Posted to announce@openoffice.apache.org by "Dennis E. Hamilton" <or...@apache.org> on 2015/10/30 17:56:19 UTC
CVE-2015-1774 Advisory Update for Apache OpenOffice 4.1.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NOTICE: UPDATE TO APACHE OPENOFFICE SECURITY ADVISORY

CVE-2015-1774
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1774>

Apache OpenOffice Advisory
<https://www.openoffice.org/security/cves/CVE-2015-1774.html>

Title: Out-of-Bounds Write in HWP File Filter

Version 2.0
Announced April 27, 2015
Updated October 28, 2015

A vulnerability in OpenOffice's HWP filter allows attackers to
craft malicious documents that cause denial of service (memory
corruption and application crash) and possible execution of
arbitrary code.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected

All Apache OpenOffice versions 4.1.1 and older are affected.
OpenOffice.org versions are also affected.

Mitigation

Update to Apache OpenOffice 4.1.2 or a later version.

This mitigation drops Apache OpenOffice support for documents
created in "Hangul Word Processor" format. The filter is not
installed; it will not be used even if present.

Workarounds and Document Migration

Users of older HWP-format documents that are already trusted
should convert those documents to other formats before removing
the filter or upgrading to Apache OpenOffice version 4.1.2.

Apache OpenOffice users who do not upgrade can remove the
problematic filter themselves. The filter is in the "program"
folder of their OpenOffice installation. On Windows the filter
is named "hwp.dll", on Mac it is named "libhwp.dylib" and on
Linux it is named "libhwp.so". Alternatively the filter can
be renamed to anything else (e.g. "hwp_renamed.dll") to disable
its use.
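
The workaround above as a script, added here as an example and not
part of the original advisory: it looks in a given "program" folder
for the three filter names the advisory lists and renames any it
finds, defaulting to a dry run. The function names, the ".disabled"
suffix and the command-line form are assumptions of this example.

```python
"""Find and disable the HWP filter library named in CVE-2015-1774's advisory."""
import sys
from pathlib import Path

# Filter library names exactly as listed in the advisory (Windows, Mac, Linux).
HWP_FILTER_NAMES = ("hwp.dll", "libhwp.dylib", "libhwp.so")
# Assumption of this example: the advisory says any other name disables the filter.
DISABLED_SUFFIX = ".disabled"


def find_hwp_filters(program_dir):
    """Return the HWP filter libraries present in an install's 'program' folder."""
    program_dir = Path(program_dir)
    if not program_dir.is_dir():
        raise NotADirectoryError(f"not a directory: {program_dir}")
    # Compare case-insensitively, since Windows file names are not case-sensitive.
    return sorted(p for p in program_dir.iterdir()
                  if p.is_file() and p.name.lower() in HWP_FILTER_NAMES)


def disable_hwp_filters(program_dir, dry_run=True):
    """Rename each filter found; return a list of (original, renamed) paths.

    With dry_run=True nothing changes on disk and the list shows what
    would be renamed.
    """
    actions = []
    for lib in find_hwp_filters(program_dir):
        target = lib.with_name(lib.name + DISABLED_SUFFIX)
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        if not dry_run:
            lib.rename(target)
        actions.append((lib, target))
    return actions


if __name__ == "__main__":
    # Usage (hypothetical script name): disable_hwp.py <program-folder> [--apply]
    if len(sys.argv) < 2:
        sys.exit("usage: disable_hwp.py <program-folder> [--apply]")
    apply_changes = "--apply" in sys.argv[2:]
    results = disable_hwp_filters(sys.argv[1], dry_run=not apply_changes)
    for original, renamed in results:
        verb = "renamed" if apply_changes else "would rename"
        print(f"{verb}: {original} -> {renamed}")
    if not results:
        print("no HWP filter library found; nothing to do")
```

Run it with sufficient rights to modify the installation folder, and only after any trusted HWP documents have been converted.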

Further Information

For additional information and assistance, consult the Apache
OpenOffice Community Forums, <https://forum.openoffice.org/>,
or make requests to the <ma...@openoffice.apache.org>
public mailing list.

Credits

Thanks to an anonymous contributor working with VeriSign
iDefense Labs.

PGP key Fingerprint 04D0 4322 979B 84DE 1077 0334 F96E 89FF D456 628A
<https://people.apache.org/keys/committer/orcmid.asc>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----