Bug#: 192818
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matthias Geerdsen <vorlon@gentoo.org>
Bug 192818 depends on: 193056


Description:   Opened: 2007-09-17 14:00 0000
Manipulated TIFF files can lead to heap overflows and arbitrary code execution

    * Synopsis: Manipulated TIFF files can lead to heap overflows and arbitrary
code execution
    * State: Resolved

1. Impact

A security vulnerability with the way OpenOffice.org processes TIFF documents
may allow arbitrary command execution on the system with the privileges of the
user running OpenOffice.org.

We acknowledge, with thanks, an anonymous researcher working with the iDefense
VCP.

2. Affected releases

All versions prior to OpenOffice.org 2.3

3. Symptoms

There are no predictable symptoms that would indicate this issue has occurred

4. Relief/Workaround

There is no workaround. See "Resolution" below.

5. Resolution

This issue is addressed in the following releases:

OpenOffice.org 2.3

------- Comment #1 From Andreas Proschofsky 2007-09-17 14:08:44 0000 -------
Yes, well known ;) 

app-office/openoffice-bin-2.3 is already in the tree, so please test this for
marking stable

app-office/openoffice-2.3: Am working on this atm. Will come in the tree asap,
depends on how successful I'm in fixing the remaining problems

------- Comment #2 From Andreas Proschofsky 2007-09-18 07:20:09 0000 -------
app-office/openoffice-2.3.0 is in the tree now, too

------- Comment #3 From Robert Buchholz 2007-09-18 10:16:40 0000 -------
Thanks, Andreas.

Arches, please test and mark stable:
app-office/openoffice-bin-2.3.0: targets are "amd64 x86"
app-office/openoffice-2.3.0: targets are "ppc x86"

------- Comment #4 From Christoph Mende 2007-09-18 11:28:40 0000 -------
amd64 stable

------- Comment #5 From Andreas Proschofsky 2007-09-18 11:37:55 0000 -------
(In reply to comment #2)
> app-office/openoffice-2.3.0 is in the tree now, too
> 

Just to note: I've just done a little update to the ebuild, using a newer
ooo-build-release, as the old one still showed the 2.2-splash-screen.

------- Comment #6 From Christian Faulhammer 2007-09-18 21:19:13 0000 -------
-bin stable on x86

------- Comment #7 From Christian Faulhammer 2007-09-19 13:01:13 0000 -------
=============
Building project oox
=============
/var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/oox/source/token
mkout -- version: 1.7
/usr/bin/perl gentoken.pl tokens.txt ../../unxlngi6.pro/inc/tokens.hxx
../../unxlngi6.pro/misc/tokens.gperf
gperf --compare-strncmp --output-file=../../unxlngi6.pro/misc/_tokens.cxx
../../unxlngi6.pro/misc/tokens.gperf
dmake:  Error: -- gperf: No such file or directory
dmake:  Error code -1, while making '../../unxlngi6.pro/inc/tokens.cxx'
---* tg_merge.mk *---

ERROR: Error 65280 occurred while making
/var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/oox/source/token
make: *** [stamp/build] Error 1


This seems to go away (new compile not finished yet) when emerging
dev-util/gperf.

------- Comment #8 From Tobias Scherbaum 2007-09-19 16:21:13 0000 -------
Doesn't build on ppc (bundled STLport)

