OpenOffice.org: Heap overflow in included libcurl


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200603-25 / openoffice openoffice-bin
Release Date: March 27, 2006
Latest Revision: March 27, 2006: 01
Impact: normal
Exploitable: remote

Package                    Vulnerable versions  Unaffected versions  Architecture(s)
app-office/openoffice-bin  < 2.0.2              >= 2.0.2             All supported architectures
app-office/openoffice      < 2.0.1-r1           >= 2.0.1-r1          All supported architectures

Related bugreports: #126433

Synopsis: OpenOffice.org contains a vulnerable version of libcurl that may cause a heap overflow when parsing URLs.

2.  Impact Information

Background: OpenOffice.org is an office productivity suite, including word processing, spreadsheet, presentation, data charting, formula editing and file conversion facilities. libcurl, which is included in OpenOffice.org, is a free and easy-to-use client-side library for transferring files with URL syntaxes, supporting numerous protocols.

Description: OpenOffice.org includes libcurl code. This libcurl code is vulnerable to a heap overflow when it tries to parse a URL that exceeds a 256-byte limit (GLSA 200512-09).


An attacker could entice a user to call a specially crafted URL with OpenOffice.org, potentially resulting in the execution of arbitrary code with the rights of the user running the application.

3.  Resolution Information


There is no known workaround at this time.


All OpenOffice.org binary users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.0.2"

All OpenOffice.org users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/openoffice-2.0.1-r1"
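
To triage an inventory before upgrading, the version thresholds from the table above can be checked mechanically. The script below is an added example, not part of the advisory or of Portage: cmp_ver and glsa_status are hypothetical helper names, the version ordering is a simplified one (dotted numbers plus an optional -rN revision), and the inventory lines are constructed.

```sh
#!/bin/sh
# Added example: classify package versions against the GLSA 200603-25 thresholds.
# Simplified version ordering (assumption): dotted numeric components plus an
# optional -rN revision; a missing component counts as 0; suffixes such as
# _rc or _p are not handled.

# cmp_ver A B: prints lt, eq or gt.
cmp_ver() {
    a_base=${1%-r[0-9]*}; b_base=${2%-r[0-9]*}
    a_rev=0; b_rev=0
    if [ "$a_base" != "$1" ]; then a_rev=${1##*-r}; fi
    if [ "$b_base" != "$2" ]; then b_rev=${2##*-r}; fi
    while [ -n "$a_base" ] || [ -n "$b_base" ]; do
        a_n=${a_base%%.*}; b_n=${b_base%%.*}
        # Drop the component just read from each side.
        case $a_base in *.*) a_base=${a_base#*.} ;; *) a_base= ;; esac
        case $b_base in *.*) b_base=${b_base#*.} ;; *) b_base= ;; esac
        if [ "${a_n:-0}" -lt "${b_n:-0}" ]; then echo lt; return 0; fi
        if [ "${a_n:-0}" -gt "${b_n:-0}" ]; then echo gt; return 0; fi
    done
    if [ "$a_rev" -lt "$b_rev" ]; then echo lt
    elif [ "$a_rev" -gt "$b_rev" ]; then echo gt
    else echo eq; fi
}

# glsa_status PACKAGE VERSION: prints vulnerable, unaffected or not-listed.
glsa_status() {
    case $1 in
        app-office/openoffice-bin) fixed=2.0.2 ;;     # first unaffected version
        app-office/openoffice)     fixed=2.0.1-r1 ;;
        *) echo not-listed; return 0 ;;
    esac
    if [ "$(cmp_ver "$2" "$fixed")" = lt ]; then echo vulnerable
    else echo unaffected; fi
}

# Constructed inventory (package, installed version); not real host data.
while read -r pkg ver; do
    printf '%-28s %-10s %s\n' "$pkg" "$ver" "$(glsa_status "$pkg" "$ver")"
done <<'EOF'
app-office/openoffice-bin 2.0.1
app-office/openoffice-bin 2.0.2
app-office/openoffice 2.0.1
app-office/openoffice 2.0.1-r1
EOF
```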

4.  References


Page updated March 27, 2006
