__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN OpenOffice.org Security Update [Red Hat RHSA-2007:0033-4] March 22, 2007 19:00 GMT Number R-187 [REVISED 28 Mar 2007] [REVISED 31 Jul 2007] ______________________________________________________________________________ PROBLEM: A flaw exists in libwpd, a library for handling Word Perfect documents. PLATFORM: Red Hat Desktop (v. 3, v. 4) Red Hat Enterprise Linux AS, ES, WS (v. 3, v. 4) StarOffice 6, 7, and 8 Office Suite SGI Advanced Linux Environment 3 Security Update #74 ProPack 3 Service Pack 6 DAMAGE: Could cause OpenOffice.org to crash or possibly execute arbitrary code. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. If a remote intruder can get a user to open ASSESSMENT: a carefully crafted Word Perfect document, he would get arbitrary code to run on a system with the privileges of the logged on user. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-187.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2007-0033.html ADDITIONAL LINKS: Sun Alert ID: 102807 http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102807-1 Sun Alert ID: 102794 http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102794-1 SGI Advanced Linux Environment 3 Security Update #74 SGI 20070501-01-P http://www.sgi.com/support/security/advisories.html CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2007-0238 CVE-2007-0239 CVE-2007-1466 ______________________________________________________________________________ REVISION HISTORY: 03/28/2007 - revised R-187 to add links to Sun Alert ID: 102807 and 102794 for StarOffice 6, 7, and 8 Office Suite. 07/31/2007 - revised R-187 to add a link to SGI Security Advisory for 20070501-01-P for SGI Advanced Linux Environment 3 Security Update #74 for ProPack 3 Service Pack 6. [***** Start Red Hat RHSA-2007:0033-4 *****] Important: openoffice.org security update Advisory: RHSA-2007:0033-4 Type: Security Advisory Severity: Important Issued on: 2007-03-22 Last updated on: 2007-03-22 Affected Products: Red Hat Desktop (v. 3) Red Hat Desktop (v. 4) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) Red Hat Enterprise Linux WS (v. 3) Red Hat Enterprise Linux WS (v. 4) OVAL: com.redhat.rhsa-20070033.xml CVEs (cve.mitre.org): CVE-2007-0238 CVE-2007-0239 CVE-2007-1466 Details Updated openoffice.org packages to correct security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. iDefense reported an integer overflow flaw in libwpd, a library used internally to OpenOffice.org for handling Word Perfect documents. An attacker could create a carefully crafted Word Perfect file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-1466) John Heasman discovered a stack overflow in the StarCalc parser in OpenOffice.org. An attacker could create a carefully crafted StarCalc file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-0238) Flaws were discovered in the way OpenOffice.org handled hyperlinks. An attacker could create an OpenOffice.org document which could run commands if a victim opened the file and clicked on a malicious hyperlink. (CVE-2007-0239) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Red Hat would like to thank Fridrich Štrba for alerting us to the issue CVE-2007-1466 and providing a patch, and John Heasman for CVE-2007-0238. Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. Updated packages Red Hat Desktop (v. 3) -------------------------------------------------------------------------------- SRPMS: openoffice.org-1.1.2-38.2.0.EL3.src.rpm b37da0f69777dbf95a0e1d26909b35ab IA-32: openoffice.org-1.1.2-38.2.0.EL3.i386.rpm af3e7f45faea7a291984f6eb0b4e17b3 openoffice.org-i18n-1.1.2-38.2.0.EL3.i386.rpm ce8d1c6142c11263e2f163dc4cea8a02 openoffice.org-libs-1.1.2-38.2.0.EL3.i386.rpm e1c1642358cba645277ee46abcfb0758 x86_64: openoffice.org-1.1.2-38.2.0.EL3.i386.rpm af3e7f45faea7a291984f6eb0b4e17b3 openoffice.org-i18n-1.1.2-38.2.0.EL3.i386.rpm ce8d1c6142c11263e2f163dc4cea8a02 openoffice.org-libs-1.1.2-38.2.0.EL3.i386.rpm e1c1642358cba645277ee46abcfb0758 Red Hat Desktop (v. 4) -------------------------------------------------------------------------------- SRPMS: openoffice.org-1.1.5-10.6.0.EL4.src.rpm cc2b005a7e4ca490d6eb434319d4cd86 IA-32: openoffice.org-1.1.5-10.6.0.EL4.i386.rpm 75c200a0f9c848c2e5efa276ebea11cc openoffice.org-i18n-1.1.5-10.6.0.EL4.i386.rpm 40233631d085973a3ae0f0ac345afafc openoffice.org-kde-1.1.5-10.6.0.EL4.i386.rpm a1a738a27f7165984b67982c3e5b33ab openoffice.org-libs-1.1.5-10.6.0.EL4.i386.rpm 22a6a84ce4d1a6f56f8ef66c49504645 x86_64: openoffice.org-1.1.5-10.6.0.EL4.i386.rpm 75c200a0f9c848c2e5efa276ebea11cc openoffice.org-i18n-1.1.5-10.6.0.EL4.i386.rpm 40233631d085973a3ae0f0ac345afafc openoffice.org-libs-1.1.5-10.6.0.EL4.i386.rpm 22a6a84ce4d1a6f56f8ef66c49504645 Red Hat Enterprise Linux AS (v. 3) -------------------------------------------------------------------------------- SRPMS: openoffice.org-1.1.2-38.2.0.EL3.src.rpm b37da0f69777dbf95a0e1d26909b35ab IA-32: openoffice.org-1.1.2-38.2.0.EL3.i386.rpm af3e7f45faea7a291984f6eb0b4e17b3 openoffice.org-i18n-1.1.2-38.2.0.EL3.i386.rpm ce8d1c6142c11263e2f163dc4cea8a02 openoffice.org-libs-1.1.2-38.2.0.EL3.i386.rpm e1c1642358cba645277ee46abcfb0758 x86_64: openoffice.org-1.1.2-38.2.0.EL3.i386.rpm af3e7f45faea7a291984f6eb0b4e17b3 openoffice.org-i18n-1.1.2-38.2.0.EL3.i386.rpm ce8d1c6142c11263e2f163dc4cea8a02 openoffice.org-libs-1.1.2-38.2.0.EL3.i386.rpm e1c1642358cba645277ee46abcfb0758 Red Hat Enterprise Linux AS (v. 4) -------------------------------------------------------------------------------- SRPMS: openoffice.org-1.1.5-10.6.0.EL4.src.rpm cc2b005a7e4ca490d6eb434319d4cd86 IA-32: openoffice.org-1.1.5-10.6.0.EL4.i386.rpm 75c200a0f9c848c2e5efa276ebea11cc openoffice.org-i18n-1.1.5-10.6.0.EL4.i386.rpm 40233631d085973a3ae0f0ac345afafc openoffice.org-kde-1.1.5-10.6.0.EL4.i386.rpm a1a738a27f7165984b67982c3e5b33ab openoffice.org-libs-1.1.5-10.6.0.EL4.i386.rpm 22a6a84ce4d1a6f56f8ef66c49504645 PPC: openoffice.org-1.1.5-10.6.0.EL4.ppc.rpm 1163cea51190a13eccc156bda3a9d106 openoffice.org-i18n-1.1.5-10.6.0.EL4.ppc.rpm f8ddc1fbae72f45d561e4bd2ac6b252c openoffice.org-kde-1.1.5-10.6.0.EL4.ppc.rpm bd10ada8487196145f37d3757ceb8710 openoffice.org-libs-1.1.5-10.6.0.EL4.ppc.rpm e7c03a7fc454c403c044721b2c609a9e x86_64: openoffice.org-1.1.5-10.6.0.EL4.i386.rpm 75c200a0f9c848c2e5efa276ebea11cc openoffice.org-i18n-1.1.5-10.6.0.EL4.i386.rpm 40233631d085973a3ae0f0ac345afafc openoffice.org-libs-1.1.5-10.6.0.EL4.i386.rpm 22a6a84ce4d1a6f56f8ef66c49504645 Red Hat Enterprise Linux ES (v. 3) -------------------------------------------------------------------------------- SRPMS: openoffice.org-1.1.2-38.2.0.EL3.src.rpm b37da0f69777dbf95a0e1d26909b35ab IA-32: openoffice.org-1.1.2-38.2.0.EL3.i386.rpm af3e7f45faea7a291984f6eb0b4e17b3 openoffice.org-i18n-1.1.2-38.2.0.EL3.i386.rpm ce8d1c6142c11263e2f163dc4cea8a02 openoffice.org-libs-1.1.2-38.2.0.EL3.i386.rpm e1c1642358cba645277ee46abcfb0758 x86_64: openoffice.org-1.1.2-38.2.0.EL3.i386.rpm af3e7f45faea7a291984f6eb0b4e17b3 