[Secure-testing-team] Is this patch ok (CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454)?
Petter Reinholdtsen
pere at hungry.com
Wed Jan 26 22:49:36 UTC 2011
Four CVE entries for OOo were just announced on bugtraq, and I
extracted this info from the announcement.
I'm not sure if a version number is required in the data/CVE/list
file, so I dare not commit this patch. Posting it here in the hope
that someone who does know can have a look and commit it.
The fix is in the recently released version 3.3 of OOo. No idea which
versions are affected, nor if LibreOffice is affected.
Index: list
===================================================================
--- list (revision 15980)
+++ list (working copy)
@@ -4694,14 +4694,18 @@
NOT-FOR-US: EnergyScripts Simple Download
CVE-2010-3455 (Cross-site scripting (XSS) vulnerability in index.php in AChecker 1.0 ...)
NOT-FOR-US: AChecker
-CVE-2010-3454
- RESERVED
-CVE-2010-3453
- RESERVED
-CVE-2010-3452
- RESERVED
-CVE-2010-3451
- RESERVED
+CVE-2010-3454 (Insecure pointer manipulation for parsing lists in Word documents)
+ - openoffice.org
+ NOTE: http://www.vsecurity.com/resources/advisory/20110126-1/
+CVE-2010-3453 (Insecure pointer manipulation for parsing lists in Word documents)
+ - openoffice.org
+ NOTE: http://www.vsecurity.com/resources/advisory/20110126-1/
+CVE-2010-3452 (Use after free for multilevel list parsing in RTF documents)
+ - openoffice.org
+ NOTE: http://www.vsecurity.com/resources/advisory/20110126-1/
+CVE-2010-3451 (Use after free for table parsing in RTF documents)
+ - openoffice.org
+ NOTE: http://www.vsecurity.com/resources/advisory/20110126-1/
CVE-2010-3450
RESERVED
CVE-2010-3449 (Cross-site request forgery (CSRF) vulnerability in Redback before ...)
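Review bot: the four added "- openoffice.org" lines carry nothing after the package name, so none of the new entries records a fixed version or a status, which is the point the message itself is unsure about. Since the message says the fix is in upstream 3.3, put the fixed package version on those lines once it is known, or mark them explicitly as not yet fixed until then. Separately, CVE-2010-3454 and CVE-2010-3453 get word-for-word the same description; if the advisory in the NOTE line distinguishes the two, a short qualifier on each would keep them from looking like duplicates.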
Happy hacking,
--
Petter Reinholdtsen