oss-sec mailing list archives
Re: CVE Request -- openoffice.org (CVE-2008-4841)
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 22 Jan 2009 17:27:52 -0500 (EST)
On Wed, 21 Jan 2009, Jan Lieskovsky wrote:
What's the strategy in this case -- will we need a new CVE-2008 id for this issue && the openoffice.org1 case? (And if so, could you allocate one?)
A new one is needed since (I assume) it's not a shared codebase between Microsoft and the Linux distros. A 2009 number is being used since the announcement for this particular product was made in 2009. Consider buffer overflows in FTP servers with a long username - same exact bug, but at least 20 different implementations have been hit with it so far. Use CVE-2009-0259 - Steve ====================================================== Name: CVE-2009-0259 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0259 Reference: MILW0RM:6560 Reference: URL:http://www.milw0rm.com/exploits/6560 Reference: MISC:http://milw0rm.com/sploits/2008-crash.doc.rar Reference: MLIST:[oss-security] 20090121 CVE Request -- openoffice.org (CVE-2008-4841) Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/21/9 The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows remnote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008, as demonstrated by 2008-crash.doc.rar, and a similar issue to CVE-2008-4841.
Current thread:
- CVE Request -- openoffice.org (CVE-2008-4841) Jan Lieskovsky (Jan 21)
- Re: CVE Request -- openoffice.org (CVE-2008-4841) Steven M. Christey (Jan 22)