Hi everyone,
I am forwarding this security advisory that appeared on the international
mailing lists.
----
Kind regards, Pierluigi Tassi
-----Original Message-----
From: Herbert Duerr [mailto:[email protected]]
Sent: Saturday, 25 April 2015 21:14
To: [email protected]; [email protected];
[email protected]
Subject: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS
Vulnerability
CVE-2015-1774
OpenOffice HWP Filter Remote Code Execution and Denial of Service Vulnerability
A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial
of service (memory corruption and application crash) or possibly execution of
arbitrary code by preparing specially crafted documents in the HWP document
format.
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
All Apache OpenOffice versions 4.1.1 and older are affected.
Mitigation:
Apache OpenOffice users are advised to remove the problematic library in the
"program" folder of their OpenOffice installation. On Windows it is named
"hwp.dll", on Mac it is named "libhwp.dylib" and on Linux it is named
"libhwp.so". Alternatively the library can be renamed to anything else e.g.
"hwp_renamed.dll".
This mitigation will drop AOO's support for documents created in "Hangul Word
Processor" versions from 1997 or older. Users of such documents are advised to
convert their documents to other document formats such as OpenDocument before
doing so.
Apache OpenOffice aims to fix the vulnerability in version 4.1.2.
Credits:
Thanks to an anonymous contributor working with VeriSign iDefense Labs.
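
The rename mitigation described in the advisory, as an added shell example that is not part of the original message or of Apache OpenOffice. The function names are hypothetical, the "program" directory is passed in by the caller, and the `_renamed` suffix follows the advisory's "hwp_renamed.dll" example.

```shell
#!/bin/sh
# Added example: apply the advisory's rename mitigation to one OpenOffice
# "program" directory supplied by the caller (no install path is assumed).

# Library names listed in the advisory (Windows, Mac, Linux).
HWP_LIBS="hwp.dll libhwp.dylib libhwp.so"

# Print "present" if a loadable HWP library exists in the directory,
# "renamed" if only a *_renamed copy exists, otherwise "absent".
hwp_filter_status() {
    dir=$1
    state=absent
    for lib in $HWP_LIBS; do
        base=${lib%.*}; ext=${lib##*.}
        if [ -e "$dir/$lib" ]; then
            echo present
            return 0
        fi
        if [ -e "$dir/${base}_renamed.$ext" ]; then
            state=renamed
        fi
    done
    echo "$state"
}

# Rename every HWP library found to <name>_renamed.<ext>.
# Returns 0 when no loadable HWP library remains, non-zero on error.
disable_hwp_filter() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for lib in $HWP_LIBS; do
        [ -e "$dir/$lib" ] || continue
        base=${lib%.*}; ext=${lib##*.}
        target="$dir/${base}_renamed.$ext"
        if [ -e "$target" ]; then
            # Do not clobber an earlier renamed copy; let the admin decide.
            echo "refusing to overwrite $target" >&2
            return 1
        fi
        mv -- "$dir/$lib" "$target" || return 1
        echo "renamed $lib -> ${base}_renamed.$ext"
    done
    [ "$(hwp_filter_status "$dir")" != present ]
}
```

Source the file and call `disable_hwp_filter` with the path of the installation's "program" folder; `hwp_filter_status` can be run afterwards, or after an upgrade, to confirm the library has not reappeared.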