openoffice.org security update

2008-06-14T08:53:15
ID CESA-2008:0538
Type centos
Reporter CentOS Project
Modified 2008-06-27T10:25:27

Description

CentOS Errata and Security Advisory CESA-2008:0538

OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program.

Sean Larsson found a heap overflow flaw in the OpenOffice memory allocator. If a carefully crafted file was opened by a victim, an attacker could use the flaw to crash OpenOffice.org or, possibly, execute arbitrary code. (CVE-2008-2152)

It was discovered that certain libraries in the Red Hat Enterprise Linux 3 and 4 openoffice.org packages had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run OpenOffice in an attacker-controlled directory could run arbitrary code with the privileges of the victim. (CVE-2008-2366)
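
A defender's check for the RPATH issue described above, as an added example that is not part of the advisory or of any CentOS or Red Hat tooling: it scans the dynamic-section text printed by `readelf -d` and reports search-path components that resolve against the current working directory. The function names, the constructed sample output, and the choice to treat `$ORIGIN` entries as acceptable are assumptions of this example.

```python
import re

# Matches the RPATH / RUNPATH lines printed by `readelf -d <file>`.
_DYN_PATH = re.compile(
    r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]"
)


def insecure_entries(search_path):
    """Return the components of an RPATH/RUNPATH string that are resolved
    against the process's current working directory."""
    if not search_path:
        return []  # empty tag: no components to judge
    bad = []
    for entry in search_path.split(":"):
        if entry.startswith("/"):
            continue  # absolute path: fixed location on disk
        if entry.startswith(("$ORIGIN", "${ORIGIN}")):
            continue  # relative to the object's own directory, not the cwd
        # Everything else ("..", ".", "lib", or an empty component left by
        # a stray ':') is looked up relative to wherever the user runs it.
        bad.append(entry if entry else "<empty>")
    return bad


def audit_readelf_output(text):
    """Return (tag, entry) pairs for every cwd-relative search-path entry
    found in the output of `readelf -d`."""
    findings = []
    for tag, value in _DYN_PATH.findall(text):
        findings.extend((tag, entry) for entry in insecure_entries(value))
    return findings


# Constructed sample output (not taken from the affected packages).
SAMPLE_BAD = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib/example:../lib:.]
"""
SAMPLE_OK = """\
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/opt/example/lib]
"""

if __name__ == "__main__":
    for tag, entry in audit_readelf_output(SAMPLE_BAD):
        print(f"insecure {tag} entry: {entry}")
```

To audit installed files, feed the function the output of `readelf -d` for each shared object and executable in the package.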

All users of openoffice.org are advised to upgrade to these updated packages, which contain backported fixes to correct these issues.

Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-announce/2008-June/027016.html
http://lists.centos.org/pipermail/centos-announce/2008-June/027017.html
http://lists.centos.org/pipermail/centos-announce/2008-June/027084.html
http://lists.centos.org/pipermail/centos-announce/2008-June/027085.html

Affected packages: openoffice.org openoffice.org-i18n openoffice.org-kde openoffice.org-libs

Upstream details at: https://rhn.redhat.com/errata/RHSA-2008-0538.html