USN-903-1: OpenOffice.org vulnerabilities

24 February 2010

Details

It was discovered that the XML HMAC signature system did not
correctly check certain lengths. An attacker who sent a truncated
HMAC could bypass authentication, leading to potential privilege
escalation. (CVE-2009-0217)
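The length check at issue, as an added example that is not OpenOffice.org or Ubuntu code: a verifier that trusts a sender-declared HMAC truncation length, next to one that enforces a minimum. The function names, key, message and the policy floor (at least 80 bits and at least half the digest size, following the W3C XML Signature guidance) are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample values for illustration only.
KEY = b"constructed-shared-secret"
MSG = b"<SignedInfo>constructed sample</SignedInfo>"
MIN_HMAC_BITS = 80  # assumed policy floor (see lead-in)


def verify_naive(key, message, received_mac, output_bits):
    """Unfixed pattern: compares only as many bytes as the sender declared."""
    expected = hmac.new(key, message, hashlib.sha1).digest()
    n = output_bits // 8
    return hmac.compare_digest(expected[:n], received_mac[:n])


def verify_strict(key, message, received_mac, output_bits):
    """Hardened pattern: reject declared lengths below the policy floor."""
    expected = hmac.new(key, message, hashlib.sha1).digest()
    full_bits = len(expected) * 8
    floor = max(MIN_HMAC_BITS, full_bits // 2)
    if output_bits % 8 != 0 or not floor <= output_bits <= full_bits:
        return False  # truncation too short, too long, or not byte-aligned
    n = output_bits // 8
    if len(received_mac) != n:
        return False  # MAC value must match the declared length exactly
    return hmac.compare_digest(expected[:n], received_mac)


def demo():
    """Return (naive, strict) results for three constructed inputs."""
    good = hmac.new(KEY, MSG, hashlib.sha1).digest()
    cases = {
        "full_160_bit_mac": (good, 160),
        "truncated_96_bit_mac": (good[:12], 96),
        "declared_length_zero": (b"", 0),  # sender holds no key at all
    }
    return {
        name: (verify_naive(KEY, MSG, mac, bits),
               verify_strict(KEY, MSG, mac, bits))
        for name, (mac, bits) in cases.items()
    }


if __name__ == "__main__":
    for name, (naive, strict) in demo().items():
        print(f"{name}: naive={naive} strict={strict}")
```
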

Sebastian Apelt and Frank Reißner discovered that OpenOffice did not
correctly import XPM and GIF images. If a user were tricked into opening
a specially crafted image, an attacker could execute arbitrary code with
user privileges. (CVE-2009-2949, CVE-2009-2950)

Nicolas Joly discovered that OpenOffice did not correctly handle
certain Word documents. If a user were tricked into opening a specially
crafted document, an attacker could execute arbitrary code with user
privileges. (CVE-2009-3301, CVE-2009-3302)

It was discovered that OpenOffice did not correctly handle certain
VBA macros. If a user were tricked into opening a specially
crafted document, an attacker could execute arbitrary macro commands,
bypassing security controls. (CVE-2010-0136)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
Ubuntu 9.04
Ubuntu 8.10
Ubuntu 8.04

After a standard system upgrade you need to restart OpenOffice to effect
the necessary changes.

Related notices

  • USN-814-1: icedtea6-plugin, openjdk-6-jre-lib, openjdk-6, openjdk-6-jre
  • USN-826-1: mono, libmono-security1.0-cil, libmono-security2.0-cil, libmono-system-web2.0-cil, libmono-system-web1.0-cil