OpenOffice has updated its productivity suite to patch two flaws that could lead to arbitrary code execution.
OpenOffice.org is commonly found on Linux netbooks and is Ubuntu's standard spreadsheet, word processor, database and presentation package.
The flaws affect all versions of OpenOffice.org prior to 2.4.2. One flaw, detailed in security alert CVE-2008-2237, lies in the way OpenOffice 2.x processes WMF files. The other flaw, detailed in CVE-2008-2238, is due to the way OpenOffice 2.x processes EMF files.
Both vulnerabilities may allow a remote unprivileged user who tricks a local user into opening a manipulated a StarOffice or StarSuite document to execute arbitrary commands on the system. No working exploit is known at the moment for either flaw.
Some netbook makers have turned to OpenOffice's productivity applications for inclusion on models powered by Linux. The Asus Eee comes with OpenOffice 2.0 and both Acer's Aspire One and Everex's Cloudbook come with version 2.3.
There are no workarounds. Both issues are addressed in OpenOffice.org 2.4.2. OpenOffice.org 3.0 is not affected by these vulnerabilities.