Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#6612 - Warning on libwpd
Attached to Project: Arch Linux
Opened by DaNiMoTh (DaNiMoTh) - Friday, 16 March 2007, 20:24 GMT
Last edited by Jan de Groot (JGC) - Sunday, 18 March 2007, 21:17 GMT
Details
------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#17
------------------------------------------------------------
Name: libwpd
Date: 2007-03-16
Severity: Normal
Warning #: 2007-#17
------------------------------------------------------------

Product Background
===================
libwpd is a C++ library designed to help process WordPerfect documents. It is most commonly used to import WordPerfect documents into other word processors, but may be useful in other cases as well.

Problem Background
===================
Remote exploitation of multiple buffer overflow vulnerabilities in libwpd, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code.

Impact
==========
Successful exploitation of these vulnerabilities requires an attacker to persuade a user into opening a specially crafted WordPerfect (WPD) document. If successful, the attacker could execute arbitrary code with the permissions of the victim.

Problem Packages
===================
Package: libwpd
Repo: extra
Group: lib
Unsafe: < 0.8.9
Safe: >= 0.8.9

Package Fix
===================
Upgrade to 0.8.9.

From libwpd's site:
libwpd 0.8.9, codename "Integers, integers, integers, ...", has been released. This release fixes an integer arithmetic related security issues described as CVE-2007-0002 brought to our attention by iDefense security. An attacker could create a carefully crafted Word Perfect file that could cause an application linked with libwpd, such as OpenOffice, to crash or possibly execute arbitrary code with the current user privileges if the file was opened by a victim. The libwpd code-base was reviewed by us for other similar integer related issues. Issues discovered were fixed in this release. Needless to say that libwpd-0.8.9 is API and ABI compatible with all previous versions from the 0.8.x series. Users are encouraged to use in preference this version in their production environment.

===================
Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html

Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0002
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=490
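
Added example, not part of the original report or of any Arch Linux tooling: a small Python check that reads the advisory's "Problem Packages" fields and tests an installed package version against the "Unsafe"/"Safe" constraints. The function names are hypothetical, and the version comparison is a simplification that assumes dotted-integer versions with an optional "-pkgrel" suffix; it is not pacman's vercmp.

```python
import re

# Constructed input: the "Problem Packages" block of the advisory above.
ADVISORY_TEXT = """\
Package: libwpd
Repo: extra
Group: lib
Unsafe: < 0.8.9
Safe: >= 0.8.9
"""

OPERATORS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
}


def parse_fields(text):
    """Return the 'Key: value' lines of an advisory block as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def version_key(version):
    """Turn '0.8.10-2' into (0, 8, 10); the trailing pkgrel is ignored.
    Assumption: dotted integers only. Epochs and letters are rejected
    rather than guessed at."""
    upstream = version.split("-")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", upstream):
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(int(part) for part in upstream.split("."))


def matches(version, constraint):
    """True if version satisfies a constraint such as '< 0.8.9'."""
    m = re.fullmatch(r"(<=|>=|<|>|=)\s*(\S+)", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    # Compare numerically per component, so 0.8.10 sorts after 0.8.9.
    return OPERATORS[m.group(1)](version_key(version), version_key(m.group(2)))


def is_vulnerable(installed, fields):
    """True if the installed version falls in the advisory's Unsafe range."""
    return matches(installed, fields["Unsafe"])
```

On a real system the installed version would come from the package manager; here it is passed in as a string so the check runs offline.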
Closed by Jan de Groot (JGC)
Sunday, 01 April 2007, 15:29 GMT
Reason for closing: Fixed
Additional comments about closing: Openoffice uses system libwpd now.
We want to build OpenOffice from source, depending on system dependencies mostly in the very near future. PKGBUILDs are ready for that, but we're waiting for them to release 2.2 final.