g++ -D_REENTRANT
-DGXX_INCLUDE_PATH=/usr/lib/gcc/powerpc-unknown-linux-gnu/4.1.2/include/g++-v4
-fexceptions -ftemplate-depth-32 -I../stlport -Wall -W -Wno-sign-compare
-Wno-unused -Wno-uninitialized -O2 -mcpu=G4 -mtune=G4 -maltivec -mabi=altivec
-fno-strict-aliasing -pipe -D_STLP_STRICT_ANSI -g -fPIC -D_STLP_DEBUG
dll_main.cpp -c -o ../lib/obj/GCCppc/DebugSTLD/dll_main.o
../stlport/stl/_vector.h:92: error: template class without a name
../stlport/stl/_vector.h:195: error: expected unqualified-id before 'const'
../stlport/stl/_vector.h:195: error: expected `)' before 'const'
../stlport/stl/_vector.h:198: error: expected `)' before '__n'
../stlport/stl/_vector.h:204: error: expected `)' before '__n'
../stlport/stl/_vector.h:209: error: expected unqualified-id before 'const'
../stlport/stl/_vector.h:209: error: expected `)' before 'const'
../stlport/stl/_vector.h:240: error: expected `)' before '__first'
../stlport/stl/_vector.h:255: error: expected class-name before '__attribute__'
../stlport/stl/_vector.h:257: error: expected unqualified-id before '<' token
../stlport/stl/_vector.h:337: error: expected identifier before '<' token
../stlport/stl/_vector.h:337: error: expected ',' or '...' before '<' token
../stlport/stl/_vector.h: In member function 'void _STLD::<anonymous
class><_Tp, _Alloc>::swap(int __vector__)':
../stlport/stl/_vector.h:338: error: '__x' was not declared in this scope
../stlport/stl/_vector.h: At global scope:
../stlport/stl/_vector.h:93: error: an anonymous union cannot have function
members
../stlport/stl/_vector.h:546: error: abstract declarator '_STLD::<anonymous
class><_Tp, _Alloc>' used as declaration
../stlport/stl/_relops_cont.h:6: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:7: error: ISO C++ forbids declaration of
'parameter' with no type
../stlport/stl/_relops_cont.h:7: error: 'bool _STLD::operator==(int
__vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:7: error: 'bool _STLD::operator==(int
__vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator==(int
__vector__)':
../stlport/stl/_relops_cont.h:8: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:8: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:13: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:14: error: ISO C++ forbids declaration of
'parameter' with no type
../stlport/stl/_relops_cont.h:14: error: 'bool _STLD::operator<(int
__vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:14: error: 'bool _STLD::operator<(int
__vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator<(int
__vector__)':
../stlport/stl/_relops_cont.h:15: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:16: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of
'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator!=(int
__vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator!=(int
__vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator!=(int
__vector__)':
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of
'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>(int
__vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>(int
__vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator>(int
__vector__)':
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of
'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator<=(int
__vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator<=(int
__vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator<=(int
__vector__)':
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of
'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>=(int
__vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>=(int
__vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator>=(int
__vector__)':
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:23: error: variable or field 'swap' declared void
../stlport/stl/_relops_cont.h:23: error: '_STLD::swap' declared as an 'inline'
variable
../stlport/stl/_relops_cont.h:23: error: template declaration of 'int
_STLD::swap'
../stlport/stl/_relops_cont.h:23: error: expected primary-expression before
'__attribute__'
../stlport/stl/_relops_cont.h:23: error: expected primary-expression before '>'
token
../stlport/stl/_relops_cont.h:23: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:24: error: expected primary-expression before
'__attribute__'
../stlport/stl/_relops_cont.h:24: error: expected primary-expression before '>'
token
../stlport/stl/_relops_cont.h:24: error: '__y' was not declared in this scope
../stlport/stl/_vector.c:41: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:57: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:85: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:110: error: expected unqualified-id before '<' token
../stlport/stl/_bvector.h:298: error: expected identifier before '<' token
../stlport/stl/_bvector.h:298: error: expected unqualified-id before '<' token
../stlport/stl/_bvector.h:791: error: expected unqualified-id before '<' token
../stlport/stl/debug/_vector.h:96: error: expected class-name before
'__attribute__'
../stlport/stl/debug/_vector.h:96: error: expected `{' before '__attribute__'
../stlport/stl/debug/_vector.h:96: error: expected unqualified-id before '<'
token
dll_main.cpp:172: error: expected identifier before '<' token
dll_main.cpp:172: error: expected unqualified-id before '<' token
dll_main.cpp:174: error: explicit instantiation of 'class _STLD::vector<void*,
_STLD::allocator<void*> >' before definition of template
make[1]: *** [../lib/obj/GCCppc/DebugSTLD/dll_main.o] Error 1
make[1]: Leaving directory
`/var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/stlport/unxlngppc.pro/misc/build/STLport-4.5/src'
dmake:  Error code 2, while making
'unxlngppc.pro/misc/build/so_built_so_stlport'
---* tg_merge.mk *---

