CVE Request -- openoffice.org (CVE-2008-4841)

[Jan Lieskovsky <jlieskov () redhat com>]

Hello Steve,

  CVE of CVE-2008-4841 has been assigned to 
the following WordPad Text Converter for Word 97
vulnerability:

The WordPad Text Converter for Word 97 files in Microsoft Windows 2000
SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to
execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf
Word 97 file that triggers memory corruption, as exploited in the wild
in December 2008. NOTE: As of 20081210, it is unclear whether this
vulnerability is related to a WordPad issue disclosed on 20080925 with
a 2008-crash.doc.rar example, but there are insufficient details to be
sure.

With references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4841
http://www.milw0rm.com/exploits/6560
http://milw0rm.com/sploits/2008-crash.doc.rar
http://www.microsoft.com/technet/security/advisory/960906.mspx
http://www.securityfocus.com/bid/31399
http://www.securityfocus.com/bid/32718
http://securitytracker.com/id?1021376
http://secunia.com/advisories/32997

Found out, this issue (http://milw0rm.com/sploits/2008-crash.doc.rar)
affects also the Word processor as shipped with OpenOffice.org.

Affected OpenOffice.org versions: openoffice.org-1.1.2-38.2.0.EL3 <= x < openoffice.org-1.1.5-10.6.0.5.EL4
Note: !! openoffice.org-2.* releases are not affected by this issue !!

What's the strategy in this case -- will we need a new CVE-2008 id
for this issue && the openoffice.org1 case? (And if so, could
you allocate one?)

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team