Hole in Office programs for Linux
The [ttlipwpd[/tt]] library that processes WordPerfect documents has been used in the Linux programs Abiword since version 2.2, KOffice as of 1.4, and OpenOffice as of 2.0, among other places. The libwpd versions before the current 0.8.9 are vulnerable to a buffer overflow that allows malicious code to be injected. The buffer overflow can occur in the functions WP6GeneralTextPacket::_readContents(), WP3TablesGroup::_readContents() or WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup().
Linux distributors are already supplying packets with the current [ttlibwpd v0.8.9[/tt]]. As there is yet no patched version of OpenOffice, users are advised simply to refrain from opening WordPerfect documents from dubious sources; libwprd is hardwired in OpenOffice programs and therefore cannot be separately replaced.
For more information, see:
- Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities, iDefense's security advisory
(ehe)