Published: 2005-05-02 00:00:00
Last revised: 2017-10-10 21:30:01

[Original] The StgCompObjStream::Load function in OpenOffice 1.1.4 and earlier allocates memory based on 16 bit length values, but processes memory using 32 bit values, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a DOC document with certain length values, which leads to a heap-based buffer overflow.

[CNNVD] OpenOffice DOC document information reading heap overflow vulnerability (CNNVD-200505-067)


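- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)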


- OVAL (technical details for detection)

oval:org.mitre.oval:def:9106: The StgCompObjStream::Load function in OpenOffice 1.1.4 and earlier allocates memory based on 16 bit length values, but proce...

- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20050412 OpenOffice DOC document Heap Overflow
(UNKNOWN)  BID  13092

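- Vulnerability information

OpenOffice DOC document information reading heap overflow vulnerability
Medium severity, buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00

- Advisories and patches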


- Vulnerability information (F39094)

Ubuntu Security Notice 121-1 (PacketStormID:F39094)
2005-08-06 00:00:00
advisory,overflow,arbitrary,code execution

Ubuntu Security Notice USN-121-1 - The StgCompObjStream::Load() failed to check the validity of a length field in documents. If an attacker tricked a user to open a specially crafted OpenOffice file, this triggered a buffer overflow which could lead to arbitrary code execution with the privileges of the user opening the document.

Ubuntu Security Notice USN-121-1	       May 06, 2005 vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

The problem can be corrected by upgrading the affected package to
version 1.1.2-2ubuntu6.1 (for Ubuntu 4.10 on i386 and powerpc),
1.1.2-2ubuntu6.1-1 (for Ubuntu 4.10 on amd64), 1.1.3-8ubuntu2.3 (for
Ubuntu 5.04 on i386 and powerpc), or 1.1.3-8ubuntu2.3-1 (for Ubuntu
5.04 on amd64).  In general, a standard system upgrade is sufficient
to effect the necessary changes.

Details follow:

The StgCompObjStream::Load() failed to check the validity of a length
field in documents. If an attacker tricked a user to open a specially
crafted OpenOffice file, this triggered a buffer overflow which could
lead to arbitrary code execution with the privileges of the user
opening the document.

The update for Ubuntu 5.04 (Hoary Hedgehog) also contains a
translation update: The "" package now contains
actual Xhosa translations (the previous version just shipped English

Updated packages for Ubuntu 4.10 (Warty Warthog):


Updated packages for Ubuntu 5.04 (Hoary Hedgehog):



- Vulnerability information

15491 (OOo) DOC Processing StgCompObjStream::Load() Function Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

- Timeline

2005-03-30 Unknown
Unknown Unknown

- Solution


Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

OpenOffice Malformed Document Remote Heap Overflow Vulnerability
Boundary Condition Error 13092
Yes No
2005-04-11 12:00:00 2007-02-23 01:06:00
Discovery is credited to AD-LAB.

- Affected program versions

SGI ProPack 3.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Desktop 1.0
RedHat Linux 9.0 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
OpenOffice OpenOffice 2.0 Beta
OpenOffice OpenOffice 1.9.79
OpenOffice OpenOffice 1.1.4
+ Gentoo Linux
OpenOffice OpenOffice 1.1.3
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
OpenOffice OpenOffice 1.1.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
OpenOffice OpenOffice 1.1.1
OpenOffice OpenOffice 1.1 .0
OpenOffice OpenOffice 1.0.2
OpenOffice OpenOffice 1.0.1
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0

- Vulnerability discussion

OpenOffice is reported prone to a remote heap-overflow vulnerability.

An attacker may exploit this issue by crafting a malformed '.doc' file and enticing a user to open this file with the affected application. If a vulnerable user opens this file in OpenOffice, the application may crash due to memory corruption. The attacker may also be able to leverage this issue to execute arbitrary code in the context of the user running OpenOffice.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- Solution

Please see the referenced advisories for more information.

OpenOffice OpenOffice 1.0.2

OpenOffice OpenOffice 1.1 .0

OpenOffice OpenOffice 1.1.1

OpenOffice OpenOffice 1.1.2

OpenOffice OpenOffice 1.1.3

- Related references