[NEWS] Multiple Vendor OpenOffice TIFF File Parsing Multiple Integer Overflow Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Multiple Vendor OpenOffice TIFF File Parsing Multiple Integer Overflow
Vulnerabilities
------------------------------------------------------------------------


SUMMARY

OpenOffice <http://www.openoffice.org/> is "an open-source desktop office
suite for many of today's popular operating systems. Tagged Image File
Format (TIFF) is a widely supported image file format". Remote
exploitation of multiple integer overflow vulnerabilities within
OpenOffice, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
* OpenOffice version 2.0.4

Immune Systems:
* OpenOffice version 2.3

These vulnerabilities exist within the TIFF parsing code of the OpenOffice
suite. When parsing the TIFF directory entries for certain tags, the
parser uses untrusted values from the file to calculate the amount of
memory to allocate. By providing specially crafted values, an integer
overflow occurs in this calculation. This results in the allocation of a
buffer of insufficient size, which in turn leads to a heap overflow.
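
The size calculation described above, as an added example (not OpenOffice's code and not part of the iDefense advisory): a TIFF directory entry's data size is its count times the width of its field type, shown unchecked and then with the overflow check a parser needs. The type widths follow TIFF 6.0; the function names and the file-length bound are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte width per TIFF 6.0 field type code (1=BYTE ... 12=DOUBLE; 0 is invalid). */
static const uint32_t TYPE_WIDTH[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Unchecked pattern: the product of two file-supplied values is computed in
 * 32 bits and wraps modulo 2^32, so a huge count can yield a tiny size. */
uint32_t entry_bytes_unchecked(uint16_t type, uint32_t count)
{
    uint32_t width = (type < 13) ? TYPE_WIDTH[type] : 0;
    return count * width;
}

/* Checked pattern: returns the byte size of the entry's data, or -1 if the
 * type is unknown, the product would not fit in 32 bits, or the entry claims
 * more data than the file contains (file_len is the size of the input). */
int64_t entry_bytes_checked(uint16_t type, uint32_t count, uint32_t file_len)
{
    if (type == 0 || type > 12)
        return -1;
    uint32_t width = TYPE_WIDTH[type];
    if (count > UINT32_MAX / width)      /* count * width would wrap */
        return -1;
    uint32_t bytes = count * width;
    if (bytes > file_len)                /* not backed by real file data */
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    /* Constructed directory entry values: type 4 (LONG), count 0x40000001. */
    uint16_t type = 4;
    uint32_t count = 0x40000001u, file_len = 4096;
    printf("unchecked size: %u bytes for %u elements\n",
           (unsigned)entry_bytes_unchecked(type, count), (unsigned)count);
    printf("checked result: %lld\n",
           (long long)entry_bytes_checked(type, count, file_len));
    return 0;
}
```

A buffer allocated from the unchecked result is far smaller than the element count the parser then copies, which is the under-allocation the advisory describes.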

Analysis:
Exploitation of these vulnerabilities allows an attacker to execute
arbitrary code with the privileges of the user opening the file.

Exploitation requires that an attacker persuade a targeted user to open
a maliciously crafted document. This could be accomplished by hosting the
document on a web site, sending the document via electronic mail, or
other means.

Vendor response:
The OpenOffice.org team has addressed these vulnerabilities with the
release of version 2.3. For more information, consult the OOo Security
Bulletin at the following URL.
http://www.openoffice.org/security/cves/CVE-2007-2834.html

CVE Information:
CVE-2007-2834
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2834

Disclosure Timeline:
05/01/2007 - Initial vendor notification
06/14/2007 - Initial vendor response
09/17/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs
<labs-no-reply@xxxxxxxxxxxx>.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=593


