
OpenOffice.org: Heap overflow in included libcurl

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200603-25 / openoffice openoffice-bin
Release Date:       March 27, 2006
Latest Revision:    March 27, 2006: 01
Impact:             normal
Exploitable:        remote

Package                    Vulnerable versions   Unaffected versions   Architecture(s)
app-office/openoffice-bin  < 2.0.2               >= 2.0.2              All supported architectures
app-office/openoffice      < 2.0.1-r1            >= 2.0.1-r1           All supported architectures

Related bugreports: #126433

Synopsis

OpenOffice.org contains a vulnerable version of libcurl that may cause a heap overflow when parsing URLs.

2.  Impact Information

Background

OpenOffice.org is an office productivity suite, including word processing, spreadsheet, presentation, data charting, formula editing and file conversion facilities. libcurl, which is included in OpenOffice.org, is a free and easy-to-use client-side library for transferring files with URL syntaxes, supporting numerous protocols.

Description

OpenOffice.org ships its own copy of the libcurl code rather than linking against the system net-misc/curl package, so the fix issued in GLSA 200512-09 for net-misc/curl does not cover it. The bundled copy is vulnerable to a heap overflow when it parses a URL that exceeds a 256-byte limit (GLSA 200512-09).
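The bug class behind this advisory, shown as an added illustration: this is not libcurl's or OpenOffice.org's code, and the 256-byte heap buffer, the host-part field layout and the helper names (parse_host_unsafe, parse_host_safe, host_part_length, make_long_url) are assumptions made for the example. The unsafe parser copies the host part of a URL into a fixed-size heap allocation with an unbounded sscanf() scanset, so a host part of 256 bytes or more writes past the end of the block; the hardened parser measures the field first and refuses anything that would not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTBUF 256  /* assumed fixed limit for the illustration */

/* Length of the host part: the bytes after "://" up to the next '/' or end of string.
   Returns 0 when the URL carries no scheme separator. */
size_t host_part_length(const char *url) {
    const char *p = strstr(url, "://");
    if (!p) return 0;
    p += 3;
    const char *end = strchr(p, '/');
    return end ? (size_t)(end - p) : strlen(p);
}

/* Vulnerable pattern: scanf-style extraction into a heap buffer of HOSTBUF bytes
   with no width limit on the scanset. A host part of HOSTBUF bytes or more
   overruns the allocation (heap overflow). Never call this on untrusted input. */
char *parse_host_unsafe(const char *url) {
    char *host = malloc(HOSTBUF);
    if (!host) return NULL;
    const char *p = strstr(url, "://");
    if (!p) { free(host); return NULL; }
    if (sscanf(p + 3, "%[^/]", host) != 1) { free(host); return NULL; }  /* unbounded write */
    return host;
}

/* Hardened form: measure the field first and reject anything that would not fit,
   then copy exactly that many bytes and terminate. */
char *parse_host_safe(const char *url) {
    size_t n = host_part_length(url);
    if (n == 0 || n >= HOSTBUF) return NULL;  /* empty host, or would overflow */
    char *host = malloc(HOSTBUF);
    if (!host) return NULL;
    memcpy(host, strstr(url, "://") + 3, n);
    host[n] = '\0';
    return host;
}

/* Constructed test input: "http://" + hostlen 'a' bytes + "/index.html". */
char *make_long_url(size_t hostlen) {
    const char *prefix = "http://";
    const char *suffix = "/index.html";
    char *url = malloc(strlen(prefix) + hostlen + strlen(suffix) + 1);
    if (!url) return NULL;
    strcpy(url, prefix);
    memset(url + strlen(prefix), 'a', hostlen);
    strcpy(url + strlen(prefix) + hostlen, suffix);
    return url;
}

int main(void) {
    const char *ok = "http://example.com/index.html";
    char *h1 = parse_host_unsafe(ok);
    char *h2 = parse_host_safe(ok);
    printf("unsafe: %s\nsafe:   %s\n", h1, h2);
    free(h1);
    free(h2);

    char *longurl = make_long_url(300);  /* 300-byte host part, constructed */
    printf("host part length: %zu\n", host_part_length(longurl));
    /* parse_host_unsafe(longurl) would write 300 bytes into a 256-byte heap block;
       that is the overflow, so only the hardened parser is exercised here. */
    char *h3 = parse_host_safe(longurl);
    printf("safe parser on long host: %s\n", h3 ? h3 : "rejected");
    free(h3);
    free(longurl);
    return 0;
}
```

The point to take from the two parsers is that the length check has to happen against the size of the destination before any copy, not against the length of the whole URL; a format string without a field width gives sscanf() no way to know the buffer size.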

Impact

An attacker could entice a user to open a specially crafted URL with OpenOffice.org, potentially resulting in the execution of arbitrary code with the rights of the user running the application.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All OpenOffice.org binary users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.0.2"

All OpenOffice.org users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-2.0.1-r1"

4.  References



Page updated March 27, 2006


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.