--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated openoffice.org packages fix security issues Advisory ID: FLSA:154988 Issue date: 2005-05-12 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2004-0752 CAN-2005-0941 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated openoffice.org packages that fix two security issues are now available. OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. 2. Relevant releases/architectures: Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: Secunia Research reported an issue with the handling of temporary files. A malicious local user could use this flaw to access the contents of another user's open documents. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0752 to this issue. A heap based buffer overflow bug was found in the OpenOffice.org DOC file processor. An attacker could create a carefully crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0941 to this issue. All users of OpenOffice.org are advised to upgrade to these updated packages which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154989 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154988 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154742 6. RPMs required: Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openoffice-1.0.2-11.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/openoffice-1.0.2-11.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/openoffice-i18n-1.0.2-11.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/openoffice-libs-1.0.2-11.2.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openoffice.org-1.1.0-16.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/openoffice.org-1.1.0-16.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/openoffice.org-i18n-1.1.0-16.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/openoffice.org-libs-1.1.0-16.2.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openoffice.org-1.1.3-11.4.0.fc2.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/openoffice.org-1.1.3-11.4.0.fc2.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/openoffice.org-i18n-1.1.3-11.4.0.fc2.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/openoffice.org-kde-1.1.3-11.4.0.fc2.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/openoffice.org-libs-1.1.3-11.4.0.fc2.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 8b3935db6ed8864aa0839971c272eacd4cb46963 redhat/9/updates/i386/openoffice-1.0.2-11.2.legacy.i386.rpm b3bbc948ec2c261fe0b44bc5f6ffd0d38243c241 redhat/9/updates/i386/openoffice-i18n-1.0.2-11.2.legacy.i386.rpm fc5a82e620de2fd69f3327382a44c6159c73087d redhat/9/updates/i386/openoffice-libs-1.0.2-11.2.legacy.i386.rpm b71dd5e5630c2967e78d4e9339075d736b6b6773 redhat/9/updates/SRPMS/openoffice-1.0.2-11.2.legacy.src.rpm e93f1b81c245b1d5168256b24aa8c82f6dacb2da fedora/1/updates/i386/openoffice.org-1.1.0-16.2.legacy.i386.rpm 1adaa0cf3764aaef0cd8a9597d24f217ee547d0a fedora/1/updates/i386/openoffice.org-i18n-1.1.0-16.2.legacy.i386.rpm 2ebd3693673e0320c2d6407696949cf0fef2b9b3 fedora/1/updates/i386/openoffice.org-libs-1.1.0-16.2.legacy.i386.rpm d9ca1a29721ad845db6de1a01c6096163e54078d fedora/1/updates/SRPMS/openoffice.org-1.1.0-16.2.legacy.src.rpm a28d80af75d648060587326ef3872a240e339b87 fedora/2/updates/i386/openoffice.org-1.1.3-11.4.0.fc2.i386.rpm ff7f301dfedbb042810991928ec59aee83c2b12e fedora/2/updates/i386/openoffice.org-i18n-1.1.3-11.4.0.fc2.i386.rpm ed14c1e035b9a1fa44b1c16812bae81894d74828 fedora/2/updates/i386/openoffice.org-kde-1.1.3-11.4.0.fc2.i386.rpm 06e156914d032b19deb05c27da73fd6901b45fe5 fedora/2/updates/i386/openoffice.org-libs-1.1.3-11.4.0.fc2.i386.rpm a003e78128a72b0d297d0fdb5faf5e1793cd02e6 fedora/2/updates/SRPMS/openoffice.org-1.1.3-11.4.0.fc2.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0752 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0941 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature