First published: Wed Aug 06 2008
It was discovered that the OpenOffice.org memory allocator is not 64-bit clean. The rtl_allocateMemory() function in sal/rtl/source/alloc_global.c accepts one argument, sal_Size n. On 64-bit platforms such as x86_64, sal_Size is defined as unsigned long int. The requested memory chunk size is later memory-aligned as size (type sal_Size), and size is then used to calculate an int index into the g_alloc_table[] array:

    int index = (size - 1) >> RTL_MEMALIGN_SHIFT;

However, as sizeof(int) == 4 and sizeof(sal_Size) == 8 on 64-bit platforms, the calculated value may not fit into index. This can happen when rtl_allocateMemory() is called with a large argument, e.g. when some other flaw causes OpenOffice to attempt to allocate a chunk of memory with a negative size, which wraps to a large positive value during signed -> unsigned type conversion, such as [1]. The value stored in index is wrapped / truncated, possibly resulting in index being negative.

Before index is used, it is checked not to exceed a fixed upper limit, but it is not checked whether its value is >= 0:

    if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)

A negative index used in g_alloc_table[index] will cause OpenOffice to access memory outside of the g_alloc_table[] array. This may result in a crash, or, if that location points to attacker-controlled memory, an attacker may possibly be able to use this flaw to run arbitrary code.

[1] http://www.openoffice.org/issues/show_bug.cgi?id=91818
http://scary.beasts.org/security/CESA-2008-006.html
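The truncation and the missing lower-bound check described above can be reproduced in isolation. The following is an added example, not code from OpenOffice.org: the two macro values are assumed for illustration (the page does not give them), and the function names and the hardened variant are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration: the page names these macros but does
   not state what they expand to. */
#define RTL_MEMALIGN_SHIFT 3
#define RTL_MEMORY_CACHED_LIMIT 16384

/* 'size' models the already aligned 64-bit sal_Size value. */

/* Pattern described on the page: 64-bit result stored in a 32-bit int.
   The casts make the wrap explicit (two's complement truncation). */
static int index_as_described(uint64_t size) {
    return (int)(int32_t)(uint32_t)((size - 1) >> RTL_MEMALIGN_SHIFT);
}

/* Upper-bound-only check: returns 1 if g_alloc_table[index] would be used. */
static int upper_bound_only_accepts(uint64_t size) {
    int index = index_as_described(size);
    return index < (RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT);
}

/* Hardened form (hypothetical helper): keep the index in the same unsigned
   64-bit type as size, so it cannot go negative and one comparison covers
   both bounds. size == 0 wraps to a huge index and is rejected as well. */
static int hardened_accepts(uint64_t size, uint64_t *out_index) {
    uint64_t index = (size - 1) >> RTL_MEMALIGN_SHIFT;
    if (index >= (uint64_t)(RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT))
        return 0;   /* not served from g_alloc_table[] */
    *out_index = index;
    return 1;
}

int main(void) {
    /* Constructed inputs: a normal request, 32 GiB, and -8 converted to unsigned. */
    uint64_t samples[] = { 64, 0x800000000ULL, (uint64_t)-8 };
    for (size_t i = 0; i < 3; i++) {
        uint64_t idx = 0;
        int ok = hardened_accepts(samples[i], &idx);
        printf("size=%#llx int_index=%d flawed_check=%d hardened_check=%d\n",
               (unsigned long long)samples[i], index_as_described(samples[i]),
               upper_bound_only_accepts(samples[i]), ok);
    }
    return 0;
}
```

Compiling with -Wconversion (GCC/Clang) flags an implicit sal_Size-to-int narrowing of this kind at build time.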
Affected Software | Affected Version | How to fix |
---|---|---|
Apache OpenOffice |
The severity of REDHAT-BUG-458056 is considered high due to potential memory allocation issues on 64-bit platforms.
REDHAT-BUG-458056 affects OpenOffice.org by leading to incorrect memory allocation, which may cause application instability.
To fix REDHAT-BUG-458056, ensure you are using the latest patched version of Apache OpenOffice provided by the vendor.
REDHAT-BUG-458056 affects all versions of Apache OpenOffice that utilize the vulnerable memory allocation function.
Currently, there are no well-documented workarounds for REDHAT-BUG-458056 other than applying the recommended patches.