OpenOffice multiple security vulnerabilities

OpenOffice multiple security vulnerabilities
Published:		21.05.2012
Source:		BUGTRAQ
SecurityVulns ID:		12384
Type:		client
Threat Level:		5/10
Description:		Multiple memory corruptions.

Affected:		APACHE : OpenOffice 3.3
		LIBREOFFICE : LibreOffice 3.5
CVE:		CVE-2012-2334 (Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the length of an Escher graphics record in a PowerPoint (.ppt) document, which triggers a buffer overflow.)
		CVE-2012-2149 (The WPXContentListener::_closeTableRow function in WPXContentListener.cpp in libwpd 0.8.8, as used by OpenOffice.org (OOo) before 3.4, allows remote attackers to execute arbitrary code via a crafted Wordperfect .WPD document that causes a negative array index to be used. NOTE: some sources report this issue as an integer overflow.)
		CVE-2012-1149 (Integer overflow in the vclmi.dll module in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted embedded image object, as demonstrated by a JPEG image in a .DOC file, which triggers a heap-based buffer overflow.)

Original document		APACHE, CVE-2012-2334 Vulnerabilities related to malformed Powerpoint files in OpenOffice.org 3.3.0 (21.05.2012)
		APACHE, CVE-2012-2149 OpenOffice.org memory overwrite vulnerability (21.05.2012)
		APACHE, CVE-2012-1149 OpenOffice.org integer overflow error in vclmi.dll module when allocating memory for an embedded image object (21.05.2012)
		SEC Consult Vulnerability Lab, SEC Consult SA-20120518 :: Memory overwrite vulnerability in libwpd (OpenOffice.org) - CVE-2012-2149 (21.05.2012)