libwpd

• Author: voroskoi
• Vulnerable: 0.8.8-1
• Unaffected: 0.8.9-1terminus1

Some vulnerabilities have been reported in libwpd, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise an application using the library.

1. An integer overflow within the “WP6GeneralTextPacket::_readContents” function can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted WordPerfect document in an application using the library.
2. Boundary errors within the “WP3TablesGroup::_readContents()” and “WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup()” functions can be exploited to cause heap-based buffer overflows by e.g. tricking a user into opening a specially crafted WordPerfect document in an application using the library. Successful exploitation may allow the execution of arbitrary code.

• Bug Tracker URL: http://bugs.frugalware.org/task/1842

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0002
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1466