OpenOffice patches file-processing flaws

An update to the productivity suite, found on the Asus Eee and other netbooks, has been issued to fix two problems that could let outsiders in

OpenOffice has updated its productivity suite to patch two flaws that could lead to arbitrary code execution. is commonly found on Linux netbooks and is Ubuntu's standard spreadsheet, word processor, database and presentation package.

The flaws affect all versions of prior to 2.4.2. One flaw, detailed in security alert CVE-2008-2237, lies in the way OpenOffice 2.x processes WMF files. The other flaw, detailed in CVE-2008-2238, is due to the way OpenOffice 2.x processes EMF files.

Both vulnerabilities may allow a remote unprivileged user who tricks a local user into opening a manipulated a StarOffice or StarSuite document to execute arbitrary commands on the system. No working exploit is known at the moment for either flaw.

Some netbook makers have turned to OpenOffice's productivity applications for inclusion on models powered by Linux. The Asus Eee comes with OpenOffice 2.0 and both Acer's Aspire One and Everex's Cloudbook come with version 2.3.

There are no workarounds. Both issues are addressed in 2.4.2. 3.0 is not affected by these vulnerabilities.

Show Comments