-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: OpenOffice_org,libwpd
Announcement ID: SUSE-SA:2007:023
Date: Wed, 21 Mar 2007 11:00:00 +0000
Affected Products: SUSE LINUX 9.3
SUSE LINUX 10.0
SUSE LINUX 10.1
openSUSE 10.2
SuSE Linux Desktop 1.0
Novell Linux Desktop 9
SUSE SLED 10
SLE SDK 10
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE Default Package: yes
Cross-References: CVE-2007-0002, CVE-2007-0238, CVE-2007-0239
Content of This Advisory:
1) Security Vulnerability Resolved:
libwpd and OpenOffice_org security problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Several security problems were fixed in the Wordperfect converter library
libwpd and OpenOffice_org:
For SUSE Linux 10.1 this aligns the version with the one shipped with
SUSE Linux Enterprise Desktop 10.
- CVE-2007-0002: Various problems were fixed in libwpd in OpenOffice_org
which could be used by remote attackers to potentially execute code
or crash OpenOffice_org.
This library is shipped stand-alone in openSUSE 10.2, but included
in OpenOffice_org packages in previous distributions.
- CVE-2007-0238: A stack overflow in the StarCalc parser could be
used by remote attackers to potentially execute code by supplying
a crafted document. This was reported by NGS Software to the
OpenOffice team.
- CVE-2007-0239: A shell quoting problem when opening URLs was fixed
which could be used by remote attackers to execute code by supplying
a crafted document and making the user click on an embedded link.
Also support for the ODF - OpenXML converter was added to the
OpenOffice_org packages.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of OpenOffice after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
to apply the update, replacing with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 10.2:
2a9af072e8368ed8c0e5db589c4a22d5
72f30dd775b281aa45fa19920d4d4497
babbf2585f90a0aae16807b288673504
f2f5a4c9589fa575a9498044d1a49d03
ad1120bb3611148d4b4134b32e5c9eec
cadf625739907eb685306dcb3d083ebf
c02b7a5ea74d0baa7b12a3dd2eea6564
SUSE LINUX 10.1:
d7533eb1aaa254395e0245a1b4019341
009e2aebb099281672cb7f9b70c0db10
78faa57a6fbf164fa65eb596ab3d0190
cfaae9dbc18f87524066c63a25a5b3cb
1105dcd143adfbd090288ad27e9c8da2
56c40e9b6824ae3ca3d123f362a5a92f
4d44008b5c2cc553548e334158220d0f
cc0dc168269a45ddd0c114965b9a6c56
cb72c893e4ea60968ce42ea8ef011bd7
dfe22f36f4b3d7aff30c742393bd893d
321616c6a193027477056d5b417e1781
d8605f1d8bcf592e59975194fec00142
c1d1a27021f26cb106b6376c89992522
6b9f7fab3f4d1355b97698d582b95587
c01561728f5d498d1b8ee5232b671fa5
c0c5b6dc7f5df2305c6dab0ed2ee4a0b
9f911d9257e8d4504a1fee9f3c1287b9
f241e376c47c9ce1adddfe52e572831d
7435d6499436d16c14b7237517c032ce
8168a44c2ac4192a5c181d1fad0b7169
e0202b13638f4acb8070ec2edb1e8189
f09d99292b549a64461fd92cf33ff5f8
c245ee3672d79e4befb73e708b3e70b3
0fd0cc2d7bc864f257d665d8473f3f4e
61201fbb62e4e0f56ccb3b357f44cfca
5663111aae630b36841310cba6db55f3
8d5836c647bf78676c14414c123f4858
77553c865df0d7dca5d2e7ed0f82b3a0
e8d546844421eebffe58cdc645ab6bb2
d2ffbeb6427890bec20f1176b9650467
58d48ddc4115b4f6ad29ab77f1cadba0
267724851c91881fff125df8041f4cc4
227d2c5991662871c31a6089d1fa01ec
05bbfed2edd6f0bd034f121e97282fd6
063f03b909b71017a33385c58a5bc40f
27c022b107e2fad7aa4382c431b09335
df85fbc2f61f45244328944860e90cfe
0fd50ee5fe5180e3ab9e5a8863b1fe41
585779050216d76d3fdc61dcb87756b6
9948a3c6fe923d1b49c0c32a0945be6d
9200ab125263a45b9d60fef03c55d5af
c6407f6d58eab0882854740ac55277c5
5a3a13df49340458817b3730623dbdce
df5ae66ffe5e5108da697871156cbff5
df6b1fdcfbeadc187af969236ecb5635
60390c99d68d9e4bcb8721213582a5a4
2c1901b43de3d5ad13443ea6cf2de516
bb7bf0ec0d243eb2d7726b472904f8be
07010f8ee28c3ed3fbc6b5c45eec37a4
d7d1e73876c1f9ce41ff733e48dc8e1f
14e61b81f2da392d90f36e49e6331dbf
4fe4504f405ba6151ba3ac7ee49c3172
7e4dfeab50b23ed7a3113be7a6b156a8
a44dae4a186a610827d8262064ecce5a
SUSE LINUX 10.0:
daf50e3dcfcc21ef80ca59cd730e7733
0908aeb25b6aa9638d44996f5837d875
d101a407afd4a19e5d2240475dc2974d
fbeece1fad5a8832df4b1cd05465691e
7954a771aae3a099b86a9c2c81a5a7ac
446b15214a52bafcb16b70413ff76bfc
a8bf434202af39cb2a54b6181caff6e4
be19917020061c7756c9deb97dc9a7aa
4e8d908c40209290dc52a1f41e7735d2
f75f652b606ee51a3aed06cc203a82ed
67e142cbc8dc07719014c3344a3e43d0
7748ff91d45dd2a535193e9f80a5f9e5
fe141d5f8240ce6b751f5d9c67337c27
f2f201a58434286598f0bf13d35e9839
0e3d3c2eca587d580bac44637d591a04
ec7ce5153548779dbce4324cfc21b088
321df6d876e182ee003a2ebb6b43f965
ef368c9d5b04a6461a27c633c14e66cd
560a4de9533dc4b00d3905641f51b814
857c76fb5d00238ba3a7571f31a44bcb
a09830b7f91e6adc5dd2cc5c85ae2f62
c40a52f2245c0d1b9c7e098b73d2241d
e8a35dc8733c61ff82ba4c79434484b3
aefa7eafd187f38548642c2d20264334
3fb2f0ea676eacedd11819fffb33db54
b05e81f2d7500fd3c5b4044fbc1770e4
507477f68fcf29a078759e3b4fa0b8ce
dfad18ee128cf4e2ea8bef41787e6628
9920f20a0dd06e3ec66ab54f57ba3afa
10294b1e938a66ae2dd662c08d283b00
b96c74bffb0b88512c882afa8427fdca
3d95aee56fd4b8c2afd0222c8b2d9ed4
e477c6570f7d4b2221241eba60d447b0
a3b4db853adbc7dfb59320449f02cea4
ff427c1dbaa1bbc0946ed4bb9eab2411
275b3b941540e373ac479cb43c539499
3b62e77eba1b15fe5a3abd66638d68fb
b7655adeb11dc42fba851d9871c856b2
aa79318eec4efc5479c13600841071f7
4eb75711c4504d9d63edc19baa57b51d
93bcd0fa175cffda5f346bdfcd155d87
7fc2f100a4bba449582e5635af51cbc1
20d179d17303c2592ac0a8a746d3a2cd
bda31e02fcf0b84ba8441c9c1dad6465
e40724599c441056eac6242c50f6e184
SUSE LINUX 9.3:
3d401f97c52bd951bf0f12dafd8a5f62
425d7fbb0026cefbd4a4c2e397d8190c
68bfa745291616fd868a0b7cbf95af99
11adcd616dc3726ede3a5d3f6ef7193f
7834b7c6e0e90b07fa4d6a7ad04ee0b8
b095a9cd0b54197e04d88b0205aa62bf
434a14813a0d0c6bab5c4e453d7ebdba
ca7590d2b273323c7709af49d065f563
e3baf8b76558d18d6191db55e43a9401
51968f4497bd27cea3d327197fd8dcad
8fa92a6ee02cfdad5929ac90e5509a3f
b59c72ebd799292c782d924988c86560
780672721174087715431494136751f4
fc3c1879bab3ea3191d174c829e98a09
50b4151fb4ffc14cfe4f37acbcbf072c
d2f37ecce322145cc2af142a2b7acda9
66fc79960adb3709276a6e0be3453b4d
76ed8d644f50ca1c33dc92e2b67ddbd7
6dbc621e0abb92fa44127423fa41e239
d53a758cd57f36c21d7832cd5881be56
