You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@openoffice.apache.org by "Dennis E. Hamilton" <or...@apache.org> on 2016/06/13 21:48:16 UTC

Fixed in AOO 4.1.2: CVE-2015-5313 .DOC Document Vulnerability

Republished without change.  This advisory, originally posted 
on 2015-11-04, died in a moderation queue and did not reach 
the list.  The announce@openoffice.apache.org is the official 
mailing list for Apache OpenOffice security advisories, as 
specified at <http://www.openoffice.org/security/alerts.html>.
This republication ensures preservation in the announce-list
archive.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                  NOTICE: APACHE OPENOFFICE SECURITY ADVISORY

                  CVE-2015-5213: .DOC DOCUMENT VULNERABILITY

                        FIXED IN APACHE OPENOFFICE 4.1.2

CVE-2015-5213
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5213>
Apache OpenOffice Advisory
<https://www.openoffice.org/security/cves/CVE-2015-5213.html>

Title: Memory Corruption Vulnerability (DOC Piecetable)

Version 1.0
Announced 2015-11-04

    A crafted Microsoft Word DOC file can be used to specify a
    document buffer that is too small for the amount of data 
    provided for it.  Failure to detect the discrepancy allows 
    an attacker to cause denial of service (memory corruption 
    and application crash) and possible execution of arbitrary 
    code.

Severity: Important

    There are no known exploits of this vulnerability.
    A proof-of-concept demonstration exists.

Vendor: The Apache Software Foundation

Versions Affected

    All Apache OpenOffice versions 4.1.1 and older are affected
    OpenOffice.org versions are also affected.

Mitigation

    Apache OpenOffice users are urged to download and install 
    Apache OpenOffice version 4.1.2 or later.  DOC files having
    the defect are detected and made ineffective in 4.1.2.

Precautions

    Users who do not upgrade to Apache OpenOffice 4.1.2 should
    be careful of .DOC files from unknown or unreliable sources.
    A Microsoft Word 97-2003 DOC format file can be checked
    by opening it with software, such as Microsoft Office Word or
    Word Online, that rejects documents having this defect as
    corrupted.

Further Information

    For additional information and assistance, consult the Apache
    OpenOffice Community Forums, <https://forum.openoffice.org/>,
    or make requests to the <ma...@openoffice.apache.org>
    public mailing list.

    The latest information on Apache OpenOffice security bulletins
    can be found at <http://www.openoffice.org/security/bulletin.html>.

Credits

    The discoverer of this vulnerability wishes to remain anonymous.

PGP key Fingerprint 04D0 4322 979B 84DE 1077 0334 F96E 89FF D456 628A
        <https://people.apache.org/keys/committer/orcmid.asc>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJWOpbcAAoJEPluif/UVmKKy24IAJFxpkSFlm0oH9lVSFi/7VNI
uJfd3cSOG7U4qCQ6QG52iYwBektdvoEMze650h7tQz6BE5Nu8ptMWXW9+crUUmMY
Tq8k5OHhP6Yzs1qe5qRLl2FgwB66aJdEYxo9EJVUB0AugYeZ2jgFkqktO3/soY67
elje8CnDTChD96Uh8OkW84L93RgPgua2a02rzJGOBPAjbMkr+BSwf4ubAvXnPzec
cvdPuO3ESxmwUI21uPducYF6oPITl1TAI14obxzL6dW5ltImtZuMT8cErtrsxed/
bKoum4DVDHF+Xp6/cOGto1qEIHkUzWB9SGFL6W3KPyY5aGcyi6FrLuQTC2uYkDQ=
=nAZW
-----END PGP SIGNATURE-----