VAŽNO! Open Office security info!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-2149 OpenOffice.org memory overwrite vulnerability

Reference: http://www.openoffic…-2012-2149.html

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.

Description:

Effected versions of OpenOffice.org use a customized libwpd that has a
memory overwrite vulnerability that could be exploited by a specially
crafted Wordperfect WPD-format document, potentially leading to
arbitrary-code execution at application user privilege level.

Mitigation

OpenOffice.org 3.3.0 and 3.4 beta users are advised to upgrade to
Apache OpenOffice 3.4, where WPD files are ignored. Users who are
unable to upgrade immediately should be cautious when opening
untrusted WPD documents.

Credits

The Apache OpenOffice Security Team acknowledges Kestutis Gudinavicius
of SEC Consult Unternehmensberatung GmbH as the discoverer of this flaw.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJPs8AeAAoJEGFAoYdHzLzHpw4P/3hRQxaIre8XARxy9JiT+HX3
xCFp+ksNHQBlCf7KUDhy0uz5KFzzrPHKoJCVTXBmMz2CErsIJs5rf4ePZhdj2V96
z87qKRojEbeWQGw1lIfXWnytnk1GpPoSb51vhu20J2g4K0IUCor8LTWisVeeVhFu
TlEaNLreQHn+0fVCdYnCWenWzFqJfWvxcUXi3OSysT7+fAacF63ZayuFhGT6WygP
QXdW8fwhwAnFvwcBU4aSVX0tEpbAvQoZGw4EwlU0Osz6DHhJmlH9BYtsvAGX0amh
6Ow/Rg8J1dOicX7W7+bGcgIeNkBalbbiKrMJ2l5SEBhOkFEi0vOJZwDBqceHDDvC
wXYXAIyLqjyd7uyBslnAPqAVoAt3s4ZpAEHKPXSOpWBe4U6idcFNSM2QOj+IEbic
BROlOFXhJnRi69bowISAXdm6bKX/hvFhu9YhbmEfOE2sczp2FfGZ27W80QAboFG+
tfT9a6KmA3pDeh9OPkxABmjhhisPHuP9oSuz0xOiGjcR2A/d7DCtnEQUeLzTV7WI
wtgrlqkJhezNs7JVDcCEm0qXxAUJVTx9KCYvHPFR3IiuKgZba9Keu88wZs9yd/9f
cKSHOSDj2SZ4f4J3lM+llF/z0zjP/hmaQJgKTNsiaO3xl5AzORXMVH25fn4s9UCk
685l8u67flHuv0Iq+m35
=6F6B
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-2334 Vulnerabilities related to malformed Powerpoint files
in OpenOffice.org 3.3.0

Reference: http://www.openoffic…-2012-2334.html

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.

Description:

A review of the code in filter/source/msfilter msdffimp.cxx revealed
some unchecked memory allocations, which could be exploited via
malformed Powerpoint graphics records (“escher”) to cause bad_alloc
exceptions. From this vulnerability a denial of service attack is
possible.

Mitigation

OpenOffice.org 3.3.0 and 3.4 beta users are advised to upgrade to
Apache OpenOffice 3.4. Users who are unable to upgrade immediately
should be cautious when opening untrusted documents.

