Fixed in AOO 4.1.2: CVE-2015-5313 .DOC Document Vulnerability
Republished without change. This advisory, originally posted
on 2015-11-04, died in a moderation queue and did not reach
the list. The [hidden email] is the official
mailing list for Apache OpenOffice security advisories, as
specified at <http://www.openoffice.org/security/alerts.html>.
This republication ensures preservation in the announce-list
A crafted Microsoft Word DOC file can be used to specify a
document buffer that is too small for the amount of data
provided for it. Failure to detect the discrepancy allows
an attacker to cause denial of service (memory corruption
and application crash) and possible execution of arbitrary
There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.
Vendor: The Apache Software Foundation
All Apache OpenOffice versions 4.1.1 and older are affected
OpenOffice.org versions are also affected.
Apache OpenOffice users are urged to download and install
Apache OpenOffice version 4.1.2 or later. DOC files having
the defect are detected and made ineffective in 4.1.2.
Users who do not upgrade to Apache OpenOffice 4.1.2 should
be careful of .DOC files from unknown or unreliable sources.
A Microsoft Word 97-2003 DOC format file can be checked
by opening it with software, such as Microsoft Office Word or
Word Online, that rejects documents having this defect as