Date: Wed, 21 Jan 2009 14:13:46 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> Cc: oss-security@...ts.openwall.com Subject: CVE Request -- openoffice.org (CVE-2008-4841) Hello Steve, CVE of CVE-2008-4841 has been assigned to the following WordPad Text Converter for Word 97 vulnerability: The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008. NOTE: As of 20081210, it is unclear whether this vulnerability is related to a WordPad issue disclosed on 20080925 with a 2008-crash.doc.rar example, but there are insufficient details to be sure. With references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4841 http://www.milw0rm.com/exploits/6560 http://milw0rm.com/sploits/2008-crash.doc.rar http://www.microsoft.com/technet/security/advisory/960906.mspx http://www.securityfocus.com/bid/31399 http://www.securityfocus.com/bid/32718 http://securitytracker.com/id?1021376 http://secunia.com/advisories/32997 Found out, this issue (http://milw0rm.com/sploits/2008-crash.doc.rar) affects also the Word processor as shipped with OpenOffice.org. Affected OpenOffice.org versions: openoffice.org-1.1.2-38.2.0.EL3 <= x < openoffice.org-1.1.5-10.6.0.5.EL4 Note: !! openoffice.org-2.* releases are not affected by this issue !! What's the strategy in this case -- will we need a new CVE-2008 id for this issue && the openoffice.org1 case? (And if so, could you allocate one?) Thanks, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.