openoffice.org-i18n-1.1.2-38.2.0.EL3.i386.rpm ce8d1c6142c11263e2f163dc4cea8a02 openoffice.org-libs-1.1.2-38.2.0.EL3.i386.rpm e1c1642358cba645277ee46abcfb0758 Red Hat Enterprise Linux ES (v. 4) -------------------------------------------------------------------------------- SRPMS: openoffice.org-1.1.5-10.6.0.EL4.src.rpm cc2b005a7e4ca490d6eb434319d4cd86 IA-32: openoffice.org-1.1.5-10.6.0.EL4.i386.rpm 75c200a0f9c848c2e5efa276ebea11cc openoffice.org-i18n-1.1.5-10.6.0.EL4.i386.rpm 40233631d085973a3ae0f0ac345afafc openoffice.org-kde-1.1.5-10.6.0.EL4.i386.rpm a1a738a27f7165984b67982c3e5b33ab openoffice.org-libs-1.1.5-10.6.0.EL4.i386.rpm 22a6a84ce4d1a6f56f8ef66c49504645 x86_64: openoffice.org-1.1.5-10.6.0.EL4.i386.rpm 75c200a0f9c848c2e5efa276ebea11cc openoffice.org-i18n-1.1.5-10.6.0.EL4.i386.rpm 40233631d085973a3ae0f0ac345afafc openoffice.org-libs-1.1.5-10.6.0.EL4.i386.rpm 22a6a84ce4d1a6f56f8ef66c49504645 Red Hat Enterprise Linux WS (v. 3) -------------------------------------------------------------------------------- SRPMS: openoffice.org-1.1.2-38.2.0.EL3.src.rpm b37da0f69777dbf95a0e1d26909b35ab IA-32: openoffice.org-1.1.2-38.2.0.EL3.i386.rpm af3e7f45faea7a291984f6eb0b4e17b3 openoffice.org-i18n-1.1.2-38.2.0.EL3.i386.rpm ce8d1c6142c11263e2f163dc4cea8a02 openoffice.org-libs-1.1.2-38.2.0.EL3.i386.rpm e1c1642358cba645277ee46abcfb0758 x86_64: openoffice.org-1.1.2-38.2.0.EL3.i386.rpm af3e7f45faea7a291984f6eb0b4e17b3 openoffice.org-i18n-1.1.2-38.2.0.EL3.i386.rpm ce8d1c6142c11263e2f163dc4cea8a02 openoffice.org-libs-1.1.2-38.2.0.EL3.i386.rpm e1c1642358cba645277ee46abcfb0758 Red Hat Enterprise Linux WS (v. 4) -------------------------------------------------------------------------------- SRPMS: openoffice.org-1.1.5-10.6.0.EL4.src.rpm cc2b005a7e4ca490d6eb434319d4cd86 IA-32: openoffice.org-1.1.5-10.6.0.EL4.i386.rpm 75c200a0f9c848c2e5efa276ebea11cc openoffice.org-i18n-1.1.5-10.6.0.EL4.i386.rpm 40233631d085973a3ae0f0ac345afafc openoffice.org-kde-1.1.5-10.6.0.EL4.i386.rpm a1a738a27f7165984b67982c3e5b33ab openoffice.org-libs-1.1.5-10.6.0.EL4.i386.rpm 22a6a84ce4d1a6f56f8ef66c49504645 x86_64: openoffice.org-1.1.5-10.6.0.EL4.i386.rpm 75c200a0f9c848c2e5efa276ebea11cc openoffice.org-i18n-1.1.5-10.6.0.EL4.i386.rpm 40233631d085973a3ae0f0ac345afafc openoffice.org-libs-1.1.5-10.6.0.EL4.i386.rpm 22a6a84ce4d1a6f56f8ef66c49504645 (The unlinked packages above are only available from the Red Hat Network) Bugs fixed (see bugzilla for more information) 223801 - CVE-2007-1466 integer overflow 226966 - CVE-2007-0238 StarCalc overflow 228008 - CVE-2007-0239 hyperlink escaping issue References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0238 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0239 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1466 http://www.redhat.com/security/updates/classification/#important -------------------------------------------------------------------------------- These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/ [***** End Red Hat RHSA-2007:0033-4 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) R-177: Linux Kernel Vulnerable to DoS via ipv6_getsockopt_sticky() Function R-178: Bind Security Update R-179: Sun Java System Web Server Vulnerability R-180: Kernel Security and Bug Fix Update R-181: OpenBSD's IPV6 MBUFS Vulnerability R-182: OPC Server Vulnerability R-183: OpenAFS Vulnerability R-184: libwpd Security Update R-185: CA BrightStor ARCserve Backup Tape Engine and Portmapper Vulnerabilitites R-186: Lookup-el