Red Hat 9043 Published by

Updated openoffice.org packages are available for Red Hat Linux 9 and Fedora Core 1/2

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated openoffice.org packages fix security issues
Advisory ID: FLSA:154988
Issue date: 2005-05-12
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2004-0752 CAN-2005-0941
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated openoffice.org packages that fix two security issues are now available.

OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386



3. Problem description:

Secunia Research reported an issue with the handling of temporary files. A malicious local user could use this flaw to access the contents of another user's open documents. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0752 to this issue.

A heap based buffer overflow bug was found in the OpenOffice.org DOC file processor. An attacker could create a carefully crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0941 to this issue.

All users of OpenOffice.org are advised to upgrade to these updated packages which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154989
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154988
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154742

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openoffice-1.0.2-11.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openoffice-1.0.2-11.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openoffice-i18n-1.0.2-11.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openoffice-libs-1.0.2-11.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openoffice.org-1.1.0-16.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openoffice.org-1.1.0-16.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openoffice.org-i18n-1.1.0-16.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openoffice.org-libs-1.1.0-16.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openoffice.org-1.1.3-11.4.0.fc2.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/openoffice.org-1.1.3-11.4.0.fc2.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openoffice.org-i18n-1.1.3-11.4.0.fc2.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openoffice.org-kde-1.1.3-11.4.0.fc2.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openoffice.org-libs-1.1.3-11.4.0.fc2.i386.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

8b3935db6ed8864aa0839971c272eacd4cb46963
redhat/9/updates/i386/openoffice-1.0.2-11.2.legacy.i386.rpm
b3bbc948ec2c261fe0b44bc5f6ffd0d38243c241
redhat/9/updates/i386/openoffice-i18n-1.0.2-11.2.legacy.i386.rpm
fc5a82e620de2fd69f3327382a44c6159c73087d
redhat/9/updates/i386/openoffice-libs-1.0.2-11.2.legacy.i386.rpm
b71dd5e5630c2967e78d4e9339075d736b6b6773
redhat/9/updates/SRPMS/openoffice-1.0.2-11.2.legacy.src.rpm
e93f1b81c245b1d5168256b24aa8c82f6dacb2da
fedora/1/updates/i386/openoffice.org-1.1.0-16.2.legacy.i386.rpm
1adaa0cf3764aaef0cd8a9597d24f217ee547d0a
fedora/1/updates/i386/openoffice.org-i18n-1.1.0-16.2.legacy.i386.rpm
2ebd3693673e0320c2d6407696949cf0fef2b9b3
fedora/1/updates/i386/openoffice.org-libs-1.1.0-16.2.legacy.i386.rpm
d9ca1a29721ad845db6de1a01c6096163e54078d
fedora/1/updates/SRPMS/openoffice.org-1.1.0-16.2.legacy.src.rpm
a28d80af75d648060587326ef3872a240e339b87
fedora/2/updates/i386/openoffice.org-1.1.3-11.4.0.fc2.i386.rpm
ff7f301dfedbb042810991928ec59aee83c2b12e
fedora/2/updates/i386/openoffice.org-i18n-1.1.3-11.4.0.fc2.i386.rpm
ed14c1e035b9a1fa44b1c16812bae81894d74828
fedora/2/updates/i386/openoffice.org-kde-1.1.3-11.4.0.fc2.i386.rpm
06e156914d032b19deb05c27da73fd6901b45fe5
fedora/2/updates/i386/openoffice.org-libs-1.1.3-11.4.0.fc2.i386.rpm
a003e78128a72b0d297d0fdb5faf5e1793cd02e6
fedora/2/updates/SRPMS/openoffice.org-1.1.3-11.4.0.fc2.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0941

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org