Date: Wed, 26 Nov 2008 00:01:53 +0300 (MSK) From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Cc: freebsd-vuxml@freebsd.org Subject: [vuxml] editors/openoffice.org-2: document CVE-2008-2237 and CVE-2008-2238 Message-ID: <20081125210153.2B4B2F181D@phoenix.codelabs.ru>
next in thread | raw e-mail | index | archive | help
>Submitter-Id: current-users >Originator: Eygene Ryabinkin >Organization: Code Labs >Confidential: no >Synopsis: [vuxml] editors/openoffice.org-2: document CVE-2008-2237 and CVE-2008-2238 >Severity: serious >Priority: high >Category: ports >Class: sw-bug >Release: FreeBSD 7.1-PRERELEASE i386 >Environment: System: FreeBSD 7.1-PRERELEASE i386 >Description: WMS/EMF processing flaws were found in the openoffice.org 2.x: http://www.securityfocus.com/bid/31962 >How-To-Repeat: Look at http://www.securityfocus.com/bid/31962 http://www.openoffice.org/security/cves/CVE-2008-2237.html http://www.openoffice.org/security/cves/CVE-2008-2238.html >Fix: Since 2.4.2 is in the tree, there is no point to upgrade any ports. I believe that openoffice-2-RC and openoffice-2-devel are vulnerable too, because vendor says about affected releases "All versions prior to OpenOffice.org 2.4.2". The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid=""> <topic>openoffice -- arbitrary code execution by processing crafted EMF/WMF files</topic> <affects> <package> <name>openoffice.org</name> <range><ge>2.4</ge><lt>2.4.2</lt></range> <range><ge>2.4.20040402</ge></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>Vendor notifies:</p> <blockquote cite="http://www.openoffice.org/security/cves/CVE-2008-2237.html">; <p>A security vulnerability with the way OpenOffice 2.x process WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now.</p> </blockquote> <blockquote cite="http://www.openoffice.org/security/cves/CVE-2008-2238.html">; <p>A security vulnerability with the way OpenOffice 2.x process EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now.</p> </blockquote> </body> </description> <references> <url>http://www.openoffice.org/security/cves/CVE-2008-2237.html</url>; <url>http://www.openoffice.org/security/cves/CVE-2008-2238.html</url>; <cvename>CVE-2008-2237</cvename> <cvename>CVE-2008-2238</cvename> <bid>31962</bid> </references> <dates> <discovery>2008-10-29</discovery> <entry>today</entry> </dates> </vuln> --- vuln.xml ends here --- I hope that the version specification catches all openoffice 2.x with x < 4.2 as well as -RC and -devel versions.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081125210153.2B4B2F181D>