------------------------------------------------------------
Arch Linux Security Warning                    ALSW 2007-#17
------------------------------------------------------------
Name:      libwpd
Date:      2007-03-16
Severity:  Normal
Warning #: 2007-#17
------------------------------------------------------------

Product Background
===================
libwpd is a C++ library designed to help process WordPerfect documents.
It is most commonly used to import WordPerfect documents into other word
processors, but may be useful in other cases as well.

Problem Background
===================
Remote exploitation of multiple buffer overflow vulnerabilities in
libwpd, as included in various vendors' operating system distributions,
could allow an attacker to execute arbitrary code.

Impact
==========
Successful exploitation of these vulnerabilities requires an attacker to
persuade a user to open a specially crafted WordPerfect (WPD) document.
If successful, the attacker could execute arbitrary code with the
permissions of the victim.

Problem Packages
===================
Package: libwpd
Repo:    extra
Group:   lib
Unsafe:  < 0.8.9
Safe:    >= 0.8.9

Package Fix
===================
Upgrade to 0.8.9.

From libwpd's site:

libwpd 0.8.9, codename "Integers, integers, integers, ...", has been
released. This release fixes integer arithmetic related security issues
described as CVE-2007-0002 brought to our attention by iDefense
security. An attacker could create a carefully crafted Word Perfect file
that could cause an application linked with libwpd, such as OpenOffice,
to crash or possibly execute arbitrary code with the current user
privileges if the file was opened by a victim.

The libwpd code-base was reviewed by us for other similar integer
related issues. Issues discovered were fixed in this release. Needless
to say that libwpd-0.8.9 is API and ABI compatible with all previous
versions from the 0.8.x series. Users are encouraged to use in
preference this version in their production environment.

Older versions of OpenOffice.org use an embedded copy of libwpd. That
problem is now fixed, because Arch Linux's version of OO.org uses the
system version of libwpd, which is secure.

===================
Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html

Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0002
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=490

Contact
===================
JJDaNiMoTh <[EMAIL PROTECTED]>
_______________________________________________
arch mailing list
[email protected]
http://archlinux.org/mailman/listinfo/arch
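
A check for the version range given under Problem Packages (Unsafe: < 0.8.9, Safe: >= 0.8.9), as an added example that is not part of the original advisory or of Arch Linux's tooling. The function names `ver_lt` and `classify_libwpd` are hypothetical, the sample lines are constructed in the "name version-pkgrel" form that `pacman -Q` prints, and versions are assumed to be plain dotted numbers without an epoch.

```shell
#!/bin/sh
# Added example: classify a libwpd package version against the advisory's range.
SAFE_VERSION="0.8.9"   # first safe version, taken from the advisory

# ver_lt A B: succeed if dotted numeric version A is lower than B.
# Fields are compared as integers, so 0.8.10 is NOT lower than 0.8.9
# (a plain string comparison would get that case wrong).
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}   # ignore non-numeric suffixes
        [ -n "$fa" ] || fa=0                   # a missing field counts as 0
        [ -n "$fb" ] || fb=0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal
}

# classify_libwpd LINE: LINE is "name version-pkgrel".
# Prints "unsafe", "safe", or "not-libwpd".
classify_libwpd() {
    name=${1%% *}
    ver=${1#* }
    ver=${ver%-*}   # drop the pkgrel suffix
    [ "$name" = "libwpd" ] || { echo "not-libwpd"; return 0; }
    if ver_lt "$ver" "$SAFE_VERSION"; then echo "unsafe"; else echo "safe"; fi
}

# Constructed sample lines (not captured from a real system).
# On an installed system: classify_libwpd "$(pacman -Q libwpd)"
for line in "libwpd 0.8.8-1" "libwpd 0.8.9-1" "libwpd 0.8.10-2" "zlib 1.2.3-1"; do
    printf '%-18s %s\n' "$line" "$(classify_libwpd "$line")"
done
```

This only covers the system package; an application that ships its own embedded copy of libwpd, as the note about older OpenOffice.org versions describes, has to be checked separately.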
