Multiple integer overflows in OpenOffice.org (OOo) 2.0.4 and earlier, and possibly other versions before 2.1.0; and StarOffice 6 through 8; allow user-assisted remote attackers to execute arbitrary code via a crafted (a) WMF or (b) EMF file that triggers heap-based buffer overflows in (1) wmf/winwmf.cxx, during processing of META_ESCAPE records; and wmf/enhwmf.cxx, during processing of (2) EMR_POLYPOLYGON and (3) EMR_POLYPOLYGON16 records.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openoffice | Openoffice | * | 2.0.4 (including) |
| Staroffice | Sun | 6.0 (including) | 6.0 (including) |
| Staroffice | Sun | 7.0 (including) | 7.0 (including) |
| Staroffice | Sun | 8.0 (including) | 8.0 (including) |
| Red Hat Enterprise Linux 3 | RedHat | openoffice.org-0:1.1.2-35.2.0.EL3 | * |
| Red Hat Enterprise Linux 4 | RedHat | openoffice.org-0:1.1.5-6.6.0.EL4 | * |
| Openoffice.org | Ubuntu | dapper | * |
| Openoffice.org-amd64 | Ubuntu | dapper | * |
| Openoffice.org-l10n | Ubuntu | dapper | * |
| Openoffice.org-l10n | Ubuntu | devel | * |
| Openoffice.org-l10n | Ubuntu | edgy | * |
| Openoffice.org-l10n | Ubuntu | feisty | * |