openoffice-dev mailing list archives

From Gunter Stadie <gunter.sta...@arcor.de>
Subject Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
Date Sun, 14 Jun 2015 16:58:36 GMT
Dear Mr. Duerr,

I recognized today that the latest version of OpenOffice is 4.1.1.
Therefore I do not understand your message.

Best regards
Gunter Stadie

On 25.04.2015 at 21:13, Herbert Duerr wrote:
> CVE-2015-1774
>
> OpenOffice HWP Filter Remote Code Execution and Denial of Service
> Vulnerability
>
> A vulnerability in OpenOffice's HWP filter allows attackers to cause a
> denial of service (memory corruption and application crash) or possibly
> execution of arbitrary code by preparing specially crafted documents in
> the HWP document format.
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>
>      All Apache OpenOffice versions 4.1.1 and older are affected.
>
> Mitigation:
>
> Apache OpenOffice users are advised to remove the problematic library in
> the "program" folder of their OpenOffice installation. On Windows it is
> named "hwp.dll", on Mac it is named "libhwp.dylib" and on Linux it is
> named "libhwp.so". Alternatively the library can be renamed to anything
> else e.g. "hwp_renamed.dll".
> This mitigation will drop AOO's support for documents created in "Hangul
> Word Processor" versions from 1997 or older. Users of such documents are
> advised to convert their documents to other document formats such as
> OpenDocument before doing so.
>
> Apache OpenOffice aims to fix the vulnerability in version 4.1.2.
>
> Credits:
>
> Thanks to an anonymous contributor working with VeriSign iDefense Labs.
>
>
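
The workaround from the quoted advisory, as an added example that is not part of the original messages or of Apache OpenOffice's own tooling: a Python script that renames the HWP filter library inside a given "program" folder. The function names, the status strings and the `--apply` flag are assumptions made for this example; the library names and the `_renamed` naming follow the advisory.

```python
"""Apply the CVE-2015-1774 workaround: rename the HWP filter library."""
import sys
from pathlib import Path

# Library names as given in the advisory, one per platform.
HWP_LIBRARIES = ("hwp.dll", "libhwp.dylib", "libhwp.so")


def renamed_path(lib: Path) -> Path:
    """hwp.dll -> hwp_renamed.dll, following the advisory's example name."""
    return lib.with_name(f"{lib.stem}_renamed{lib.suffix}")


def disable_hwp_filter(program_dir, dry_run=True):
    """Return a list of (library name, status) for one "program" folder.

    Status is "absent", "already-renamed", "would-rename", "renamed"
    or "conflict" (both the original and the renamed file exist).
    """
    program_dir = Path(program_dir)
    if not program_dir.is_dir():
        raise NotADirectoryError(program_dir)
    results = []
    for name in HWP_LIBRARIES:
        lib = program_dir / name
        target = renamed_path(lib)
        if not lib.is_file():
            status = "already-renamed" if target.is_file() else "absent"
        elif target.exists():
            # The original is present again next to a renamed copy, so the
            # filter is loadable; never overwrite, report for manual review.
            status = "conflict"
        elif dry_run:
            status = "would-rename"
        else:
            lib.rename(target)
            status = "renamed"
        results.append((name, status))
    return results


if __name__ == "__main__":
    # Usage (hypothetical script name): disable_hwp.py PROGRAM_DIR [--apply]
    if len(sys.argv) < 2:
        sys.exit("usage: disable_hwp.py PROGRAM_DIR [--apply]")
    dry = "--apply" not in sys.argv[2:]
    for name, status in disable_hwp_filter(sys.argv[1], dry_run=dry):
        print(f"{name}: {status}")
```

Without `--apply` the script only reports what it would do; as the advisory notes, convert old HWP documents to another format before renaming the library.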

