-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: OpenOffice_org
Announcement ID: SUSE-SA:2006:040
Date: Mon, 03 Jul 2006 16:00:00 +0000
Affected Products: Novell Linux Desktop 9
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Desktop 1.0
Vulnerability Type: remote code execution
Severity (1-10): 8
SUSE Default Package: yes
Cross-References: CVE-2006-2198, CVE-2006-2199, CVE-2006-3117
Content of This Advisory:
1) Security Vulnerability Resolved:
OpenOffice_org security problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The following security problems were found and fixed in OpenOffice_org:
- CVE-2006-2198:
A security vulnerability in OpenOffice.org may make it possible to
inject BASIC code into documents which is executed when the document
is loaded. The user will not be asked or notified, and the macro
will have full access to system resources with the current user's
privileges. As a result, the macro may delete/replace system files,
read/send private data and/or cause additional security issues.
Note that this attack works even with macro execution disabled.
It allows remote attackers to modify files and execute code as the
user opening the document.
- CVE-2006-2199:
A security vulnerability related to OpenOffice.org documents
may allow certain Java applets to break out of the "sandbox"
and thereby gain full access to system resources with the current
user's privileges. The offending applets may be constructed to
destroy/replace system files, read or send private data, and/or
cause additional security issues.
Since Java applet support exists only for historical reasons
(StarOffice once provided a web browser), it has now been
disabled by default.
- CVE-2006-3117:
A buffer overflow in the XML UTF8 converter allows for a value to
be written to an arbitrary location in memory. This may lead to
command execution in the context of the current user.
2) Solution or Work-Around
There is no known workaround; please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of OpenOffice_org
after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
SUSE LINUX 10.0:
SUSE LINUX 9.3:
SUSE LINUX 9.2:
SUSE LINUX 9.1:
Power PC Platform:
SUSE LINUX 10.1:
SUSE LINUX 10.0:
Sources:
SUSE LINUX 10.1:
SUSE LINUX 10.0:
SUSE LINUX 9.3:
SUSE LINUX 9.2:
SUSE LINUX 9.1:
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SuSE Linux Desktop 1.0
Novell Linux Desktop 9 for x86
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <file>
after downloading the file from a SUSE FTP server or one of its mirrors.
Then compare the resulting MD5 sum with the one listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums prove the authenticity of the package as long as the
signature of the announcement is valid. Note that the MD5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified this way.
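The checksum comparison from method 2 above, automated for a whole download directory. This is an added example, not a script shipped by SUSE: it reads "<md5>  <filename>" lines as printed in a signed announcement, recomputes each file's MD5 and reports any missing or mismatching package; the package names and contents used by demo_check are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): check downloaded RPMs against
# the "<md5>  <filename>" lines of a signed announcement. The file names and
# contents used by demo_check are constructed for illustration.

# MD5 of one file (md5sum on Linux, md5 on BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_against_list LISTFILE DIR: every listed file must exist in DIR and
# match its announced checksum. Returns 0 on success, 1 on any miss/mismatch.
check_against_list() {
    status=0
    while read -r expected name; do
        [ -n "$expected" ] || continue   # skip blank lines
        f="$2/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual=$(file_md5 "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (announced $expected, got $actual)"; status=1
        fi
    done < "$1"
    return $status
}
# demo_check [tamper]: build a throwaway directory holding two constructed
# "packages" and their checksum list, optionally corrupt one, run the check.
demo_check() {
    tmp=$(mktemp -d) || return 2
    for n in 1 2; do
        pkg="OpenOffice_org-example-$n.rpm"
        printf 'constructed package %s\n' "$n" > "$tmp/$pkg"
        printf '%s  %s\n' "$(file_md5 "$tmp/$pkg")" "$pkg" >> "$tmp/checksums.txt"
    done
    if [ "$1" = tamper ]; then
        printf 'x' >> "$tmp/OpenOffice_org-example-2.rpm"   # simulate a corrupt download
    fi
    check_against_list "$tmp/checksums.txt" "$tmp"; rc=$?
    rm -rf "$tmp"
    return $rc
}
demo_check   # self-check on constructed files; exit status 0 means every file matched
```

On a real download also run the announcement's first method, `rpm -v --checksig`, on each package: MD5 is no longer collision-resistant, so treat the checksum list as a secondary check beside the package's own gpg signature.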
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
For general information or the frequently asked questions (FAQ),
send mail to or
.
====================================================================
SUSE's security contact is or .
The public key is listed below.
====================================================================