
List:       oss-security
Subject:    Re: [oss-security] OpenOffice.org CVE-2009-2139
From:       Marcus Meissner <meissner () suse ! de>
Date:       2009-09-22 15:47:11
Message-ID: 20090922154711.GC13655 () suse ! de

On Mon, Sep 21, 2009 at 02:42:20PM -0400, Steven M. Christey wrote:
>
> On Thu, 10 Sep 2009, Thomas Biege wrote:
>
> > CVE-2009-2139
> >
> > Manipulated EMF files can lead to heap overflows and arbitrary code
> > execution
> >
> >     * Synopsis: Manipulated EMF files can lead to heap overflows and
> >                 arbitrary code execution
> >     * State: Resolved
>
> We recently created CVE-2009-3239 to address an OpenOffice overflow in
> enhwmf.cxx/emfplus.cxx, as described in SUSE-SR:2009:015:
>
>   "This update of OpenOffice.org fixes potential buffer overflow in EMF
>    parser code (enhwmf.cxx, emfplus.cxx)."
>
> http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
>
> Is CVE-2009-3239 a duplicate of CVE-2009-2139?
>
> (If so, we would probably keep CVE-2009-2139 and remove CVE-2009-3239.)


Our text actually references the issues CVE-2009-2139 and CVE-2009-2140
but did not specify them due to an oversight.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2140

Both are go-ooo.org build-specific issues.

Ciao, Marcus