
Thursday, September 20, 2007

[NEWS] Multiple Vendor OpenOffice TIFF File Parsing Multiple Integer Overflow Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Multiple Vendor OpenOffice TIFF File Parsing Multiple Integer Overflow
Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.openoffice.org/> OpenOffice is "an open-source desktop office
suite for many of today's popular operating systems. Tagged Image File
Format (TIFF) is a widely supported image file format". Remote
exploitation of multiple integer overflow vulnerabilities within
OpenOffice, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
* OpenOffice version 2.0.4

Immune Systems:
* OpenOffice version 2.3

These vulnerabilities exist within the TIFF parsing code of the OpenOffice
suite. When parsing the TIFF directory entries for certain tags, the
parser uses untrusted values from the file to calculate the amount of
memory to allocate. By providing specially crafted values, an integer
overflow occurs in this calculation. This results in the allocation of a
buffer of insufficient size, which in turn leads to a heap overflow.
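The size calculation described above, as an added example (not code from OpenOffice or from the advisory): an unchecked 32-bit count-times-element-size product beside a checked form. The function names, the table limited to TIFF field types 1 to 5, and the file_remaining parameter are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes per element for TIFF field types 1..5:
 * BYTE, ASCII, SHORT, LONG, RATIONAL. Index 0 is unused. */
static const uint32_t tiff_type_size[] = {0, 1, 1, 2, 4, 8};
#define TIFF_TYPES (sizeof tiff_type_size / sizeof tiff_type_size[0])

/* Unchecked pattern: the product is computed in 32 bits, so a large
 * count taken from the file wraps to a small allocation size.
 * Caller is assumed to pass a type in 1..5. */
uint32_t entry_bytes_unchecked(uint16_t type, uint32_t count)
{
    return count * tiff_type_size[type];
}

/* Checked form: widen before multiplying, then bound the result by
 * the bytes actually left in the file (hypothetical parameter).
 * Returns 0 and stores the size on success, -1 to reject the entry. */
int entry_bytes_checked(uint16_t type, uint32_t count,
                        uint64_t file_remaining, size_t *out)
{
    if (type == 0 || type >= TIFF_TYPES)
        return -1;                       /* unknown field type */
    uint64_t need = (uint64_t)count * tiff_type_size[type];
    if (need == 0 || need > file_remaining || need > SIZE_MAX)
        return -1;                       /* empty, truncated or oversized */
    *out = (size_t)need;
    return 0;
}

int main(void)
{
    /* Constructed values: LONG (type 4) with count 0x40000001. */
    uint32_t count = 0x40000001u;
    size_t n = 0;
    printf("unchecked size: %u bytes for %u elements\n",
           (unsigned)entry_bytes_unchecked(4, count), (unsigned)count);
    printf("checked result: %d\n",
           entry_bytes_checked(4, count, 1024, &n));
    return 0;
}
```

A parser that allocates the unchecked size and then copies count elements writes past the end of the buffer; the checked form rejects the entry before any allocation happens.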

Analysis:
Exploitation of these vulnerabilities allows an attacker to execute
arbitrary code with the privileges of the user opening the file.

Exploitation requires that an attacker persuade a targeted user to open
a maliciously crafted document. This could be accomplished by
hosting the document on a web site, sending the document via electronic
mail, or other means.

Vendor response:
The OpenOffice.org team has addressed these vulnerabilities with the
release of version 2.3. For more information, consult the OOo Security
Bulletin at the following URL.
<http://www.openoffice.org/security/cves/CVE-2007-2834.html>


CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2834>
CVE-2007-2834

Disclosure Timeline:
05/01/2007 - Initial vendor notification
06/14/2007 - Initial vendor response
09/17/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:labs-no-reply@idefense.com>
iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=593>

