ESB-2009.1668 - [UNIX/Linux][Mandriva] koffice: Multiple vulnerabilities
Date: 22 December 2009
References: ESB-2009.1470 ESB-2009.1513 ESB-2010.0317
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2009.1668
Vulnerabilities identified in koffice
22 December 2009

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           koffice
Publisher:         Mandriva
Operating System:  Mandriva Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3609 CVE-2009-3606

Reference:         ESB-2009.1513
                   ESB-2009.1470

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Mandriva. It is recommended that administrators
         running koffice check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2009:336
http://www.mandriva.com/security/
_______________________________________________________________________

Package : koffice
Date    : December 17, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Security vulnerabilities have been discovered and fixed in pdf
processing code embedded in koffice package (CVE-2009-3606 and
CVE-2009-3609).

This update fixes these vulnerabilities.

Packages for 2008.0 are being provided due to extended support for
Corporate products.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
Mandriva Linux 2008.0/X86_64:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLKqD9mqjQ0CJFipgRAr8VAKCQS6a2whK9tC9m4aoGmNUMM3P26ACgyue+
UwD+FTPTViwBP2obIZwUBYQ=
=lSgW
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLMAK8NVH5XJJInbgRAqnGAJ4znesgJ8nalALDNG1VhcrQsVK15gCfR4KK
3RHhapKRdCgANuqXPd9EXag=
=UB8i
-----END PGP SIGNATURE-----
http://www.auscert.org.au/render.html?cid=1980&it=12153