There's a short analysis from Josh Bressers at this URL. Here's what he said:
This looks like it's an integer overflow that's then crashing when memset tries to write lots of zeros onto the heap.
The memset at line 2302 tries to write 3523215364 zeros onto the heap at the location of pPLCF_PosArray.
I don't see this exploitable beyond a DoS given the codepath here. If someone else could take a look and agree or disagree with me I would appreciate it.
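The failure mode described in the analysis, a count taken from the file being turned into a memset length, is the classic case for a checked size computation in a parser. The following is an added C example, not OpenOffice.org's code and not a reconstruction of the real bug: the names (`pos_array_bytes_unchecked`, `pos_array_bytes_checked`, `alloc_pos_array`, `POS_ENTRY_SIZE`) are hypothetical, and the entry count `0x34800001` is constructed so that 4 bytes per entry gives exactly 3523215364, the memset length quoted above. It shows the unchecked 32-bit arithmetic beside the check a parser should make: reject a count whose byte size overflows, and reject any array larger than what is left of the input file, so an untrusted size never reaches memset.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical: each position entry is a 32-bit file offset. */
#define POS_ENTRY_SIZE 4u

/* Unchecked 32-bit size computation: the count read from the file is
 * multiplied by the entry size in 32-bit arithmetic. A large count gives an
 * absurd size, and a count above 2^30 wraps around to a tiny one, so the
 * result no longer reflects the array the file claims to contain. */
uint32_t pos_array_bytes_unchecked(uint32_t count) {
    return count * POS_ENTRY_SIZE;
}

/* Checked version: refuses counts whose byte size would overflow size_t,
 * and refuses any array larger than the bytes actually remaining in the
 * input, since a genuine array must have been read from the file.
 * Returns 1 and stores the size on success, 0 on rejection. */
int pos_array_bytes_checked(uint32_t count, size_t bytes_left, size_t *out) {
    if (count > SIZE_MAX / POS_ENTRY_SIZE)
        return 0;                         /* count * size would overflow */
    size_t bytes = (size_t)count * POS_ENTRY_SIZE;
    if (bytes > bytes_left)
        return 0;                         /* claims more data than the file holds */
    *out = bytes;
    return 1;
}

/* Allocates and zeroes the array only after the size passes the checks;
 * returns NULL instead of handing an untrusted length to memset. */
int32_t *alloc_pos_array(uint32_t count, size_t bytes_left) {
    size_t bytes;
    if (!pos_array_bytes_checked(count, bytes_left, &bytes))
        return NULL;
    int32_t *arr = malloc(bytes ? bytes : 1);   /* avoid malloc(0) portability issues */
    if (arr == NULL)
        return NULL;
    memset(arr, 0, bytes);                      /* bounded by the checks above */
    return arr;
}

int main(void) {
    /* Constructed counts: one that yields the quoted 3523215364-byte memset,
     * one that wraps in 32-bit arithmetic, and one small legitimate count. */
    uint32_t huge = 0x34800001u, wrapping = 0x40000001u, small = 16u;
    size_t bytes_left = 65536;   /* constructed: bytes remaining in the input */
    size_t bytes;

    printf("unchecked: %" PRIu32 " entries -> %" PRIu32 " bytes\n",
           huge, pos_array_bytes_unchecked(huge));
    printf("unchecked: %" PRIu32 " entries -> %" PRIu32 " bytes (wrapped)\n",
           wrapping, pos_array_bytes_unchecked(wrapping));
    printf("checked:   huge count accepted? %d\n",
           pos_array_bytes_checked(huge, bytes_left, &bytes));
    printf("checked:   wrapping count accepted? %d\n",
           pos_array_bytes_checked(wrapping, bytes_left, &bytes));

    int32_t *arr = alloc_pos_array(small, bytes_left);
    printf("checked:   small count allocated? %d\n", arr != NULL);
    free(arr);
    return 0;
}
```

The key design point is that the bound is derived from data the parser already trusts (bytes remaining in the input), not from the count in the file; a cap like this turns a malformed document into a clean parse error rather than a crash.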
Well, I have issued a bug in OOo's Bug Tracker (#72641, which is now marked duplicate since there is another issue which is the same, #72614). I hope it can be fixed before the release date of OpenOffice.org 2.2, which will be rolled out on 27 February 2007 (according to the OpenOffice.org 2.2 Release Schedule). It's been fixed now and there's an update for that (see below). Luckily, this flaw is not as severe as in MS Office. OOo does crash, but it does not harm your system at all.
As a temporary workaround, do not open a .doc file from someone you don't know.
Update (20 Dec 2006 7:41 AM): The OOo Security team has clarified that this issue has been fixed and a patch is available from the #72614 issue tracker (less than 4 days to fix this bug). Those who would like to have an update immediately, please download the latest OOo build with patches at this URL.
Update (21 Dec 2006 7:41 AM): A Windows build which includes the fixes is now also available from the above URL.
I have also added some new resources related to this bug:
- Malte Timmermann's Blog
- OOo's patch
- Issue #72614
- FrSIRT