On 11/20/2011 07:26 AM, Volker Merschmann wrote: > Hi, > > 2011/11/20 Miyoshi Omori <[email protected]>: >> Hello, >> My request is about information security. >> >> Security issues have already been announced as, CVE-2011-2713 >> corresponds to a comment. >> TDF as information, but said that it had been made LibreOffice >> 3.4.3 and 3.3.4 fixed. >> According to NIST report >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713, >> 3.3.4 is classified as a vulnerable version on this security issue. >> If it is incorrect, could you formally request a modification of >> information as TDF. >> As a user, it is also a serious problem. > > Thanks for reporting, I also think the information about 3.3.4 is > incorrect there. > > Your mail has been forwarded to the security team. > > > Volker > >
https://bugzilla.redhat.com/show_bug.cgi?id=725668 [(CVE-2011-2713) CVE-2011-2713 openoffice.org: Out-of-bounds read in DOC sprm parser] Status: CLOSED NOTABUG https://bugzilla.redhat.com/show_bug.cgi?id=725668#c14 <quote> Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT It initially appeared that this flaw may be exploitable similar to CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution. However in the case of this particular flaw, the junk data read is just parsed into an internal representation of properties and the maximum harm this should cause in application crash (Denial Of Service). Timeline: - Reported to [email protected] on 25-July-2011 - Recieved a reply (with [email protected] copied) on the same date - Release date changed with a few delays in between - Release on 5-Oct-2011 Statement: This issue results in an OOB read which is not exploitable for arbitrary code execution and can simply cause a crash. We do not consider this as a security issue. </quote> -- Unsubscribe instructions: E-mail to [email protected] Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.documentfoundation.org/www/discuss/ All messages sent to this list will be publicly archived and cannot be deleted
