lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53F5EDF8.6070200@apache.org>
Date: Thu, 21 Aug 2014 15:02:48 +0200
From: Herbert Duerr <hdu@...che.org>
To: announce@...noffice.apache.org, dev@...noffice.apache.org,
  users@...noffice.apache.org, full-disclosure@...ts.grok.org.uk,
  bugtraq@...urityfocus.com
Subject: CVE-2014-3575:OpenOffice Targeted Data Exposure Using Crafted OLE
 Objects

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-3575
OpenOffice Targeted Data Exposure Using Crafted OLE Objects

Severity: Important
Vendor: The Apache Software Foundation

Versions Affected:
	Apache OpenOffice 4.1.0 and older on Windows.
	OpenOffice.org versions are also affected.

Description:
        The exposure exploits the way OLE previews are generated to embed arbitrary file data into a specially crafted document when it is opened. Data exposure is possible if the updated document is distributed to other parties.

Mitigation:
	Apache OpenOffice users are advised to upgrade to Apache OpenOffice 4.1.1. Users who are unable to upgrade immediately should be cautious when they are asked to "Update Links" for untrusted documents.

Credits:
        The Apache OpenOffice security team credits Open-Xchange for reporting this flaw.

Herbert Dürr
Member of the Apache OpenOffice Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iQIcBAEBAgAGBQJT9e3wAAoJEDfnuKc+PLjJC8gP/2ZLgMRO9r2YyAbEWl6iA1gP
eVtq6I6O5W9a0ov1zGpbBaPVqZGMCGPDgsdTBUmm2FRAY0U0Yz0bflpGcSUdIpJ/
ULMp6TLfgb24PpiySOQHRvz/6QDsTTgkEyKClkM3THzvNXh6mSCExaDsDv8fseaJ
y1tvTRHrHLeG+lZKPwDnIvDYDSONYNksK/e7gcF5rjNZpmcl6F4gZmMcm1j1TP1a
HbsgOzMpC+A0X26VfuDapYBT6mjeITS6+ZReAcD3sPul95UK/BQ6qU29dvDY7uYg
7U9vzr2155uyv9qUx0UqE2XRKIHfUEhhxHZqFtTVlllkv34E1PNNYdhzUUYDuo4w
W4+GhrebUaArIeQNd1KLCgvnQ0O6ykegV/Rc+OIgG/8DOyC18SS3r11nLs0L0pDe
WmBfOii2OaS/d0RrOdHFsNpscSL1dRaGOXLDD5lxm2VPp6D3TgCM9UgNnBzF4u3S
4lKid1JlxswFbOOT0hNrX7V/kwx9Z2DfDzw8EmjLZGmiH1W3u99EZxmIlKZQRwrg
3enbMuSADsrWSjnxxmwlJD6iT0AaBEJ30doxqnfftIbNt4+r45fSPRPWYriQZ00j
7a+CrKLfBS9ctuXChldWGtgbh4Pkq3RxsVhAw7aiIQdII53v8086A/jzVU0zYNN8
AUxJRYsI1SGTlytbeP0o
=2Y3B
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