openoffice-announce mailing list archives

From "Dennis E. Hamilton" <orc...@apache.org>
Subject Fixed in AOO 4.1.2: CVE-2015-5214 .DOC Bookmarks Vulnerability
Date Mon, 13 Jun 2016 22:58:46 GMT
Republished without change.  This advisory, originally posted 
on 2015-11-04, died in a moderation queue and did not reach 
the list.  The announce@openoffice.apache.org is the official 
mailing list for Apache OpenOffice security advisories, as 
specified at <http://www.openoffice.org/security/alerts.html>.
This republication ensures preservation in the announce-list
archive.  This is the final advisory to be reposted.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                  NOTICE: APACHE OPENOFFICE SECURITY ADVISORY

                  CVE-2015-5214: .DOC BOOKMARKS VULNERABILITY

                        FIXED IN APACHE OPENOFFICE 4.1.2

CVE-2015-5214
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5213>
Apache OpenOffice Advisory
<https://www.openoffice.org/security/cves/CVE-2015-5213.html>

Title: Memory Corruption Vulnerability (DOC Bookmarks)

Version 1.0
Announced 2015-11-04

    A crafted Microsoft Word DOC can contain invalid bookmark
    positions leading to memory corruption when the document is
    loaded or bookmarks are manipulated.  The defect allows an
    attacker to cause denial of service (memory corruption and
    application crash) and possible execution of arbitrary code.

Severity: Medium

    There are no known exploits of this vulnerability.
    A proof-of-concept demonstration exists.

Vendor: The Apache Software Foundation

Versions Affected

    All Apache OpenOffice versions 4.1.1 and older are affected.
    OpenOffice.org versions are also affected.

Mitigation

    Apache OpenOffice users are urged to download and install Apache
    OpenOffice version 4.1.2 or later.  The defect is over-ridden
    in 4.1.2.

Precautions

    Users who do not upgrade to Apache OpenOffice 4.1.2 should
    be careful of .DOC files from unknown or unreliable sources.
    A Microsoft Word 97-2003 DOC format file can be checked
    by opening it with software such as Microsoft Office Word or
    Word Online.  The document may be rejected as corrupted, or an
    extraordinary use of bookmarks may be observable.

Further Information

    For additional information and assistance, consult the Apache
    OpenOffice Community Forums, <https://forum.openoffice.org/>,
    or make requests to the <mailto:users@openoffice.apache.org>
    public mailing list.

    The latest information on Apache OpenOffice security bulletins
    can be found at <http://www.openoffice.org/security/bulletin.html>.

Credits

    The discoverer of this vulnerability wishes to remain anonymous.

PGP key Fingerprint 04D0 4322 979B 84DE 1077 0334 F96E 89FF D456 628A
        <https://people.apache.org/keys/committer/orcmid.asc>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----




