Note: This is an archival copy of Security Sun Alert 200704 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000558.1.
StarOffice 7 Software
StarOffice 6.0 Office Suite
StarOffice 8 Software
6513920, 6513918, 6513085
Date of Workaround Release
Date of Resolved Release
A security vulnerability with the way StarOffice/StarSuite versions 6, 7 and 8 process StarCalc 1.0 documents (.sdc) may allow a remote unprivileged user (who provides a StarCalc document that is opened by a local user) the ability to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite.
Sun acknowledges, with thanks, John Heasman of NGS Software Ltd (www.ngssoftware.com) for bringing this issue to our attention.
This issue is also described in the following:
CVE-2007-0238 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0238
This issue can occur in the following releases:
Note: Earlier versions of StarOffice/StarSuite will not be evaluated regarding this issue.
To determine the version of StarOffice installed on a system, the following command can be run (for /<staroffice program dir>/program/bootstraprc); note that not all of the platforms listed above provide the 'grep' command):
% grep Product bootstraprc ProductKey=StarOffice 8 ProductPatch=(Product Update 2)
Or, using the GUI, do the following (with StarOffice/StarSuite open):
The version is displayed first in the "about" text.
There are no predictable symptoms that would indicate the described issue has occurred.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
This solution has no attachment