lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 5 Sep 2022 00:58:32 -0000 (UTC)
From: Tavis Ormandy <taviso@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] 123ADV-001: Stack Buffer Overflow in Lotus 1-2-3 R3 for
	UNIX/Linux

# About

The 123 command is a spreadsheet application for UNIX-based systems that
can be used in interactive mode to create and modify financial and
scientific models.

For more information, see https://123r3.net

# Advisory

A stack buffer overflow was reported in the cell format processing
routines. If a victim opens an untrusted malicious worksheet, code
execution could occur.

There have been no reports of this vulnerability being exploited in the wild.

We take your security very seriously, in fact, this is the first known
vulnerability reported in Lotus 1-2-3 R3 since it's release in September
1990.

# Credit

This issue was reported to the 123elf project by dbastone.

# Solution

A new release has been prepared to resolve this issue, we recommend
affected users upgrade immediately.

https://github.com/taviso/123elf/

Lotus 1-2-3 releases for other platforms are affected, but are not
actively maintained. MS-DOS, OS/2, OpenVMS, z/OS and SysV/386 users are
advised to migrate to Linux to continue receiving updates.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@....org
_\_V _( ) _( )  @taviso

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists