On 11/20/2011 07:26 AM, Volker Merschmann wrote:
> Hi,
>
> 2011/11/20 Miyoshi Omori <miyoshi.om...@gmail.com>:
>> Hello,
>> My request is about information security.
>>
>> Security issues have already been announced as, CVE-2011-2713
>> corresponds to a comment.
>> TDF as information, but said that it had been made LibreOffice
>> 3.4.3 and 3.3.4 fixed.
>> According to NIST report
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713,
>> 3.3.4 is classified as a vulnerable version on this security issue.
>> If it is incorrect, could you formally request a modification of
>> information as TDF.
>> As a user, it is also a serious problem.
>
> Thanks for reporting, I also think the information about 3.3.4 is
> incorrect there.
>
> Your mail has been forwarded to the security team.
>
>
> Volker
>

https://bugzilla.redhat.com/show_bug.cgi?id=725668
[(CVE-2011-2713) CVE-2011-2713 openoffice.org: Out-of-bounds read in DOC sprm parser]
Status: CLOSED NOTABUG

https://bugzilla.redhat.com/show_bug.cgi?id=725668#c14
<quote>
Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT

It initially appeared that this flaw may be exploitable similar to
CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution.
However in the case of this particular flaw, the junk data read is just
parsed into an internal representation of properties and the maximum
harm this should cause is application crash (Denial Of Service).

Timeline:
- Reported to securityt...@openoffice.org on 25-July-2011
- Received a reply (with tdf-secur...@lists.documentfoundation.org
  copied) on the same date
- Release date changed with a few delays in between
- Release on 5-Oct-2011

Statement:
This issue results in an OOB read which is not exploitable for arbitrary
code execution and can simply cause a crash. We do not consider this as
a security issue.
</quote>