[NEWS] Multiple Vendor OpenOffice TIFF File Parsing Multiple Integer Overflow Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 20 Sep 2007 09:42:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vendor OpenOffice TIFF File Parsing Multiple Integer Overflow
<http://www.openoffice.org/> OpenOffice is "an open-source desktop office
suite for many of today's popular operating systems. Tagged Image File
Format (TIFF) is a widely supported image file format". Remote
exploitation of multiple integer overflow vulnerabilities within
OpenOffice, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code.
* OpenOffice version 2.0.4
* OpenOffice version 2.3
These vulnerabilities exist within the TIFF parsing code of the OpenOffice
suite. When parsing the TIFF directory entries for certain tags, the
parser uses untrusted values from the file to calculate the amount of
memory to allocate. Specially crafted values cause an integer
overflow in this calculation. This results in the allocation of a
buffer of insufficient size, which in turn leads to a heap overflow.
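The size calculation described above, as an added example that is not OpenOffice code and not part of the original advisory. It assumes the size is computed as count times element size from a TIFF 6.0 directory entry; the function names and the sample entry are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes per element for TIFF 6.0 field types 1..12 (index 0 unused). */
static const uint32_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Unchecked pattern: the 32-bit product silently wraps modulo 2^32. */
uint32_t unchecked_size(uint16_t type, uint32_t count)
{
    return count * tiff_type_size[type];   /* assumes type already validated */
}

/*
 * Checked pattern: reject unknown types, products that do not fit in
 * 32 bits, and sizes larger than the data actually left in the file.
 * Returns 0 and stores the size in *out on success, -1 on rejection.
 */
int checked_size(uint16_t type, uint32_t count, uint64_t bytes_left, uint32_t *out)
{
    if (type == 0 || type > 12)
        return -1;
    uint64_t need = (uint64_t)count * tiff_type_size[type];  /* 64-bit product */
    if (need > UINT32_MAX || need > bytes_left)
        return -1;
    *out = (uint32_t)need;
    return 0;
}

int main(void)
{
    /* Constructed directory entry: type 4 (LONG), count 0x40000001. */
    uint32_t sz = 0;
    printf("unchecked: %u bytes\n", unchecked_size(4, 0x40000001u));
    printf("checked:   %s\n",
           checked_size(4, 0x40000001u, 4096, &sz) ? "rejected" : "accepted");
    return 0;
}
```

Comparing the requested size against the bytes remaining in the file also rejects entries that fit in 32 bits but claim more data than the file can hold.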
Exploitation of these vulnerabilities allows an attacker to execute
arbitrary code with the privileges of the user opening the file.
Exploitation requires that an attacker persuade a targeted user to
open a maliciously crafted document. This could be accomplished by
hosting the document on a web site, sending the document via electronic
mail, or other means.
The OpenOffice.org team has addressed these vulnerabilities with the
release of version 2.3. For more information, consult the OOo Security
Bulletin at the following URL.
05/01/2007 - Initial vendor notification
06/14/2007 - Initial vendor response
09/17/2007 - Coordinated public disclosure
The information has been provided by <mailto:labs-no-reply@xxxxxxxxxxxx>
The original article can be found at: