lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 26 Jul 2013 07:56:20 +0200
From: Herbert Duerr <hdu@...che.org>
To: announce@...noffice.apache.org, dev@...noffice.apache.org, 
 users@...noffice.apache.org, full-disclosure@...ts.grok.org.uk, 
 bugtraq@...urityfocus.com
Cc: msvr@...rosoft.com
Subject: CVE-2013-2189: OpenOffice DOC Memory Corruption
	Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-2189
OpenOffice DOC Memory Corruption Vulnerability

Severity: Important
Vendor: The Apache Software Foundation

Versions Affected:
     Apache OpenOffice 3.4.0 to 3.4.1 on all platforms.
     Predecessor versions of OpenOffice.org may be also affected.

Description:

     The vulnerability is caused by operating on invalid PLCF (Plex of
Character Positions in File) data when parsing a malformed DOC document
file. Specially crafted documents can be used for denial-of-service
attacks. Further exploits are possible but have not been verified.

Mitigation:

     Apache OpenOffice 3.4 users are advised to upgrade to Apache
OpenOffice 4.0. Users who are unable to upgrade immediately should be
cautious when opening untrusted documents.

Credits:

     The Apache OpenOffice Security Team credits Jeremy Brown of
Microsoft Vulnerability Research as the discoverer of this flaw.

Herbert Dürr
Member of the Apache OpenOffice Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJR8g9+AAoJEDfnuKc+PLjJbqIP/2PaWKJvwYVXOmr33gVD4Kpx
Q2zzCfK/je3rJmK6PAfJpGB2ooKim00/Q/+G+gYvvi+35NQLk2dgfynkdhRiQP59
9DaPeNC7NDAjDgIk+8hC/reKmwfqdyyMj0FU/NwIIjEsMPMzKl3Vc1svEN9vz5GN
lc3fLORH5GPUVZkwJfV+C+CyBCLk3Yurxd4GNTBpqFKmbR7ENQmKPAmH5gEMIZO7
iCSzGK4terEUjUtAmvHy4yFlZtHz33XgvMZZrbE92y7ppoury8ZN4mb42vAowTDQ
+JSGtBKCGPDQRaoDOJdwhafgFcnRu10sJbUtYMmSy9qcZNq6JFHe2aR7+j9h0pN+
c85HgwM/NyCjmw8y5EhD+3Cjwc6AlF9olekPSUui7x+6svDj3uVSM4/tpg/pPXLn
0SLB8r6BrxfP5naqMFwISdbSZaQiGuV3JvFhz7VB6k8tMuzIgI8Huw9IT28LP34F
Yxn2VCvzHpZOpWHB9lYORxn1GI+WlrSrKvbaZYUOnBm8fniLHuRSSrra+IWOZqjW
UbCko1gtr0A0b9HEeuVVeJAKyXEL52hUUJ2RmZfGJdWGLC/k/8i+s4Ppvqzmf3r2
ujAfn89Vhk12cAb5NXidV4Nh8Ko82Ow32GBBHlavPHX5T5LVnGNa6CWGoctuQGru
T6rrd/hV6DXtMmgWPTPH
=t46D
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