[Backports-security-announce] Security update for openoffice.org

2008-10-30T10:38:12
ID DEBIAN:F8B4C21A5950C43626F7E76DFFD2E722:9F782
Type debian
Reporter Debian
Modified 2008-10-30T10:38:12

Description

Rene Engelhard uploaded new packages for openoffice.org which fixed the following security problems:

Debian BTS #496361

Left-over debugging echos writing into an insecure temp file can allow attackers to overwrite files on the system with the privileges of the user executing senddoc (File -> Send).

CVE-2008-2237 A security vulnerability in the way OpenOffice 2.x processes WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite.

CVE-2008-2238 A security vulnerability in the way OpenOffice 2.x processes EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite.

For the etch-backports distribution the problems have been fixed in version 1:2.4.1-12~bpo40+1.

For the lenny and sid distributions the problems have been fixed in version 1:2.4.1-12.

Upgrade instructions


If you don't use pinning (see [1]), you have to update the packages manually via "apt-get -t etch-backports install <packagelist>", with the packagelist of your installed packages affected by this update.

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository to 200 so that new versions of installed backports will be installed automatically:

Package: *
Pin: release a=etch-backports
Pin-Priority: 200