Date: 07 July 2006
References: ESB-2006.0439
AusCERT Update AU-2006.0025 - [Debian]
Revised Debian OpenOffice.org update fixes arbitrary code execution
7 July 2006
AusCERT Update Summary
----------------------
Product: openoffice.org
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2006-3117
Ref: ESB-2006.0439
Original Bulletin: http://www.debian.org/security/2006/dsa-1104
Comment: The XML document handling vulnerability (CVE-2006-3117) was
not fully fixed by the previous Debian update for OpenOffice.org.
--------------------------BEGIN INCLUDED TEXT--------------------
--------------------------------------------------------------------------
Debian Security Advisory DSA 1104-2                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
July 6th, 2006                          http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : openoffice.org
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2006-3117
Loading malformed XML documents can cause buffer overflows in
OpenOffice.org, a free office suite, and cause a denial of service or
execute arbitrary code. It turned out that the correction in DSA
1104-1 was not sufficient, hence, another update.

The old stable distribution (woody) does not contain OpenOffice.org
packages.

For the stable distribution (sarge) this problem has been fixed in
version 1.1.3-9sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.3-1.

We recommend that you upgrade your OpenOffice.org packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
--------------------------END INCLUDED TEXT--------------------
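
An added example (not part of the Debian advisory or the AusCERT bulletin): a Python check of installed openoffice.org versions against the fixed versions the advisory names, 1.1.3-9sarge3 for sarge and 2.0.3-1 for sid, using Debian's version-ordering rules. The host names and installed versions in INVENTORY are constructed sample data, and all function names are this example's own.

```python
import re

# Fixed versions as stated in DSA 1104-2.
FIXED = {"sarge": "1.1.3-9sarge3", "sid": "2.0.3-1"}

def _order(c):
    # Non-digit ordering: '~' sorts before everything, letters before punctuation.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Walk both strings as alternating non-digit / digit runs, left to right.
    while a or b:
        na, da, a = re.match(r"([^0-9]*)([0-9]*)(.*)", a).groups()
        nb, db, b = re.match(r"([^0-9]*)([0-9]*)(.*)", b).groups()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0  # end of run counts as 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = int(da or 0), int(db or 0)  # empty digit run counts as 0
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare(a, b):
    # Returns -1, 0 or 1 as version a is older than, equal to or newer than b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def needs_update(dist, installed):
    return compare(installed, FIXED[dist]) < 0

# Constructed inventory rows: (host, distribution, installed version).
INVENTORY = [("host-a", "sarge", "1.1.3-9sarge2"), ("host-b", "sarge", "1.1.3-9sarge3"),
             ("host-c", "sid", "2.0.2-5")]

def vulnerable_hosts(rows=INVENTORY):
    return [host for host, dist, ver in rows if needs_update(dist, ver)]
```

On a Debian host itself, `dpkg --compare-versions <installed> lt 1.1.3-9sarge3` performs the same comparison.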
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================