CVE-2012-2665  Manifest-processing errors in Apache OpenOffice 3.4.0

Reference: http://www.openoffice.org/security/cves/CVE-2012-2665.html

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

Apache OpenOffice 3.4.0, all languages, all platforms.
Earlier versions of OpenOffice.org may be also affected.

Description:

When OpenOffice reads an ODF document, it first loads and processes
an XML stream within the file called the manifest. Apache OpenOffice
3.4.0 has logic errors that allows a carefully crafted manifest to
cause reads and writes beyond allocated buffers.

No specific exploit has been demonstrated in this case, though such
flaws generally are conducive to exploitation, possibly including
denial of service and elevation of privilege.

Mitigation

OpenOffice users are advised to upgrade to Apache OpenOffice 3.4.1:

http://www.openoffice.org/download/

Users who are unable to upgrade immediately should exercise caution
when opening untrusted ODF documents.

Credits

The Apache OpenOffice Security Team acknowledges Timo Warns of
PRESENSE Technologies GmbH as the discoverer of these flaws.