oss-security - Re: OpenOffice.org CVE-2009-2139

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <Pine.GSO.4.51.0909211440090.23430@faron.mitre.org>
Date: Mon, 21 Sep 2009 14:42:20 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Thomas Biege <thomas@...e.de>
cc: oss-security@...ts.openwall.com
Subject: Re: OpenOffice.org CVE-2009-2139

On Thu, 10 Sep 2009, Thomas Biege wrote:

> CVE-2009-2139
>
> Manipulated EMF files can lead to heap overflows and arbitrary code
> execution
>
>     * Synopsis: Manipulated EMF files can lead to heap overflows and
>                 arbitrary code execution
>     * State: Resolved

We recently created CVE-2009-3239 to address an OpenOffice overflow in
enhwmf.cxx/emfplus.cxx, as described in SUSE-SR:2009:015:

  "This update of OpenOffice.org fixes potential buffer overflow in EMF
   parser code (enhwmf.cxx, emfplus.cxx)."

http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html

Is CVE-2009-3239 a duplicate of CVE-2009-2139?

(If so, we would probably keep CVE-2009-2139 and remove CVE-2009-3239.)

- Steve

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.