Debians sikkerhedsbulletin

DSA-1270-2 openoffice.org -- flere sårbarheder

Rapporteret den:

20. mar 2007

Berørte pakker:

openoffice.org

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2007-0002, CVE-2007-0238, CVE-2007-0239.

Yderligere oplysninger:

Flere sikkerhedsrelaterede problemer er opdaget i OpenOffice.org, den frie kontorpakke. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

CVE-2007-0002
iDefense rapporterede om flere heltalsoverløbsfejl i libwpd, et bibliotek til håndtering af WordPerfect-dokumenter, som er indeholdt i OpenOffice.org. Angribere kunne udnytte disse fejl ved hjælp af omhyggeligt fremstillede WordPerfect-filer, som kunne få et program linket med libwpd til at gå ned eller måske udføre vilkårlig kode.
CVE-2007-0238
Next Generation Security opdagede at StarCalc-fortolkeren i OpenOffice.org indeholdt et let udnytbart stakoverløb, der kunne anvendes ved hjælp af et særligt fremstillet dokument til at udføre vilkårlig kode.
CVE-2007-0239
Der er rapporteret om at OpenOffice.org ikke indkapsler shell-meta-tegn, og dermed er sårbar over for udførelse af vilkårlige shell-kommandoer ved hjælp af særligt fremstillede dokumenter, efter brugeren har klikket på et forberedt link.

Med dette opdaterede bulletin leveres der kun pakker til den kommende udgivelse af etch, alias Debian GNU/Linux 4.0.

I den stabile distribution (sarge) er disse problemer rettet i version 1.1.3-9sarge6.

I distributionen testing (etch) er disse problemer rettet i version 2.0.4.dfsg.2-5etch1.

I den ustabile distribution (sid) er disse problemer rettet i version 2.0.4.dfsg.2-6.

Vi anbefaler at du opgraderer dine OpenOffice.org-pakker.

Rettet i:

Debian GNU/Linux 3.1 (sarge)

Kildekode:: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge6.dsc; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge6.diff.gz; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-eu_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fi_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fr_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-gl_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-he_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-hi_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-hu_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-it_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ja_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-kn_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ko_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-lt_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nb_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nl_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nn_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ns_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pl_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pt-br_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pt_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ru_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sk_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sl_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sv_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-th_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-tn_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-tr_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zh-cn_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zh-tw_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zu_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-mimelnk_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-thesaurus-en-us_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge6_all.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/ttf-opensymbol_1.1.3-9sarge6_all.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge6_i386.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge6_i386.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge6_i386.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge6_i386.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge6_i386.deb
PowerPC:: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge6_powerpc.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge6_powerpc.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge6_powerpc.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge6_powerpc.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge6_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge6_s390.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge6_s390.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge6_s390.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge6_s390.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge6_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge6_sparc.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge6_sparc.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge6_sparc.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge6_sparc.deb; http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge6_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.