Integer overflow in the KPresenter import filter for Microsoft PowerPoint files (filters/olefilters/lib/klaola.cc) in KOffice before 1.6.1 allows user-assisted remote attackers to execute arbitrary code via a crafted PPT file, which results in a heap-based buffer overflow.

An integer overflow was discovered in KOffice's filtering code. By tricking a user into opening a specially crafted PPT file, attackers could crash KOffice or possibly execute arbitrary code with the user's privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes a security problem in the OLE import handling for PPT files, where attackers with crafted documents could crash kpresenter and potentially execute code. (CVE-2006-6120)

Updated KOffice packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

KOffice is a collection of productivity applications for the K Desktop Environment (KDE) GUI desktop.

An integer overflow bug was found in KOffice's PPT file processor. An attacker could create a malicious PPT file that could cause KOffice to execute arbitrary code if the file was opened by a victim.
(CVE-2006-6120)

All users of KOffice are advised to upgrade to these updated packages, which contains a backported patch to correct this issues.

A new koffice package is available for Slackware 10.2 to fix a security issue.

An integer overflow was discovered in KOffice's filtering code. By tricking a user into opening a specially crafted PPT file, attackers could crash KOffice or possibly execute arbitrary code with the user's privileges.

The updated packages have been patched to correct this issue.

The remote host is affected by the vulnerability described in GLSA-200612-05 (KOffice shared libraries: Heap corruption)

    Kees Cook of Ubuntu discovered that 'KLaola::readBigBlockDepot()' in     klaola.cc fills 'num_of_bbd_blocks' while reading a .ppt (PowerPoint)     file without proper sanitizing, resulting in an integer overflow     subsequently overwriting the heap with parts of the file being read.
  Impact :

    By enticing a user to open a specially crafted PowerPoint file, an     attacker could crash the application and possibly execute arbitrary     code with the rights of the user running KOffice.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
27971	Ubuntu 5.10 : koffice vulnerability (USN-388-1)	Nessus	Ubuntu Local Security Checks	medium
27304	openSUSE 10 Security Update : koffice (koffice-2323)	Nessus	SuSE Local Security Checks	medium
24676	RHEL 2.1 : koffice (RHSA-2007:0010)	Nessus	Red Hat Local Security Checks	medium
24664	Slackware 10.2 : koffice (SSA:2006-357-04)	Nessus	Slackware Local Security Checks	medium
24606	Mandrake Linux Security Advisory : koffice (MDKSA-2006:222)	Nessus	Mandriva Local Security Checks	medium
23857	GLSA-200612-05 : KOffice shared libraries: Heap corruption	Nessus	Gentoo Local Security Checks	medium

Detections

Analytics

CVE-2006-6120

high

Tenable Plugins

medium

medium

medium

medium

medium

medium