OSVDB ID: 9804

Title: OpenOffice/StarOffice Installation Temporary File Information Disclosure

Info

Disclosure

Sep 10, 2004

Discovery

Aug 16, 2004

Dates

Exploit

Sep 10, 2004

Solution

Unknown

Description

OpenOffice contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker extracts content.xml from a compressed file located in /tmp/sv*.tmp/ during the installation procedure, which will disclose user information resulting in a loss of confidentiality.

Classification

Location: Local Access Required
Attack Type: Information Disclosure, Race Condition
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified

Solution

Upgrade to OpenOffice version 1.1.3 or higher or apply Product Update 3 or higher for StarOffice, as they have been reported to fix this vulnerability. It is also possible to temporarily work around the flaw by implementing the following workaround: set a more secure umask.

Products

OpenOffice.org

1.1.2

Sun Microsystems, Inc.

StarOffice

References

Security Tracker: 1011205
Secunia Advisory ID: 12302 12546 12668 12914 12932
CVE ID: 2004-0752 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0082.html
Other Advisory URL: http://secunia.com/secunia_research/2004-5/advisory/
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:103
Vendor Specific Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200410-17.xml
http://www.openoffice.org/issues/show_bug.cgi?id=33357
Vendor URL: http://www.openoffice.org/
RedHat RHSA: RHSA-2004:446

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/9804