ERROR: Error 65280 occurred while making
/var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/stlport
make: *** [stamp/build] Error 1

------- Comment #9 From Christian Faulhammer 2007-09-19 16:37:27 0000 -------
Ok, that oox failure has been reported (and marked as fixed) in bug 192937. 
But actually I don't find the dependency in the ebuild.  OpenOffice team?

------- Comment #10 From Andreas Proschofsky 2007-09-19 20:32:17 0000 -------
(In reply to comment #9)
> Ok, that oox failure has been reported (and marked as fixed) in bug 192937. 
> But actually I don't find the dependency in the ebuild.  OpenOffice team?
> 

This is fixed now, sorry for missing this

------- Comment #11 From Christian Faulhammer 2007-09-20 07:09:20 0000 -------
x86 stable, thanks Andreas.

ppc your problem has been tried to be fixed.

------- Comment #12 From Andreas Proschofsky 2007-09-21 06:48:59 0000 -------
We are getting into a bit of a difficult situation here: ppc still has some
building problems, and I'll be on vacation (without internet access) for two
weeks starting tomorrow :( Any idea how to handle this?

------- Comment #13 From Andreas Proschofsky 2007-09-21 08:01:36 0000 -------
Ok, as openoffice-2.3.0 obviously has more severe building problems on ppc than
I can solve before being away, I've now added openoffice-2.2.1-r1 to the tree
instead. That's just openoffice-2.2.1 - which seemed to work fine on ppc until
now - plus the security fix and one build fix.

I'd propose this for stabilizing on ppc instead (and after that removing the
ppc keyword from openoffice-2.3.0 for the time being)

------- Comment #14 From Tobias Scherbaum 2007-09-21 19:23:47 0000 -------
(In reply to comment #13)
> Ok, as openoffice-2.3.0 obviously has more severe building problems on ppc than
> I can solve before being away, I've now added openoffice-2.2.1-r1 to the tree
> instead. That's just openoffice-2.2.1 - which seemed to work fine on ppc until
> now - plus the security fix and one build fix.
> 
> I'd propose this for stabilizing on ppc instead (and after that removing the
> ppc keyword from openoffice-2.3.0 for the time being)
> 

Looks like the best solution for now - i'll take a look at openoffice-2.2.1-r1.

------- Comment #15 From Andreas Proschofsky 2007-09-22 05:55:27 0000 -------
Ok, as I'll be away now: Could someone else please also remove the old
2.2.1-ebuild (the vulnerable one) after ppc has stabilized 2.2.1-r1? Hope
everything works out fine, wished this would be completed before leaving...

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-09-24 17:21:28 0000 -------
ppc please test openoffice 2.2.1-r1 or 2.3.0

------- Comment #17 From Tobias Scherbaum 2007-09-25 17:21:13 0000 -------
openoffice-2.2.1-r1 also seems b0rked for ppc, i'm on my way finding a USE
combination which is working ... we might want to issue a temp-glsa mentioning
that the problem isn't fixed for ppc yet?

if test -f ../../unxlngppc.pro/slo/cli_uno_glue_version.o ; then touch
../../unxlngppc.pro/slo/cli_uno_glue_version.obj ; fi
cp -p assembly.cs ../../unxlngppc.pro/misc/assembly_cppuhelper.cs
echo ' \
        [assembly:System.Reflection.AssemblyVersion( "1.0.9.0" )] ' \
        '
[assembly:System.Reflection.AssemblyKeyFile("../../unxlngppc.pro/bin/cliuno.snk")]
' \
        >> ../../unxlngppc.pro/misc/assembly_cppuhelper.cs
dmake:  Error: -- `../../../external/cli/cli_types.dll' not found, and can't be
made
'---* tg_merge.mk *---'

