Integer overflow in the TIFF parser in OpenOffice.org (OOo) before 2.3; and Sun StarOffice 6, 7, and 8 Office Suite (StarSuite); allows remote attackers to execute arbitrary code via a TIFF file with crafted values of unspecified length fields, which triggers allocation of an incorrect amount of memory, resulting in a heap-based buffer overflow.

StarSuite 8 (Solaris_x86): Update 18.
Date this patch was last updated by Sun : Mar/15/11

StarOffice 8 (Solaris_x86): Update 18.
Date this patch was last updated by Sun : Mar/15/11

StarSuite 8 (Solaris): Update 18.
Date this patch was last updated by Sun : Mar/15/11

StarOffice 8 (Solaris): Update 18.
Date this patch was last updated by Sun : Mar/15/11

From Red Hat Security Advisory 2007:0848 :

Updated openoffice.org packages to correct a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program.

A heap overflow flaw was found in the TIFF parser. An attacker could create a carefully crafted document containing a malicious TIFF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if opened by a victim. (CVE-2007-2834)

All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix to correct this issue.

A heap overflow flaw was found in the TIFF parser. An attacker could create a carefully crafted document containing a malicious TIFF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if opened by a victim. (CVE-2007-2834)

iDefense reports :

Remote exploitation of multiple integer overflow vulnerabilities within OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code.

These vulnerabilities exist within the TIFF parsing code of the OpenOffice suite. When parsing the TIFF directory entries for certain tags, the parser uses untrusted values from the file to calculate the amount of memory to allocate. By providing specially crafted values, an integer overflow occurs in this calculation. This results in the allocation of a buffer of insufficient size, which in turn leads to a heap overflow.

This update of OpenOffice_org fixes a bug in TIFF parsing code that leads to a heap overflow. (CVE-2007-2834) This bug can be exploited with user assistance to execute arbitrary code.

An integer overflow was discovered in the TIFF handling code in OpenOffice. If a user were tricked into loading a malicious TIFF image, a remote attacker could execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This security updates addresses CVE-2007-2834 a flaw in how openoffice.org handles corrupt TIFF graphic format file headers

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200710-24 (OpenOffice.org: Heap-based buffer overflow)

    iDefense Labs reported that the TIFF parsing code uses untrusted values     to calculate buffer sizes, which can lead to an integer overflow     resulting in heap-based buffer overflow.
  Impact :

    A remote attacker could entice a user to open a specially crafted     document, possibly leading to execution of arbitrary code with the     privileges of the user running OpenOffice.org.
  Workaround :

    There is no known workaround at this time.

Updated openoffice.org packages to correct a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program.

A heap overflow flaw was found in the TIFF parser. An attacker could create a carefully crafted document containing a malicious TIFF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if opened by a victim. (CVE-2007-2834)

All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix to correct this issue.

An integer overflow in the TIFF parser in OpenOffice.org prior to version 2.3 allows remote attackers to execute arbitrary code via a TIFF file with crafted values which triggers the allocation of an incorrect amount of memory which results in a heap-based buffer overflow.

Updated packages have been patched to prevent this issue.

A heap overflow vulnerability has been discovered in the TIFF parsing code of the OpenOffice.org suite. The parser uses untrusted values from the TIFF file to calculate the number of bytes of memory to allocate. A specially crafted TIFF image could trigger an integer overflow and subsequently a buffer overflow that could cause the execution of arbitrary code.

The remote Windows host has a program that is affected by multiple buffer overflow vulnerabilities. The remote host is running a version of OpenOffice.org that is affected by multiple integer overflows in its TIFF document parser that can be triggered when parsing tags in TIFF directory entries.  If a remote attacker can trick a user into opening a specially-crafted TIFF document, he may be able to leverage this issue to execute arbitrary code on the remote host subject to the user's privileges.

The remote host is running a version of Sun Microsystems OpenOffice.org that is affected by multiple integer overflows in its TIFF document parser that can be triggered when parsing tags in TIFF directory entries. If a remote attacker can trick a user into opening a specially crafted TIFF document, this issue can be leveraged to execute arbitrary code on the remote host subject to the user's privileges.

ID	Name	Product	Family	Severity
107858	Solaris 10 (x86) : 120190-23	Nessus	Solaris Local Security Checks	high
107857	Solaris 10 (x86) : 120186-23	Nessus	Solaris Local Security Checks	high
107356	Solaris 10 (sparc) : 120189-23	Nessus	Solaris Local Security Checks	high
107355	Solaris 10 (sparc) : 120185-23	Nessus	Solaris Local Security Checks	high
67561	Oracle Linux 3 / 4 : openoffice.org (ELSA-2007-0848)	Nessus	Oracle Linux Local Security Checks	high
60251	Scientific Linux Security Update : openoffice.org on SL5.x, SL4.x, SL3.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
56500	FreeBSD : openoffice -- arbitrary command execution vulnerability (e595e170-6771-11dc-8be8-02e0185f8d72)	Nessus	FreeBSD Local Security Checks	high
29367	SuSE 10 Security Update : OpenOffice (ZYPP Patch Number 4320)	Nessus	SuSE Local Security Checks	high
28129	Ubuntu 6.06 LTS / 6.10 / 7.04 : openoffice.org/-amd64 vulnerability (USN-524-1)	Nessus	Ubuntu Local Security Checks	high
27771	Fedora 7 : openoffice.org-2.2.1-18.2.fc7 (2007-2372)	Nessus	Fedora Local Security Checks	high
27556	GLSA-200710-24 : OpenOffice.org: Heap-based buffer overflow	Nessus	Gentoo Local Security Checks	high
27140	openSUSE 10 Security Update : OpenOffice_org (OpenOffice_org-4319)	Nessus	SuSE Local Security Checks	high
26109	RHEL 3 / 4 / 5 : openoffice.org (RHSA-2007:0848)	Nessus	Red Hat Local Security Checks	high
26106	Mandrake Linux Security Advisory : openoffice.org (MDKSA-2007:186)	Nessus	Mandriva Local Security Checks	high
26082	Fedora Core 6 : openoffice.org-2.0.4-5.5.24 (2007-700)	Nessus	Fedora Local Security Checks	high
26078	Debian DSA-1375-1 : openoffice.org - buffer overflow	Nessus	Debian Local Security Checks	high
26074	CentOS 3 / 4 / 5 : openoffice.org (CESA-2007:0848)	Nessus	CentOS Local Security Checks	high
4216	OpenOffice < 2.3 TIFF Parser Multiple Overflows	Nessus Network Monitor	Generic	medium
26064	Sun OpenOffice.org < 2.3 TIFF Parser Buffer Overflow Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2007-2834

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium

high