40fe55b170656b86f1d821402ace1d41
58036435751b74b09baf2d6c870304c0
602383dede3f9601ed5b0d2c3fe89d95
36ac059a9aec6482f801e3662f1d1c01
0cd3fc86ce54b960289fabda77e27439
8fedf5c89cd730812041db3f62ae58f5
c4059951210c2e5510c0d0495a3cd58c
35ab4ffca257414aefddde8915301b05
1cd3ad97a081c87c69cead51dbdfcc37
97239440907e41e1c7beed973259927f
d326ede0a93c1039ddfee8740df82dee
8f239372174c8e66e6e7d6847b65f53f
0c0469b3cef0fd6efe8bcd4b81b134de
830adbe3c497b73238a635a679059f90
986272514a78a2022ecf99fc7b613184
bdb6a5cf0e667e483716b5c7451f1a73
431a8276a904305a4cc3b45cdd552500
48e11420aa6310f46c7ac1fb7a35df0b
a48ff519fb2cdf6bbf9c8e53a6df3b82
dd3412152e46a9ad2c1e25a59a5398ac
59be3b63e52c4d608982b60678852e15
66407d4150e0f751cba9ffbfb7ae380a
882c7fc9a442287eb86791874ad7c66e
6944874f6901ee8e94596b4ec8651d89
fbbac0a6f2534127c4fdfb2e88456f91
76465851513b3a266a7019ba538cbdb4
45ee4c5d3e366abf516fc3ae57ea055d
9933e1ea662526ab7d1948e7b3d49ce6
085b94c16b2c6d1907a5869a21b22d33
aaf631eb0d279e065ccb30bcd2bd3bdf
6feb77e9d006ff2b310a874a06baf6e6
c13f4b8f87ffae25ac1ab3fc86f2b008
676671efbe38fc213b2467e8fe27a39b
b1516b08ea4a43a5b7b740213eaa7c33
67f3cd1182a47d23229059e69d590009
Power PC Platform:
openSUSE 10.2:
ef5e7647c3119475615264b25837b560
61651ed5645c144e3ce4c3e0ef3478e8
0cb297ce08ff152a621e6a7be764f495
50e08a0e07e9093a10c880c1756b0f44
55ef3359735578b9b9927a5473de38e7
ddaf3c1d9437a086e25d0996c2fb0b08
749edb6cf4293f983d16d3d08d268cd9
SUSE LINUX 10.1:
9c6dce1f5d6249b3c3c4876c86c8a64b
a4217a26e9f2ac2210bea179f40fab7d
09d36b66a917c76259bdaf6acfe515ad
138e6fc1e5ddfaf706bca3ea8c5d42eb
83d715467f9f7c8e6d3b8d81f56ff8f5
9ceec70d0bced102b6f4534d37520aec
03e84c9c2c6f00a04d5bc51dbc754c21
fab40d7cf44b9570dbac82920cff6c9f
8cf1908adc5406aa6db821fe74ba6162
cde1c323148a061a1b29a056b4c0260c
a2ca0d0d74589a277159de47bcc38292
a1fb699f2aa071d2bf93eba873b8dc75
ac44d81e83fce7bce5c72e2ba3de194b
2b86b2fc9f32ce1a09ec72be5e95f94b
4ddde7bcc75bda13cd97eadef989e56d
25efca68f27e58d486a1396fb6e01148
1a5ca9dcbd56b08588604b24ba9c3329
1d3e3fc5d1780a77440a92e23afd9c08
37512fa7bfae1f44077ede96253bbf9f
7e5d29f310fed1e704f010ebf7fd4a94
fc0e46817a6ef18ec38ada0b71a45484
6a90d4bc8caf09e0426f3aa3dcc19a80
1b34147033d27ac0ca5e6d9ea853a3f4
f0083fa3c922cb3571d08eeddfd0feee
4969acec66079bd018a0a8daa78a4066
4eb5d8b9e7000ce53eacc75eaeedec80
3008616363f4c20e239064b0e3fdf23b
a078e38dbce4f5519a0872410d268b8d
ff7982f5de6e0c4c8ab296777629a4bb
bf61834d43d5633a90c7eb5a56984d7c
794df46f8566e1ca7f3540d5b5095756
241a4b7d76e4caf9506230f15e240db3
eec36089c9417eb02e0be548dce33c14
1ab457869109a0bee5b7998a642a0cd4
37ca20d66a0600c6270997404d85988e
c55e9a93ff9321c6a0fb809f4eadbe49
e98e5f1d0ee1feb79780e06479edc3e2
769730f4c00958fcc4ee86520a3bc052
3cace3fc035a75ad17aaf84e919160f7
1372064aa3bfbd25c13b989a907ceed4
c383e1cb41718a8ea7dd37c2e6e5eefa
dae756fac561e35434759a2c2082d364
60a949dae23eeedf21d1045ff2ef3d19
0ae537a3e6ff13f1aeaeab92b9a02405
194510f325899490845c6f6825b78b93
7ce3641365ffca0194828f85ece4ab88
9f5233575c5200aee3e79faede979ae7
b7397aedb9abc1cca20eaa67bd2efca2
