-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2007.0010 -- [Debian]
         New OpenOffice.org packages fix arbitrary code execution
                              9 January 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              openoffice.org
Publisher:            Debian
Operating System:     Debian GNU/Linux 3.1
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-5870

Ref:                  ESB-2007.0002

Original Bulletin:    http://www.debian.org/security/2007/dsa-1246

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1246-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 8th, 2007                       http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2006-5870
Debian Bug     : 405679 405986

John Heasman from Next Generation Security Software discovered a heap
overflow in the handling of Windows Metafiles in OpenOffice.org, the
free office suite, which could lead to a denial of service and
potentially execution of arbitrary code.

For the stable distribution (sarge) this problem has been fixed in
version 1.1.3-9sarge4.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.4-1.

We recommend that you upgrade your openoffice.org package.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge4.dsc
      Size/MD5 checksum:     2878 3adfe8b09c20248767fe9d995b3f184c
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge4.diff.gz
      Size/MD5 checksum:  4623655 108120f3b365317fa9c47b25a5445fce
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3.orig.tar.gz
      Size/MD5 checksum: 166568714 5250574bad9906b38ce032d04b765772

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-af_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2647376 8704f95d7e844e302abcae4d403f7818
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ar_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2694806 89cc4671d9d38ff05e5a361a06e02098
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ca_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2690164 45db102838292106429d06f2c9d4a77f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cs_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3586142 03e0e6ba4d7abc4954fb7ffe4e04ced6
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-cy_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2662654 ff77cf34ec2cfc0d8deaa49edf5ed00f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-da_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3581922 7f69ac15b11613a649a2a08ff1501fd8
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-de_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3453208 fcd76abbb9df7cd707e36903e9db1f17
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-el_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2741468 ab08c03a0f0d78c3db9c99bd80fe12f1
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-en_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3525792 12c71a26f9512295ab442fb63e8711a3
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-es_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3560792 9965231fb1b0c3956ddb09255b91c86b
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-et_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2645014 baa0a0c809a740273d8dfd87b946d81b
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-eu_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2667748 740c781dd55cad46fdc52c1926d5854e
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fi_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2673164 f8b2c8d335490dcaaf3f1bcb63eb72ec
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-fr_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3494058 674365c474453cf6590a82c2b2d3d631
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-gl_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2657584 7ce93bcb8f34a3f05f7560b5631a5ed8
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-he_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2659220 0eb0857819464be35dd9d7c81beaa0b5
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-hi_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2695686 3ca8a13e1d82d3036a92606bdce79b16
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-hu_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2771502 836d91201b70e5747a8099f5a5517deb
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-it_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3555644 3f3f0518c84cc9a7e191c6e025c67dcd
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ja_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3564244 80fc0de1fc7d84360091e53bdca22853
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-kn_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2685084 7c5fb3784626924e0c0ce5149191c5f7
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ko_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3540114 4c9bed5f7bcea97d3ab3b117640c626d
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-lt_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2672762 3778280d7eca49a1fbcd401750530fcc
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nb_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2663808 d69aa15d7e5ecece8ee1fef8efde0341
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nl_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3559972 5f2d3ecab6bb697e66ee82b4e31d7bc0
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-nn_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2663552 2c1645edd72ca4ee2b6721848b3b360e
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ns_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2664676 5d3d924327b847377da15e74dbf70877
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pl_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3238860 fcbda1d9de3fc009fa663319b91e2a3a
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pt-br_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3526050 966acfd1ae82a776bdb4f23108600225
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-pt_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3161406 d4d4fd2f3e77c5586e30f2f875dc33c3
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-ru_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3332148 55aca35c906a10915e053988b7aa3c09
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sk_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3603192 2788a27445e52e81917364aba2a85c0a
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sl_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3599238 29ba9e01fb897c1287af13a4c478aeda
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-sv_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3542822 665126a7f85234beb95d648e20534027
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-th_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2689084 ac5b2a0123d8631a182a7de77e63ccf9
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-tn_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2650990 be8c4d81ccad1cc9951395fdf7ff078b
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-tr_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2893818 488f3310417ade7cff1b013f7e0d5e82
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zh-cn_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3553030 9cd6554701566bc264cc479452b0dcd4
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zh-tw_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3548654 e7992921765ffc14f8d212799addb02f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-l10n-zu_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  2672242 635031d8e6cc4b7c16f3eefad4edb05f
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-mimelnk_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:    67184 e44a08734ab212bdbc017f9675dff986
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-thesaurus-en-us_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  3130960 d659b041a6f58679cf05a67de068b6f3
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:  6852620 9b1363c6d3e7395595687112f6632a36
    http://security.debian.org/pool/updates/main/o/openoffice.org/ttf-opensymbol_1.1.3-9sarge4_all.deb
      Size/MD5 checksum:   137130 89898024ed9949ede2af7df7a907857b

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge4_i386.deb
      Size/MD5 checksum: 41473164 201d3654e0f25c09cad426a834a6a732
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge4_i386.deb
      Size/MD5 checksum:  1858664 17e895e4db8a124105597bd091fe77db
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge4_i386.deb
      Size/MD5 checksum:   164568 dd1b783a99d9d7e08fa7d0f3707cdf16
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge4_i386.deb
      Size/MD5 checksum:   160158 12e000d7418c4c79540cb0dabdf73c31
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge4_i386.deb
      Size/MD5 checksum:   144160 efafeabb9e208f32dcd4d930f022453e

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge4_powerpc.deb
      Size/MD5 checksum: 39929314 f47ffa291dc5e5423ad286da20780fa0
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge4_powerpc.deb
      Size/MD5 checksum:  1865702 af0983cce9e7f71bfa36445eb525c8be
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge4_powerpc.deb
      Size/MD5 checksum:   161596 ddba4d76fed158c9c4c0441e0de71647
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge4_powerpc.deb
      Size/MD5 checksum:   158824 e50a700f00a8fb92ddaf554fe3cc6fdd
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge4_powerpc.deb
      Size/MD5 checksum:   142330 8746389ad88f5176a6db6b75c0c503cb

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge4_s390.deb
      Size/MD5 checksum: 42751682 c5b8173b85bf0f0931c98c2f204a5c05
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge4_s390.deb
      Size/MD5 checksum:  1852730 18d41fcb730e667b6eaeb600dd36a1b5
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge4_s390.deb
      Size/MD5 checksum:   166852 0122761ef0c613aa3f64f7e6685a7311
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge4_s390.deb
      Size/MD5 checksum:   166716 c70e54ac2a1ab5c4b23fb017128db5ec
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge4_s390.deb
      Size/MD5 checksum:   145354 fec4c419919354ae32c114563c8b6390

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-bin_1.1.3-9sarge4_sparc.deb
      Size/MD5 checksum: 40804144 3f6d727294d3992769146240bb532e69
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-dev_1.1.3-9sarge4_sparc.deb
      Size/MD5 checksum:  1847714 7d50650e99e42aa2f0da81493b862274
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-evolution_1.1.3-9sarge4_sparc.deb
      Size/MD5 checksum:   168000 b703ad63b11459d7062517a7cbb1b776
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-gtk-gnome_1.1.3-9sarge4_sparc.deb
      Size/MD5 checksum:   158394 e2ec76119983f45320a3d2aa5b9112f4
    http://security.debian.org/pool/updates/main/o/openoffice.org/openoffice.org-kde_1.1.3-9sarge4_sparc.deb
      Size/MD5 checksum:   139900 e7b6f94dabdbe6ac98b9e22d8425c27c


  These files will probably be moved into the stable distribution on
  its next update.
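
Added example, not part of the Debian advisory or the AusCERT bulletin: a Python sketch that parses the "Size/MD5 checksum" entries in the format listed above and checks a downloaded file against them before it is passed to dpkg -i. The function names, the mirror.example URL and the sample file are constructed for this example.

```python
import hashlib
import os
import re
import tempfile

# One entry as printed in the advisory: a URL line, then an indented
# "Size/MD5 checksum: <bytes> <md5hex>" line.
ENTRY_RE = re.compile(
    r"^\s*(?P<url>\S+://\S+)\s*\n"
    r"\s*Size/MD5 checksum:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\s*$",
    re.MULTILINE,
)

def parse_manifest(text):
    """Return {filename: (size, md5hex)} for every entry in the advisory text."""
    return {
        m["url"].rsplit("/", 1)[-1]: (int(m["size"]), m["md5"])
        for m in ENTRY_RE.finditer(text)
    }

def verify_file(path, entries):
    """Compare a downloaded file with its listed size and MD5; return (ok, reason)."""
    name = os.path.basename(path)
    if name not in entries:
        return False, "not listed in advisory"
    want_size, want_md5 = entries[name]
    size = os.path.getsize(path)          # cheap check first
    if size != want_size:
        return False, f"size {size} != {want_size}"
    digest = hashlib.md5()                # MD5 is what the advisory publishes; trust
    with open(path, "rb") as f:           # rests on the PGP signature over the listing
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    if digest.hexdigest() != want_md5:
        return False, "MD5 mismatch"
    return True, "ok"

def demo():
    """Constructed sample: a fake .deb plus a manifest entry built to match it."""
    body = b"constructed package bytes\n"
    manifest = (
        "    http://mirror.example/pool/example_1.0_all.deb\n"
        f"      Size/MD5 checksum: {len(body):8d} {hashlib.md5(body).hexdigest()}\n"
    )
    entries = parse_manifest(manifest)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example_1.0_all.deb")
        with open(path, "wb") as f:
            f.write(body)
        good = verify_file(path, entries)
        with open(path, "wb") as f:       # same length, altered content
            f.write(body.replace(b"bytes", b"bytez"))
        bad = verify_file(path, entries)
    return good, bad

if __name__ == "__main__":
    print(demo())                         # dpkg -i only after (True, "ok")
```

Verify the advisory's PGP signature before trusting the parsed values; the checksums only tie a file to the signed listing.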

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFomU9W5ql+IAeqTIRAjEhAKCWHXIONHIycsGuudRBcXgjB3wfuACeLW2s
7j3OtpYbfYNL11PbVVIuUNw=
=UQ54
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRaLYnyh9+71yA2DNAQIGKgQAkpr5jS/hbMMdJ9xakFRSDkMy2kDLIfCn
1pmHL5XDUEamVhsFSYAwJUHMxQJkO70UkZYo6U4eO7ljWhkiAgWggOkXBAGsWy9B
sfMgBS5zQPgzwGGRYFzXJqjnZpnVr8ws0VLCBpJk7OfO4QKEc1WIA2Mr1r+4l8Se
zyf10C8HcsQ=
=mJWz
-----END PGP SIGNATURE-----