__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
OpenOffice.org Vulnerabilities
[Debian Security Advisory DSA-1104-1]
June 30, 2006 16:00 GMT Number Q-236
[REVISED 03 July 2006]
[REVISED 06 July 2006]
[REVISED 14 July 2006]
______________________________________________________________________________
PROBLEM: Several vulnerabilities have been discovered in OpenOffice.org,
a free office suite.
PLATFORM: Debian GNU/Linux 3.1 alias sarge
DAMAGE: 1) It is possible to embed arbitrary BASIC macros in documents
in a way that OpenOffice.org does not see them but executes
them anyway without any user interaction;
2) It is possible to evade the Java sandbox with specially
crafted Java applets; and
3) Loading malformed XML documents can cause buffer overflows
and cause a denial of service or execute arbitrary code.
SOLUTION: Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. An attacker may be able to execute
ASSESSMENT: arbitrary code.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-236.shtml
ORIGINAL BULLETIN: Debian Security Advisory DSA-1104-1
http://www.debian.org/security/2006/dsa-1104
ADDITIONAL LINKS: Red Hat Security Advisory-2006:0573-10
https://rhn.redhat.com/errata/RHSA-2006-0573.html
Sun Alert ID: 102475
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102475-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security
Sun Alert ID: 102501
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102501-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security
Sun Alert ID: 102490
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102490-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
______________________________________________________________________________
REVISION HISTORY:
07/03/2006 - added links to Red Hat Security Advisory-2006:0573-10, Sun Alert ID: 102475, Sun Alert ID: 102501, and Sun Alert ID: 102490
07/06/2006 - updated note the correction in DSA 1104-1 was not sufficient
07/14/2006 - updated to note that Sun Document ID: 102475 and 102501 updated Contributing Factors and Resolution sections
[***** Start Debian Security Advisory DSA-1104-1 *****]
DSA-1104-2 openoffice.org -- several vulnerabilities
Date Reported:
30 Jun 2006
Affected Packages:
openoffice.org
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2006-2198, CVE-2006-2199, CVE-2006-3117.
More information:
Loading malformed XML documents can cause buffer overflows in OpenOffice.org, a free office suite, and cause a denial of service or execute arbitrary code. It turned out that the correction in DSA 1104-1 was not sufficient, hence, another update. For completeness please find the original advisory text below:
Several vulnerabilities have been discovered in OpenOffice.org, a free office suite. The Common Vulnerabilities and Exposures Project identifies the following problems:
* CVE-2006-2198
It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction.
* CVE-2006-2199
It is possible to evade the Java sandbox with specially crafted Java applets.
* CVE-2006-3117
Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code.
This update has the Mozilla component disabled, so that the Mozilla/LDAP adressbook feature won't work anymore. It didn't work on anything else than i386 on sarge either.
The old stable distribution (woody) does not contain OpenOffice.org packages.
For the stable distribution (sarge) this problem has been fixed in version 1.1.3-9sarge3.
For the unstable distribution (sid) this problem has been fixed in version 2.0.3-1.
We recommend that you upgrade your OpenOffice.org packages.
Fixed in:
Debian GNU/Linux 3.1 (sarge)
Source:
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge3.dsc
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge3.diff.gz
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-eu_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fi_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fr_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-gl_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-he_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-hi_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-hu_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-it_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ja_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-kn_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ko_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-lt_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nb_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nl_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nn_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ns_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pl_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pt-br_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pt_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ru_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sk_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sl_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sv_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-th_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-tn_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-tr_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zh-cn_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zh-tw_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zu_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-mimelnk_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-thesaurus-en-us_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge3_all.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/ttf-opensymbol_1.1.3-9sarge3_all.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge3_i386.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge3_i386.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge3_i386.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge3_i386.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge3_i386.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge3_s390.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge3_s390.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge3_s390.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge3_s390.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge3_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge3_sparc.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge3_sparc.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge3_sparc.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge3_sparc.deb
http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge3_sparc.deb
MD5 checksums of the listed files are available in the original advisory.
MD5 checksums of the listed files are available in the revised advisory.
[***** End Debian Security Advisory DSA-1104-1 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Debian for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
Q-226: Vulnerability in Server Message Block
Q-227: Vulnerability in RPC Mutual Authentication
Q-228: Vulnerability in TCP/IP
Q-229: horde3 -- Missing Input Sanitising
Q-230: kernel-source-2.4.27 -- Several Vulnerabilities
Q-231: Cisco Secure ACS for UNIX Cross Site Scripting Vulnerability
Q-232: kdebase Security Update
Q-233: Mac OS X v10.4.7 Update
Q-234: Cisco Security Advisory: Multiple Vulnerabilties in Wireless Control System
Q-235: Cisco Security Advisory: Access Point Web-browser Interface Vulnerability