5809a
ecfa98395e093e3ab2acb80b04cd234d
6f50954b40c3d74c1cba1b1df920f25a
9c052a19385612f952aff029086f6877
ef3c9469080799b7ff1c40e8f54f72fe
f28d7b1b30b5bfd06a5d774e424de7d9
c0cbd660335c6418699993b1fb78a7e8
b4d926bc3e1eea6edfd453f645d2e3bb
0fe30e9116ef5df1e776be3322381d0a
3c9f01c4cb808238967c386a9bbf95f2
source rpm(s):
6ad8a3d82246b021cedcd23f4ce74f1a
SUSE Linux 8.2:
6b5f9f1b9bd7dad1d62619c46e471ee4
966b54c4cc0a7eca79386d3d7eed358d
f857a4c91b90de7b46d9700439fc3dc4
65706db98543bdcf84b8ff1ec3be93ca
c574794e58d89c56b9cab405ca1462a6
6a6eed7174ec918d4c7617728e0328c3
7428286d640ca1c4e0e8572acf1fa370
27fae82ea8f296265847e26e91ead421
e4e70c8843084cbc9707e1baf7b9b9f4
ae9a2d1c379be2581bd936e4f08c14bb
401508cc4fdc89759f9c78497943456b
source rpm(s):
5a086c30ec314b476ef3fcc7399b921e
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
References