Petter Reinholdtsen
2011-Jan-26 22:49 UTC
[Secure-testing-team] Is this patch ok (CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454)?
Four CVE entries for OOo were just announced on bugtraq, and I extracted this info from the announcement. I''m not sure if a version number is required in the data/CVE/list file, so I dare not commit this patch. Posting it here in the hope that someone who do know can have a look and commit it. The fix is in the recently released version 3.3 of OOo. No idea which versions are affected, nor if LibreOffice is affected. Index: list ==================================================================--- list (revision 15980) +++ list (working copy) @@ -4694,14 +4694,18 @@ NOT-FOR-US: EnergyScripts Simple Download CVE-2010-3455 (Cross-site scripting (XSS) vulnerability in index.php in AChecker 1.0 ...) NOT-FOR-US: AChecker -CVE-2010-3454 - RESERVED -CVE-2010-3453 - RESERVED -CVE-2010-3452 - RESERVED -CVE-2010-3451 - RESERVED +CVE-2010-3454 (Insecure pointer manipulation for parsing lists in Word documents) + - openoffice.org + NOTE: http://www.vsecurity.com/resources/advisory/20110126-1/ +CVE-2010-3453 (Insecure pointer manipulation for parsing lists in Word documents) + - openoffice.org + NOTE: http://www.vsecurity.com/resources/advisory/20110126-1/ +CVE-2010-3452 (Use after free for multilevel list parsing in RTF documents) + - openoffice.org + NOTE: http://www.vsecurity.com/resources/advisory/20110126-1/ +CVE-2010-3451 (Use after free for table parsing in RTF documents) + - openoffice.org + NOTE: http://www.vsecurity.com/resources/advisory/20110126-1/ CVE-2010-3450 RESERVED CVE-2010-3449 (Cross-site request forgery (CSRF) vulnerability in Redback before ...) Happy hacking, -- Petter Reinholdtsen