CVE-2012-2149
OpenOffice.org memory overwrite vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
- Earlier versions may also be affected.
Description:
Affected versions of OpenOffice.org use a customized libwpd that has a memory overwrite vulnerability. A specially crafted WordPerfect WPD-format document could exploit it, potentially leading to arbitrary code execution with the privileges of the application user.
Mitigation
OpenOffice.org 3.3.0 and 3.4 beta users are advised to upgrade to Apache OpenOffice 3.4, where WPD files are ignored. Users who are unable to upgrade immediately should be cautious when opening untrusted WPD documents.
Credits
The Apache OpenOffice Security Team acknowledges Kestutis Gudinavicius of SEC Consult Unternehmensberatung GmbH as the discoverer of this flaw.