[<prev] [next>] [<thread-prev] [month] [year] [list]
Date: Thu, 22 Jan 2009 17:27:52 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com, oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- openoffice.org (CVE-2008-4841)
On Wed, 21 Jan 2009, Jan Lieskovsky wrote:
> What's the strategy in this case -- will we need a new CVE-2008 id
> for this issue && the openoffice.org1 case? (And if so, could
> you allocate one?)
A new one is needed since (I assume) it's not a shared codebase between
Microsoft and the Linux distros. A 2009 number is being used since the
announcement for this particular product was made in 2009.
Consider buffer overflows in FTP servers with a long username - same exact
bug, but at least 20 different implementations have been hit with it so
far.
Use CVE-2009-0259
- Steve
======================================================
Name: CVE-2009-0259
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0259
Reference: MILW0RM:6560
Reference: URL:http://www.milw0rm.com/exploits/6560
Reference: MISC:http://milw0rm.com/sploits/2008-crash.doc.rar
Reference: MLIST:[oss-security] 20090121 CVE Request -- openoffice.org (CVE-2008-4841)
Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/21/9
The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows
remnote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf
Word 97 file that triggers memory corruption, as exploited in the wild
in December 2008, as demonstrated by 2008-crash.doc.rar, and a similar
issue to CVE-2008-4841.
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux