Gentoo Foundation: GLSA-200712-25
Dec 30, 2007 - 12:00 a.m.

OpenOffice.org: User-assisted arbitrary code execution

2007-12-30 00:00:00
Gentoo Foundation
security.gentoo.org

CVSS2: 9.3 High

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.026 Low
Percentile: 90.1%

Background

OpenOffice.org is an open source office productivity suite, including word processing, spreadsheet, presentation, drawing, data charting, formula editing, and file conversion facilities.

Description

The HSQLDB engine, as used in OpenOffice.org, does not properly enforce restrictions on SQL statements.

Impact

A remote attacker could entice a user to open a specially crafted document, possibly resulting in the remote execution of arbitrary Java code with the privileges of the user running OpenOffice.org.

Workaround

There is no known workaround at this time.

Resolution

All OpenOffice.org users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.3.1"

All OpenOffice.org binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.3.1"

All HSQLDB users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/hsqldb-1.8.0.9"
