oss-security - Re: OpenOffice.org CVE-2009-2139

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Tue, 22 Sep 2009 17:47:11 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: Thomas Biege <thomas@...e.de>
Subject: Re: OpenOffice.org CVE-2009-2139

On Mon, Sep 21, 2009 at 02:42:20PM -0400, Steven M. Christey wrote:
>
> On Thu, 10 Sep 2009, Thomas Biege wrote:
>
> > CVE-2009-2139
> >
> > Manipulated EMF files can lead to heap overflows and arbitrary code
> > execution
> >
> >     * Synopsis: Manipulated EMF files can lead to heap overflows and
> >                 arbitrary code execution
> >     * State: Resolved
>
> We recently created CVE-2009-3239 to address an OpenOffice overflow in
> enhwmf.cxx/emfplus.cxx, as described in SUSE-SR:2009:015:
>
>   "This update of OpenOffice.org fixes potential buffer overflow in EMF
>    parser code (enhwmf.cxx, emfplus.cxx)."
>
> http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
>
> Is CVE-2009-3239 a duplicate of CVE-2009-2139?
>
> (If so, we would probably keep CVE-2009-2139 and remove CVE-2009-3239.)


Our text actually references the issues CVE-2009-2139 and CVE-2009-2140
but did not specify them due to an oversight.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2140

Both are go-ooo.org build specific issues.

Ciao, Marcus

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.