Credits

The Apache OpenOffice Security Team credits Sven Jacobias as the
discoverer of this flaw.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJPs8AjAAoJEGFAoYdHzLzHPiIP/15rlvzCaozoZfXAL1/0BXBA
X/gPJPqIsS88bG7CTOxmQ2fzLXj0MrCe4OIQ/piKkzglymybKcJzaOK2Kv3eCwZ1
KQeC2FDu16LBtymySuZaA86iMY4nsfWRdNkrrMYS1/pdvX6ouxEEi4zHqAKTNuhu
CusnujucvQAxXgdCEYTp7hU1ZtUPJm/4jQ2DkIqGTqusqE85IwwXNP/cw/eQbtmH
rTTw/piY69KViJbz+iSBZ8EpfFmvEbdtrz0lxwvQNGDy4em+CwjqTH5tqV4b31Ln
d5LagTQM5qdTlEAK01KDc3iPst7NrUrU5kN3ohjvpzlTGP74LqB0sTnBljm7TTCd
V7RQTxsPF8GiVeutAq/TozvL83xdqmbVKyYfZR0YYmG+6RKNMERoCkgZAKhKVaJ2
xhAOiywrU2c8QAkO4iQlP+jkGyDBf2tzjdOl7haga+upnXfTy7TfTcpxd/UTs1lx
atSPkQFpsvOexQ4yYKN687bUvmpWZzjwOEu4TmSFeOYD9KV5UGrVwt4ymkuLYl32
Brdp+1PY3fp9BWIRCy7FjY62BvW4EwbExiLr7OsKl7OmB2XWMvnS3p0owNuRrb87
i+536fO20e0cmp8BiFM6GhwY+eIJvnO77csDgEd5v+1tJGvskTFb7qss7yx/367Q
fKJPdxJyUiuOWdg9bMV0
=9Scx
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-1149 OpenOffice.org integer overflow error in vclmi.dll module
when allocating memory for an embedded image object

Reference: http://www.openoffice.org/security/cves/CVE-2012-1149.html

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.

Description:

The vulnerability is caused due to an integer overflow error in the
vclmi.dll module when allocating memory for an embedded image object.
This can be exploited to cause a heap-based buffer overflow via, for
example using a specially crafted JPEG object within a DOC file.

Mitigation

OpenOffice.org 3.3.0 and 3.4 beta users are advised to upgrade to
Apache OpenOffice 3.4. Users who are unable to upgrade immediately
should be cautious when opening untrusted documents.

Credits

The Apache OpenOffice Security Team credits Tielei Wang via
Secunia SVCRP as the discoverer of this flaw.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJPs8AZAAoJEGFAoYdHzLzHP18P/jAzoagU2m7A6xmlrnM0obXE
J/+jkn/1T9SeUZqoV8Kxj3Xm079824SkGCfV+Vh449aEjz9mOcYeYdzF/Q2bLHUc
5+RASR10/KGUrONwTW7Y7aHgJKULqACayEAibtJdjTQf2c6bmPQtP0NvqBvqRnwO
I47wgF3nz7yTzmyJxCbM4c2zZl5yZ4fV+PScu4oignKCKWdihGWpyCsC68uaCaNL
/++Ef62uFg0ZhCHxbMeeg6XxG/I0AwDuCjLJucmZiTMFalVRilZ7RAJTq333pZO5
Ll1gOZhVFMahYWUuyRfEvSxthd1/XH8qSqaqZ7iIW636QorSReexCbyU6L8D+/J9
y5Z/ldgjT37/Y2HOtshugZ2/YYasORQRDG6dcfTsagBSz0t6NI8XjZ5HrOv2A+gq
2tUokw5wRWd0U/oi6HZVwbgsE93WlK2TacHKJEs3Ej7g9t/hmeQKlkgczy0DH7WB
sDNadAqJLCzgc/84MY4ZDDSx9bmYUJGwXJwo0yGtZEVdSD9sJbnVqw6pLBZoLXRZ
hAkaBnCJTackjfzaisd7+x+iLVUp1S2fllcTAoNUMehRhjtCP8MCwIqcEQL+QUyj
yQRcFO4+r20NTGNPaAiwanu/H4tUe+HZErh2T/NEWh4LXqrxdQWbVHMTFLM4BNgX
cKjC87ugWCKXVyyTQKiA
=HHf0
-----END PGP SIGNATURE-----

A Libreoffice? :slight_smile:

Nema informacija…LO neće da deli takve informacije sa ASF, navodno zbog licence (čitaj:para) :slight_smile:

“Sukob niskog intenziteta” na relaciji OO i LO se nastavlja…Apache ima IBM leđa, i kameno stabilnu reputaciju, a hype oko “naprednih opcija” kojima je LO navodno odmakao u odnosu na OO, iz sve snage spinuje SUSE (čitaj: M$) :slight_smile:

Činjenica je da je u poslednjih godinu-dve dana svaka linux distribucija ubacila LO kao default office paket, kao što je i činjenica da iole ozbiljniji korisnici to M$ “čedo” odmah zamene/vrate se na OO :slight_smile: