Apache OpenOffice 内存损坏漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1166872 漏洞类型 缓冲区溢出
发布时间 2013-07-26 更新时间 2013-07-26
CVE编号 CVE-2013-2189 CNNVD-ID CNNVD-201307-578
漏洞平台 N/A CVSS评分 6.8
|漏洞来源
https://www.securityfocus.com/bid/61465
https://cxsecurity.com/issue/WLB-2013070213
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201307-578
|漏洞详情
OpenOffice.org(OOo)是美国阿帕奇(Apache)软件基金会的一款开源的办公软件套件。该套件包含文本文档、电子表格、演示文稿、绘图、数据库等。ApacheOOo3.4.0至3.4.1之前的版本中存在内存损坏漏洞,该漏洞源于当解析畸形的DOC文档文件时处理无效的PLCF(PlexofCharacterPositionsinFile)数据。远程攻击者可利用该漏洞造成拒绝服务(内存损坏)或产生其他影响。
|漏洞EXP
CVE-2013-2189
OpenOffice DOC Memory Corruption Vulnerability

Severity: Important
Vendor: The Apache Software Foundation

Versions Affected:
     Apache OpenOffice 3.4.0 to 3.4.1 on all platforms.
     Predecessor versions of OpenOffice.org may be also affected.

Description:

     The vulnerability is caused by operating on invalid PLCF (Plex of
Character Positions in File) data when parsing a malformed DOC document
file. Specially crafted documents can be used for denial-of-service
attacks. Further exploits are possible but have not been verified.

Mitigation:

     Apache OpenOffice 3.4 users are advised to upgrade to Apache
OpenOffice 4.0. Users who are unable to upgrade immediately should be
cautious when opening untrusted documents.

Credits:

     The Apache OpenOffice Security Team credits Jeremy Brown of
Microsoft Vulnerability Research as the discoverer of this flaw.

Herbert Drr
Member of the Apache OpenOffice Security Team
|参考资料

来源:www.openoffice.org
链接:http://www.openoffice.org/security/cves/CVE-2013-2189.html
来源:BUGTRAQ
名称:20130726CVE-2013-2189:OpenOfficeDOCMemoryCorruptionVulnerability
链接:http://seclists.org/bugtraq/2013/Jul/173
来源:OSVDB
名称:95704
链接:http://osvdb.org/95704
来源:BID
名称:61465
链接:http://www.securityfocus.com/bid/61465