Synopsis:	Important: openoffice.org security update
Issue date:	2008-06-12
CVE Names:	CVE-2008-2152 CVE-2008-2366

Sean Larsson found a heap overflow flaw in the OpenOffice memory 
allocator.  If a carefully crafted file was opened by a victim, an 
attacker could use the flaw to crash OpenOffice.org or, possibly, 
execute arbitrary code. (CVE-2008-2152)

It was discovered that certain libraries in the Scientific Linux 3 and 4 
openoffice.org packages had an insecure relative RPATH (runtime
library search path) set in the ELF (Executable and Linking Format) 
header. A local user able to convince another user to run OpenOffice in 
an attacker-controlled directory could run arbitrary code with the 
privileges of the victim. (CVE-2008-2366)
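
One way to audit installed libraries for the relative RPATH problem described above (an added example, not part of the original advisory or the openoffice.org packages): it parses the text printed by `readelf -d` and reports RPATH/RUNPATH entries that would be resolved against the current working directory. The function names and the sample output are constructed for illustration; empty entries are flagged conservatively, on the assumption that a loader may treat them as the current directory.

```python
import re
import subprocess
import sys

# Matches the RPATH / RUNPATH lines printed by `readelf -d`.
_TAG = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

def search_paths(readelf_dynamic):
    """Return [(tag, [entry, ...])] parsed from `readelf -d` text output."""
    return [(m.group(1), m.group(2).split(":"))
            for m in _TAG.finditer(readelf_dynamic)]

def is_relative(entry):
    """True if the entry depends on the directory the program is started in."""
    if entry == "":
        return True   # assumption: flagged conservatively as "current directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return False  # expands to the directory containing the object itself
    return not entry.startswith("/")

def audit(readelf_dynamic):
    """Return [(tag, entry)] for every relative search-path entry."""
    return [(tag, entry)
            for tag, entries in search_paths(readelf_dynamic)
            for entry in entries if is_relative(entry)]

def audit_file(path):
    """Run `readelf -d` on one ELF file and audit its dynamic section."""
    result = subprocess.run(["readelf", "-d", path],
                            capture_output=True, text=True, check=False)
    return audit(result.stdout)

# Constructed sample of `readelf -d` output (not taken from a real package).
SAMPLE = """\
Dynamic section at offset 0x1f00 contains 24 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libexample.so.1]
 0x0000000f (RPATH)                      Library rpath: [../lib:/usr/lib:$ORIGIN/../program:.]
"""

if __name__ == "__main__":
    for elf in sys.argv[1:]:
        for tag, entry in audit_file(elf):
            print(f"{elf}: {tag} entry {entry!r} is relative")
```

Run it against the shared objects of an installed package; after the update, the libraries should produce no findings.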

SL 3.0.x

     SRPMS:
openoffice.org-1.1.2-42.2.0.EL3.src.rpm
     i386:
openoffice.org-1.1.2-42.2.0.EL3.i386.rpm
openoffice.org-i18n-1.1.2-42.2.0.EL3.i386.rpm
openoffice.org-libs-1.1.2-42.2.0.EL3.i386.rpm
     x86_64:
openoffice.org-1.1.2-42.2.0.EL3.i386.rpm
openoffice.org-i18n-1.1.2-42.2.0.EL3.i386.rpm
openoffice.org-libs-1.1.2-42.2.0.EL3.i386.rpm

SL 4.x

     SRPMS:
openoffice.org-1.1.5-10.6.0.5.EL4.src.rpm
     i386:
openoffice.org-1.1.5-10.6.0.5.EL4.i386.rpm
openoffice.org-i18n-1.1.5-10.6.0.5.EL4.i386.rpm
openoffice.org-kde-1.1.5-10.6.0.5.EL4.i386.rpm
openoffice.org-libs-1.1.5-10.6.0.5.EL4.i386.rpm
     x86_64:
openoffice.org-1.1.5-10.6.0.5.EL4.i386.rpm
openoffice.org-i18n-1.1.5-10.6.0.5.EL4.i386.rpm
openoffice.org-kde-1.1.5-10.6.0.5.EL4.i386.rpm
openoffice.org-libs-1.1.5-10.6.0.5.EL4.i386.rpm


-Connie Sieh
-Troy Dawson