Vulnerability Note VU#220288

OpenOffice fails to properly process WMF and EMF files

Original Release date: 05 Jan 2007 | Last revised: 06 Jun 2007


Multiple buffer overflow vulnerabilities exist in the office suite. If successfully exploited, these vulnerabilities may allow an attacker to execute arbitrary code on a vulnerable system.

Description is a free office suite that is available for multiple operating systems.

Windows Metafile (WMF) is a vector graphics format that was designed by Microsoft for Windows 3.0. A newer version of WMF, known as Enhanced Metafile (EMF) was designed for 32-bit operating systems. supports importing and exporting to WMF and EMF files. There are multiple errors within the handling of the EMR_POLYPOLYGON, EMR_POLYPOLYGON16, and META_ESCAPE records that may result in a buffer overflow. An attacker may be able to exploit these vulnerabilities by convincing a user to open a specially crafted WMF or EMF file that triggers the overflow.

Note that Sun StarOffice versions 6, 7, and 8 are also vulnerable.


A remote unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.


Upgrade has issued an update to address these issues in version 2.0.4. The OpenOffice team has reported that this issue does not affect version 2.1. The update is available for all operating systems supported by the team.

StarOffice users and administrators should see the Sunsolve support site for more details about available updates..

Do not run OpenOffice or StarOffice with superuser privileges
Running OpenOffice or StarOffice with a non-privileged user account may mitigate the affects of this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
OpenOffice.orgAffected-05 Jan 2007
Sun Microsystems, Inc.Affected-06 Jun 2007
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to the team for information used in this report.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2006-5870
  • Date Public: 04 Jan 2007
  • Date First Published: 05 Jan 2007
  • Date Last Updated: 06 Jun 2007
  • Document Revision: 42


If you have feedback, comments, or additional information about this vulnerability, please send us email.