Mandriva Linux Security Advisory : openoffice.org (MDVSA-2011:027)

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Multiple vulnerabilities were discovered and corrected in
OpenOffice.org :

Multiple directory traversal vulnerabilities allow remote attackers to
overwrite arbitrary files via a .. (dot dot) in an entry in an XSLT
JAR filter description file, an Extension (aka OXT) file, or
unspecified other JAR or ZIP files (CVE-2010-3450).

Use-after-free vulnerability in oowriter allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via malformed tables in an RTF document
(CVE-2010-3451).

Use-after-free vulnerability in oowriter allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via crafted tags in an RTF document (CVE-2010-3452).

The WW8ListManager::WW8ListManager function in oowriter does not
properly handle an unspecified number of list levels in user-defined
list styles in WW8 data in a Microsoft Word document, which allows
remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted .DOC file that triggers
an out-of-bounds write (CVE-2010-3453).

Multiple off-by-one errors in the WW8DopTypography::ReadFromMem
function in oowriter allow remote attackers to cause a denial of
service (application crash) or possibly execute arbitrary code via
crafted typography information in a Microsoft Word .DOC file that
triggers an out-of-bounds write (CVE-2010-3454).

soffice places a zero-length directory name in the LD_LIBRARY_PATH,
which allows local users to gain privileges via a Trojan horse shared
library in the current working directory (CVE-2010-3689).

Heap-based buffer overflow in Impress allows remote attackers to cause
a denial of service (application crash) or possibly execute arbitrary
code via a crafted PNG file in an ODF or Microsoft Office document, as
demonstrated by a PowerPoint (aka PPT) document (CVE-2010-4253).

Heap-based buffer overflow in Impress allows remote attackers to cause
a denial of service (application crash) or possibly execute arbitrary
code via a crafted TGA file in an ODF or Microsoft Office document
(CVE-2010-4643).

OpenOffice.org packages have been updated in order to fix these
issues. Additionally, openoffice.org-voikko packages that require
OpenOffice.org are also being provided, and the voikko package is
upgraded from version 2.0 to 2.2.1 in MES5.1.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Mandriva Local Security Checks

Nessus Plugin ID: 51982

Bugtraq ID: 46031

CVE ID: CVE-2010-3450
CVE-2010-3451
CVE-2010-3452
CVE-2010-3453
CVE-2010-3454
CVE-2010-3689
CVE-2010-4253
CVE-2010-4643
