Planet - USN-1056-1: OpenOffice.org vulnerabilities

Author: SecurityTeam | From: Ubuntu security notices | 2011/2/3 6:31:33

Referenced CVEs:

CVE-2010-2935, CVE-2010-2936, CVE-2010-3450, CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454, CVE-2010-3689, CVE-2010-4253, CVE-2010-4643

Description:

===========================================================
Ubuntu Security Notice USN-1056-1 February 02, 2011
openoffice.org vulnerabilities
CVE-2010-2935, CVE-2010-2936, CVE-2010-3450, CVE-2010-3451,
CVE-2010-3452, CVE-2010-3453, CVE-2010-3454, CVE-2010-3689,
CVE-2010-4253, CVE-2010-4643
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
openoffice.org-core 1:2.4.1-1ubuntu2.5
openoffice.org-impress 1:2.4.1-1ubuntu2.5
openoffice.org-writer 1:2.4.1-1ubuntu2.5

Ubuntu 9.10:
openoffice.org-core 1:3.1.1-5ubuntu1.3
openoffice.org-impress 1:3.1.1-5ubuntu1.3
openoffice.org-writer 1:3.1.1-5ubuntu1.3

Ubuntu 10.04 LTS:
openoffice.org-core 1:3.2.0-7ubuntu4.2
openoffice.org-impress 1:3.2.0-7ubuntu4.2
openoffice.org-writer 1:3.2.0-7ubuntu4.2

Ubuntu 10.10:
openoffice.org-core 1:3.2.1-7ubuntu1.1
openoffice.org-impress 1:3.2.1-7ubuntu1.1
openoffice.org-writer 1:3.2.1-7ubuntu1.1

In general, a standard system update will make all the necessary changes.

Details follow:

Charlie Miller discovered several heap overflows in PPT processing. If
a user or automated system were tricked into opening a specially crafted
PPT document, a remote attacker could execute arbitrary code with user
privileges. Ubuntu 10.10 was not affected. (CVE-2010-2935, CVE-2010-2936)

Marc Schoenefeld discovered that directory traversal was not correctly
handled in XSLT, OXT, JAR, or ZIP files. If a user or automated system
were tricked into opening a specially crafted document, a remote attacker
could overwrite arbitrary files, possibly leading to arbitrary code
execution with user privileges. (CVE-2010-3450)

Dan Rosenberg discovered multiple heap overflows in RTF and DOC
processing. If a user or automated system were tricked into opening a
specially crafted RTF or DOC document, a remote attacker could execute
arbitrary code with user privileges. (CVE-2010-3451, CVE-2010-3452,
CVE-2010-3453, CVE-2010-3454)

Dmitri Gribenko discovered that OpenOffice.org did not correctly
handle LD_LIBRARY_PATH in various tools. If a local attacker
tricked a user or automated system into using OpenOffice.org from an
attacker-controlled directory, they could execute arbitrary code with
user privileges. (CVE-2010-3689)
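
For the LD_LIBRARY_PATH issue above, a common way a launcher script mishandles this variable is to prepend its own directory with an unconditional ':', which leaves a zero-length entry that the dynamic loader resolves as the current working directory. The following is an added example, not part of the Ubuntu notice or of OpenOffice.org's code: it audits a search-path value for such entries and shows the hardened prepend; the function names and the directory /opt/example/program are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a colon-separated library search path for entries
# that resolve relative to the current working directory.

# unsafe_entries VALUE
# Prints each risky entry on its own line ("<empty>" for a zero-length one).
# Returns 0 if any risky entry was found, 1 if the value is clean.
unsafe_entries() {
    value=$1
    found=1
    [ -z "$value" ] && return 1       # empty variable: no entries at all
    rest="$value:"                    # sentinel ':' keeps a trailing empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") echo "<empty>"; found=0 ;;  # loader treats this as the cwd
            /*) ;;                          # absolute path: fine
            *)  echo "$entry"; found=0 ;;   # ".", "lib", "../x": cwd-relative
        esac
    done
    return $found
}

# Pattern that goes wrong: always adds ':' even when the old value is empty.
naive_prepend() {
    printf '%s\n' "$1:$2"
}

# Hardened prepend: add the separator only when the old value is non-empty.
safe_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# Constructed demo values; /opt/example/program is a placeholder directory.
for old in "" "/usr/local/lib"; do
    for fn in naive_prepend safe_prepend; do
        new=$($fn /opt/example/program "$old")
        if bad=$(unsafe_entries "$new"); then
            echo "$fn -> '$new' UNSAFE entries: $bad"
        else
            echo "$fn -> '$new' ok"
        fi
    done
done
```

The same audit can be pointed at the value a wrapper script exports before it starts a program, for instance by calling `unsafe_entries "$LD_LIBRARY_PATH"` at the end of the script during testing.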

Marc Schoenefeld discovered that OpenOffice.org did not correctly process
PNG images. If a user or automated system were tricked into opening a
specially crafted document, a remote attacker could execute arbitrary
code with user privileges. (CVE-2010-4253)

It was discovered that OpenOffice.org did not correctly process TGA
images. If a user or automated system were tricked into opening a
specially crafted document, a remote attacker could execute arbitrary
code with user privileges. (CVE-2010-4643)