-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                OpenOffice_org
        Announcement ID:        SUSE-SA:2008:023
        Date:                   Fri, 18 Apr 2008 10:00:00 +0000
        Affected Products:      SUSE LINUX 10.1
                                openSUSE 10.2
                                openSUSE 10.3
                                Novell Linux Desktop 9
                                SUSE Linux Enterprise Desktop 10 SP1
                                SLE SDK 10 SP1
        Vulnerability Type:     local privilege escalation
        Severity (1-10):        4
        SUSE Default Package:   yes
        Cross-References:       CVE-2008-0320
                                CVE-2007-5747
                                CVE-2007-5746
                                CVE-2007-5745
                                CVE-2007-4771
                                CVE-2007-4770


    Content of This Advisory:
        1) Security Vulnerability Resolved:
             various security vulnerabilities
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   This update of OpenOffice fixes various critical security vulnerabilities:
   - heap overflow when parsing PPT files (CVE-2008-0320)
   - various buffer overflows while parsing QPRO files (CVE-2007-5745,
     CVE-2007-5747) (NLD9 not affected)
   - integer overflow while parsing EMF files (CVE-2007-5746)
   - out-of-bounds memory access and a heap overflow in the regex engine
     of libICU (CVE-2007-4770, CVE-2007-4771) (NLD9 not affected)

   These vulnerabilities can only be exploited remotely with user assistance
   and in conjunction with other software receiving OOo documents over
   the network (like a KMail attachment).
   
   Please note that users of SLED10-SP1 that installed the OOo-2.4 update
   already have the fixes.
   
2) Solution or Work-Around

   No work-around known.

3) Special Instructions and Notes

   Terminate all running instances of OOo before you install the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv 

   to apply the update, replacing  with the filename of the
   downloaded RPM package.

   
   
   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:
   
   SLE SDK 10 SP1
     http://support.novell.com/techcenter/psdb/14ac798887e3454500d633209764e2c7.html
   
   SUSE Linux Enterprise Desktop 10 SP1
     http://support.novell.com/techcenter/psdb/14ac798887e3454500d633209764e2c7.html
   
   Novell Linux Desktop 9
     http://support.novell.com/techcenter/psdb/f6a476d94870d717c3a93c69ce56d196.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   Please read our weekly security summary.

______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify 

    replacing  with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made  using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team "

    where  is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently from
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig 

       to verify the signature of the package, replacing  with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@suse.de with the key ID 9C800ACA.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum 

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@suse.de), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid. Note that the md5 sums
       published in the SUSE Security Announcements are valid for the
       respective packages only. Newer versions of these packages cannot be
       verified.
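    As an added example (not part of the SUSE announcement), the following
    POSIX shell functions chain the two checks described above in the order
    the text requires: the announcement's PGP signature is verified first,
    and only then is a downloaded package's MD5 sum looked up in that signed
    announcement. The file names (advisory.txt, the .rpm) and the function
    names are assumptions; the key ID 3D25D3D9 is the one named in this
    section.

```shell
#!/bin/sh
# Added example, not SUSE's own tooling. Implements the section 6 procedure:
#   1. verify the announcement signature (gpg --verify)
#   2. verify the package's MD5 sum against the signed announcement (md5sum)
# A checksum proves nothing on its own; it inherits its trust from step 1.

# Return 0 only if gpg reports a GOODSIG from the expected key ID.
# --status-fd 1 gives machine-readable "[GNUPG:] GOODSIG <longid> <uid>" lines;
# the 8-character short ID from the advisory is the suffix of <longid>.
verify_advisory_signature() {
    advisory="$1"
    keyid="${2:-3D25D3D9}"          # SUSE Security Team key ID (section 6)
    out=$(gpg --status-fd 1 --verify "$advisory" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q "^\[GNUPG:\] GOODSIG [0-9A-F]*${keyid} "
}

# Return 0 if the md5sum of file $2 appears as a whole token in advisory $1.
# The token match avoids accepting a sum that is merely a substring of another.
md5_listed_in_advisory() {
    advisory="$1"
    file="$2"
    sum=$(md5sum "$file" | cut -d' ' -f1)
    grep -q -E "(^|[[:space:]])${sum}([[:space:]]|$)" "$advisory"
}

# Method 1 from section 6: the package's internal rpm signature.
# Returns rpm's exit status; rpm prints the signing key ID in verbose mode.
rpm_signature_ok() {
    rpm -v --checksig "$1" >/dev/null 2>&1
}

# Full procedure: announcement signature first, then the package checksum.
# Exit codes: 0 ok, 1 announcement signature not valid, 2 checksum not listed.
verify_update_package() {
    advisory="$1"
    pkg="$2"
    verify_advisory_signature "$advisory" \
        || { echo "announcement signature not valid: $advisory" >&2; return 1; }
    md5_listed_in_advisory "$advisory" "$pkg" \
        || { echo "checksum of $pkg not listed in signed announcement" >&2; return 2; }
    echo "OK: $pkg matches a checksum in the signed announcement"
}
```

    Run as `verify_update_package advisory.txt package.rpm` after saving the
    announcement as plain text; a non-zero exit means the package must not be
    installed.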

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    opensuse-security@opensuse.org
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    opensuse-security-announce@opensuse.org
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    ====================================================================
    SUSE's security contact is  or .
    The  public key is listed below.
    ====================================================================

             04e12349f8b4ad96668618f0cb5a7fa8
             a55d25b5c8699ce33afdf331f3e2aaa5
             b89bdbd1e62176fad80a4f549825daa4
             b819fa124b3170bef61865e90bf6c59d
             33b4975f052bc47558f986da054f91e2
             5b0079658bdc38857b5c7a8ad6065596
             c70565a52b473f1f2fa23fe36f0b99cf
             adbc3f39af0e192728f9b999e35aa65c
             74de67e68aaf6971dee294409ab4476e
             535129dc5e6c983c29b6fdfb5eee1a4e
             8be6efc1a971c5b399dcdd3d295cc7a4
             e67ec45e7ca28049c7d8f6a6064a256f
             d2081eedf5c4dbf4482f0107bb840788
   
   openSUSE 10.2:
             d961dabd72bceb816f91bdac5150b108
             aa502ccf683c22bd7e095fc94512a4ee
             f4a4792bef94f59878ef3f16f9d84657
             c910db11ea56eec75b8ab8b5bee62f34
             f67c175c4df7050a3f32e61e70a33e69
             b45b7c915f315e24c0c283de73f25c5c
             02eb05dbe9924a62edab71956a280341
             3d5faa86f195cf805d272fe56e2640f9
             b77581b588253c9817b77877ea43cf0f
             43a4ff9699ef734a3fa8a050489bcfbe
             e4cda13b80d4a6bcfc030e8f79dd7009
             119ef9f76f6a82fe57c625e7eee02208
             105e92c73c23dfd1589e0adf61b79076
             8d735d5e20a9651d1a457ad9a994adf6
             0a97af1e299a8fa7782f21fb02a65844
             28698af3a83a8aed73b59d76f09f914d
             f60a2ba24b1fefc172f54321a5b74b98
             7bc5a9fe51893cfa5f260f2cbfd41fa8
             699fb42b02d89d9ba6c5fd71a0966f23
             4669e537ea23577d64822abff358ef2f
             6ff3d0e4c0ba2f0a4672a635f5efda04
             7c00d8bbed381cbde454561a2fb7bd5f
             6426944834c136869bfd277bee5b92d5
             03fa1d78d0e34a7533311825cf1d7e5b
             e877b2a01e47ea479de23174dd02b321
             85970c84a01e489009b42e7853cfe930
             a1bf618c1d39ebaeaec6020b693ce9ce
             d653e2a3309c5695c8adc5fd9fee5082
             15fe6ebf42811be01322cd0e5840e600
             c81ed3344315bac01608041155cd2129
             27233e3d4b3946acf4c53335a0bd7a27
             751215f39c7fd3696e9b56362b799ba9
             1508a1df8ffbf3cb0c21ef4ff91b2508
             2444ab5d25a9389f82ca98b9c22534b5
             af54e420a61cf91743b93a8d1608dd5d
             eb06c02fc34aca05fa0da5c8d8883101
             f897e85535d691b9e7148ecd6b2b1b4b
             31ef785922cd35593c2a1e6a133aa6cc
             0633077e1dc611876eb84c78b0353c78
             97c6d81a58da85aab84ae08ee7ffc768
             df6a44e57bb0007b593b7fa750d0e043
             856fd1ebad660c3d313274dff9a9363e
             11ca53eac3f864204e991681d30e1384
             ab809f7117d3f2c86ddf63b732a1d071
             931024221d60428f4a04f224018b65cf
             66a619a3d538c7fa39ed1336a77e691b
             69ec30f99f394d0cdd65a2f2d6b612a6
             8371143db904b353d304ebbc737b9ec8
             ac77d8aa6bd37ad349a8726acca57264
             1b3127e6c66313b429106b0c71828b4e
             15f9175f0cf090eef4d59e8c23d9d61c
             f7cd80fa316908b7a3b08a879aa90aef
             7118341a7cc7832330d93f998707f543
             b32baeb62c4083ac050cab4d5233b99e
   
   SUSE LINUX 10.1:
             d852db70e250f5a8fdca05a6782b0fed
             5a35affd722e1d06b37d3bf830663161
             6509c45270281cbd933a8c3728971e70
             254d251d8bb448c2e5c716ca3ea352ec
             11e394af947646f9734a5c150354ddf5
             ce7b6e60516ced55de621d939019c124
             e1b907f417b6cf8af00fc982740c824c
             10a949636cd4928e42e5c8f302624527
             72a8bdc9eb8956be559f2bafc08be167
             80fe75eb8c4aef426ac6d2370df33f8d
             7040eba78fa04fdd032fe7b663de668f
             e68d09ebd37dd28e99bf292ed0af5d21
             5ebf19d8cc5e4400948711af7d4f321d
             4316b427ccff3687925d05c50b29d952
             60211f4526905c4a32c65fb6f665f217
             e7919b6f387773535011b1a3eb017588
             19858640940df10044edf710c6988dca
             3691f17f0e66f567b1560b0e30c8b06a
             4b72a6609d0e3866634d18cf2bc8ddc6
             e3f04ca460267df3f463f4a2fc1e2048
             7113058573abfc3cfb59e66299b84503
             ff7bc2ab4498475160e099aefcb0ec90
             cc62f0a4af130b48c61e94100613bab8
             8aed99f0432c4519f22fb3eaa322a788
             c2063f3dbf4d9ad2272e0ccf9b4d0be2
             ca16d2a75a278827d8e98af9ac47bdaa
             22dc65392d9ddac481343e6b3d6f20b4
             eec41c744dda7c7c4ac2913b56d4993a
             1a1fe7f422d65f9745324ede5fb75c08
             c04d26377bb6802c753508754cc692fc
             6ff5af78b0cde8d4c1c01df89a009cde
             94ee47f248a90b0bde56083d113edeed
             fa68fa882c439822616065e995133a74
             813ff662c8d63aed6a08a784a9f9dd0e
             ec59aa47dec2c56943aa8601b361de08
             fcd63125bcc125803023a16cf6b2d28d
             54027b48181f227a017ca5669c24974f
             addbcfd230495b086158175e09ec6720
             96891dae6dc0f82af5f801a48297aa2b
             f65b021ac9b9e706d23452d95ff689bb
             2e36284079c996bec89a29e0f1c21ee7
             78a8f30f9cdeda5158dda31e381d38fb
             6ef78585f62a86a0344eb8c20bb36b3a
             fc6668341b262f2d89057bc46c858134
             b6a58b243b4882ac4f3718d9e07e5e89
             c70b56d0159722df9251904c9851bb52
             96a5482970c6ec1602d203f6a749f6d2
             8b868865516bfe4aeed003bb6a4e22b4
             2a6dc9b065c68bdbb55e801a09f5d15f
             0314e6b20ec02df6776eb05f5091803a
             2fb62d621155980046217f4dc93fca14
             fd2e9ad671e106ca47337f3e6a908cb6
   
   x86-64 Platform:
   
   openSUSE 10.3:
             2ebed3ff9dbaf7bcffe66c83b2ae2f12
             6f48bc102e4d74b43fedd40bce829e16
             3aa5979d63dd1b1e3da0acd11ec26b83
             a0cbfd4e76067741eca502f2677dbc64
             3178b2d4cd9213a0a775474aad53d9f6
             2e25d20f787de6f1a48937106654e465
             f32252abeb829ca22ab7d602152f8148
             077c9ab06f979a666f5e85343bcdeca5
             013621f793e0cfc170dc7cd648f6601a
             349866c0e1926b8f526bc1be06c93624
             9e5733af48f74cb9f7021bbd76e73271
             2a52fb5278df6052167335d66235ee38
             2ea5361fd1bf9e7965ed48c41770abcc
             f7f1b4c3694aa8f5ce7d44ed6a2c8649
             5a302027535d0f346f7bddbf40f2a46d
             55ed30939fe85243e90dd48a6b0c748b
             40ccec9ac7616d8b14f523bddd1109d1
             a4071687aab06c971f059dac40575a1d
   
   Sources:
   
   SUSE LINUX 10.1:
             73d7a831ee773da36bc2e01830e9f503
   
   openSUSE 10.3:
             90df6baf5f12ae3e3b6a4a9d1419e894
   
   openSUSE 10.2:
             b85623b728dc0637cca5dc01648f2eea
   
   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:
   
   SLE SDK 10 SP1
     http://support.novell.com/techcenter/psdb/14ac798887e3454500d633209764e2c7.html
   
   SUSE Linux Enterprise Desktop 10 SP1
     http://support.novell.com/techcenter/psdb/14ac798887e3454500d633209764e2c7.html
   
   Novell Linux Desktop 9
     http://support.novell.com/techcenter/psdb/f6a476d94870d717c3a93c69ce56d196.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   Please read our weekly security summary.

______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify <file>

    replacing <file> with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team <security@suse.de>"

    where <DATE> is replaced by the date the document was signed. Note that
    "Good signature" only shows that the signature matches the key with ID
    3D25D3D9 in your key ring; it says nothing about whether that key is
    genuine. If gpg warns that the key is not certified with a trusted
    signature, compare it with a copy obtained from a trusted source, such as
    the installation media described below.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently of
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig <file>

       to verify the signature of the package, replacing <file> with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@suse.de with the key ID 9C800ACA.
       Check that the output actually reports a gpg signature: an unsigned
       package also reports its digests as OK, and a digest match alone says
       nothing about who built the package.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum <file>

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@suse.de), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid; a checksum taken from an
       unverified copy of the announcement proves nothing, since anyone who
       can replace the package can also replace the checksum. Note that the
       md5 sums published in the SUSE Security Announcements are valid for
       the respective packages only. Newer versions of these packages cannot
       be verified against them. MD5 is no longer collision-resistant, so
       prefer the rpm signature check in 1) wherever it is available.
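    The comparison in 2) can be automated. The following Python script is an
    added example and is not part of this announcement or of SUSE's own
    tooling. It parses a checksum list in the layout SUSE-SA announcements
    use (package URL on one line, the MD5 indented on the next; plain
    md5sum-style "<md5>  <file>" lines are accepted too), hashes the
    downloaded packages and reports any mismatch, missing package or
    unlisted file. The package names, the mirror URL mirror.example and the
    package contents are constructed for the demonstration. The script
    assumes the announcement signature has already been verified with gpg as
    described in 1) above; the checksum list is only as trustworthy as that
    signature.

```python
"""Check downloaded update packages against the MD5 checksums published in a
SUSE security announcement.  Added example, not SUSE's own tooling.
Precondition: the announcement signature was already verified (gpg --verify).
Package names, the mirror URL and package contents below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# SUSE-SA layout: a package URL on one line, the bare MD5 indented on the next.
URL_LINE = re.compile(r"^\s*(\S+\.rpm)\s*$")
HASH_LINE = re.compile(r"^\s*([0-9a-f]{32})\s*$")
# md5sum(1) layout: "<md5>  <filename>" on a single line.
PAIR_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+\.rpm)\s*$")


def parse_advisory_checksums(text: str) -> Dict[str, str]:
    """Return {package basename: expected md5}.  A bare hash is only accepted
    directly after a package line; headings such as "openSUSE 10.3:" or blank
    lines break the pairing, so an orphaned hash is ignored, not misassigned."""
    expected: Dict[str, str] = {}
    pending: Optional[str] = None
    for line in text.splitlines():
        m = PAIR_LINE.match(line)
        if m:
            expected[m.group(2).rsplit("/", 1)[-1]] = m.group(1)
            pending = None
            continue
        m = URL_LINE.match(line)
        if m:
            pending = m.group(1).rsplit("/", 1)[-1]  # keep only the basename
            continue
        m = HASH_LINE.match(line)
        if m and pending:
            expected[pending] = m.group(1)
        pending = None
    return expected


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large RPM does not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(expected: Dict[str, str], download_dir: Path) -> Dict[str, str]:
    """Map each package to "ok", "mismatch", "missing" or "unlisted".  "unlisted"
    flags an .rpm in the directory that the advisory never mentioned, so a stray
    file from a mirror is not installed by accident."""
    results: Dict[str, str] = {}
    for name, digest in expected.items():
        path = download_dir / name
        if not path.is_file():
            results[name] = "missing"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for path in download_dir.glob("*.rpm"):
        if path.name not in expected:
            results[path.name] = "unlisted"
    return results


def all_verified(results: Dict[str, str]) -> bool:
    """True only when every advisory package is present and matches."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo() -> Dict[str, str]:
    """Constructed run: one intact package, one modified on the mirror after
    the advisory was published, and one file the advisory never listed."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good = {
            "example-a-1.0-1.i586.rpm": b"contents of package a",
            "example-b-1.0-1.i586.rpm": b"contents of package b",
        }
        for name, data in good.items():
            (d / name).write_bytes(data)
        # Advisory text laid out the way SUSE-SA announcements print it.
        advisory = "   x86 Platform:\n\n   openSUSE 10.3:\n"
        for name, data in good.items():
            advisory += f"     http://mirror.example/update/10.3/rpm/i586/{name}\n"
            advisory += f"              {md5_hex(data)}\n"
        expected = parse_advisory_checksums(advisory)
        # Simulate a mirror serving a modified package plus an extra file.
        (d / "example-b-1.0-1.i586.rpm").write_bytes(b"contents of package b, modified")
        (d / "example-c-1.0-1.i586.rpm").write_bytes(b"never in the advisory")
        return verify_packages(expected, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

    In practice, save the verified announcement to a file, pass its contents
    to parse_advisory_checksums() and point verify_packages() at the
    directory the packages were downloaded into; install only if
    all_verified() is true.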

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    opensuse-security@opensuse.org
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    opensuse-security-announce@opensuse.org
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    ====================================================================
    SUSE's security contact is  or .
    The  public key is listed below.
    ====================================================================