5ad29f565ce8065fa3962ba8d32edeaa
b1cd36bdbb07ac8600385c71444219dd
fdcab2ee3182504f06d4ff37a0e3d167
a531bd249ee57d928f1363b894e641ac
9935289a9b010aca63423bfb144fa2eb
882e8c4febfb1e33d56e8e67b09c3a32
SUSE LINUX 10.0:
cecd47848f250ddd997db3129d27ada2
373bf56d0fba544669124dc2a07a5890
33d3052f8566aa3b569ee09265d4f633
649011706f146e21d9449891c84b5bbf
4e975a58995b37b7124c28c4043acc92
41c649dbaded150c9e2fd35e1db78839
3975d6fb3ac15954a58428ed8b7e7186
01d3561ebdd5bd35210ce936255b62aa
cd3623f2e0c62b988acf475bffc81373
781d2c9487bd963533f6a0d089dea4a4
f23daff8d93fb7b05906a72f213c555f
552ae155bf3c183ef02791e015facf03
a4b8e0f3874c7788d5b62055bd51752b
3c8c0d011356d77adf725cc751009502
e0a626b09ad3691a40cc43b9a66cdcfe
632536d2f411b50ee53cfc75da77e066
65555e2e265e7ef8f6786d21a0527f44
eed2177ac0f7540bcb5b33a8d8411079
7aaffdd96fbc46715c02d20ed9a8ab4f
b7a740d01f615ce4a4c1d9d31c22fac9
45dde4c57a2cf6e873667bca54436218
a2aeed78e10151cefa9b547cd74916b2
d6cbdfc83736feeb9beab1a3233b03b4
c7fbe3d045a8d0a69a246331d2cac9ea
59d89038a5d70847c39e635a6046836f
3da570835e020b525ddefa4f1ca0f614
051a8526c49a7b2b00911ea373edefdd
691a72b95b7029728a545e4c4ba8ea40
6dcb25c6aa639340d609f921307e9635
c5e6a24f7cbba8a950bce995aafb4c94
8bef349eb7f559ed09774b3f1afc9b42
ce7ab69d3a44be22b87da9a64bd5a5db
78bca75c7e8c48be2f29970b67e8ae91
4b58b1b1fe0aa20673ce10a269eb0c77
9891ce27f223d1dad6dc35b7bbc4c155
9c0eb597a9e5854c179bc071108ad756
09a3b79866abce34b3322722f02dbb8f
08fa57ce52a06c090fbdefec35332d02
d1cd3bf8912d7c345e93d040971a9989
12d7e0047ed4b7a96f76a29919789cb4
f91dbabfd59b816f984f25ca6e2808af
ffbcc22a366fd8d0febcc5de81c9831b
c93c58214854b7c815c225786338b247
297c78087f9646dd5fafc108fa9a5113
9af604a6e08ef5f3e271973460dbe3c6
x86-64 Platform:
openSUSE 10.2:
98f259a61a96b389d78f5c2379935f2f
e4940153d6b27bc542e0b19b6c095375
SUSE LINUX 10.1:
9283ee0bca8000ddfa4f65b5aaa63f06
8b6d9df8b3125b6f79be1426e9abb716
Sources:
openSUSE 10.2:
9e366e55b7982da2bb9546ea6aafbd3e
02859ccd6b23ef8abbffd3f2f2917ad6
SUSE LINUX 10.1:
48a2c08cc7c05cf03501add19de2f18d
86307019d42fd01fd791a49e936adae3
SUSE LINUX 10.0:
0c03bb57182d9a376b3ac180915ed118
SUSE LINUX 9.3:
5a36ec0584911db7c58fd1530c0c15af
e9b9a54cf8ef922cc475e9f8fb12d038
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SLE SDK 10
http://support.novell.com/techcenter/psdb/45b2a4c2c1b2b8002e0b1a73efd03241.html
SUSE SLED 10
http://support.novell.com/techcenter/psdb/45b2a4c2c1b2b8002e0b1a73efd03241.html
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/bf6a5b58f07ccb9ee5cb194c18620d9f.html
SuSE Linux Desktop 1.0
http://support.novell.com/techcenter/psdb/bf6a5b58f07ccb9ee5cb194c18620d9f.html
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "
where is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig
to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
==================================================================== SUSE's security contact is or .
The public key is listed below.
====================================================================