------- Comment #18 From Lars Weiler (RETIRED) 2007-09-26 11:45:39 0000 -------
(In reply to comment #17)
> openoffice-2.2.1-r1 also seems b0rked for ppc, i'm on my way finding a USE
> combination which is working 

I compiled OOo-2.2.1-r1 with the same USE-flags (USE="cairo cups dbus eds
firefox gnome gstreamer gtk kde ldap pam sound webdav -binfilter -debug -java
-mono -odk -seamonkey -xulrunner% (-branding%*)") like I compiled 2.2.1. 
Everything's fine, beside the nasty bug about

**************************************************
ERROR: ERROR: Could not register all components!
in function: create_services_rdb
**************************************************

which hit us again.

------- Comment #19 From Tobias Scherbaum 2007-09-26 16:25:25 0000 -------
(In reply to comment #18)
> I compiled OOo-2.2.1-r1 with the same USE-flags (USE="cairo cups dbus eds
> firefox gnome gstreamer gtk kde ldap pam sound webdav -binfilter -debug -java
> -mono -odk -seamonkey -xulrunner% (-branding%*)") like I compiled 2.2.1. 
> Everything's fine, beside the nasty bug about
> 
> **************************************************
> ERROR: ERROR: Could not register all components!
> in function: create_services_rdb
> **************************************************
> 
> which hit us again.
> 

plus USE="mono" is broken

------- Comment #20 From Andreas Proschofsky 2007-10-08 10:29:53 0000 -------
(In reply to comment #17)
> openoffice-2.2.1-r1 also seems b0rked for ppc, 

That's bad, even though it seems to work for others, anyway: this also would
mean that 2.2.1 is broken too, as it is 2.2.1-r1 minus the security fix. Weird
that I never got a single report about 2.2.1 being broken on ppc in the last
months...

Maybe we should move the ppc-discussion over to bug #193056, also could you
please there provide your emerge info stuff?

------- Comment #21 From Sune Kloppenborg Jeppesen 2007-10-17 18:32:22 0000 -------
ppc any news here?

------- Comment #22 From Tobias Scherbaum 2007-10-18 05:07:13 0000 -------
(In reply to comment #21)
> ppc any news here?
> 

We're waiting for #193056

------- Comment #23 From Tobias Scherbaum 2007-10-20 19:44:36 0000 -------
ppc stable, finally ready for glsa ... 

------- Comment #24 From Andreas Proschofsky 2007-10-21 07:04:32 0000 -------
I've removed the vulnerable ebuilds from the tree now

------- Comment #25 From Raphael Marichez 2007-10-24 22:15:38 0000 -------
GLSA 200710-24, thanks everybody!

------- Comment #26 From subs@j79zlr.com 2007-12-04 00:21:36 0000 -------
(In reply to comment #4)
> amd64 stable
> 

Still showing as soft masked here. All of the dependencies are now stable and
I've been running 2.3.0 on amd64 for a long while without any issues. Can we
get it marked as stable.

------- Comment #27 From Robert Buchholz 2007-12-04 00:39:25 0000 -------
(In reply to comment #26)
> (In reply to comment #4)
> > amd64 stable
> Still showing as soft masked here. All of the dependencies are now stable and
> I've been running 2.3.0 on amd64 for a long while without any issues. Can we
> get it marked as stable.

That comment was about stabling openoffice-bin, not openoffice. Since
openoffice was not amd64-stable before, there is no reason to stable a new
version on a security bug. If your comment was a wish to generally stable
openoffice on amd64, please open a separate bug about it. I'd still guess there
is a reason it is not stable.
