Loading malformed XML documents can cause buffer overflows in
OpenOffice.org, a free office suite, and cause a denial of service or
execute arbitrary code. Â It turned out that the correction in DSA
1104-1 was not sufficient, hence, another update. For completeness
please find the original advisory text below:
>
> Several vulnerabilities have been discovered in OpenOffice.org, a free
> office suite. The Common Vulnerabilities and Exposures Project
> identifies the following problems:
>
>
> * CVE-2006-2198
> It turned out to be possible to embed arbitrary BASIC macros in
> documents in a way that OpenOffice.org does not see them but
> executes them anyway without any user interaction.
> * CVE-2006-2199
> It is possible to evade the Java sandbox with specially crafted
> Java applets.
> * CVE-2006-3117
> Loading malformed XML documents can cause buffer overflows and
> cause a denial of service or execute arbitrary code.
>
>
> This update has the Mozilla component disabled, so that the
> Mozilla/LDAP addressbook feature won’t work anymore. It didn’t work on
> anything else than i386 on sarge either.
>
>
>
The old stable distribution (woody) does not contain OpenOffice.org
packages.
For the stable distribution (sarge) this problem has been fixed in
version 1.1.3-9sarge3.
For the unstable distribution (sid) this problem has been fixed in
version 2.0.3-1.
We recommend that you upgrade your OpenOffice.org packages.