From http://www.openoffice.org/security/cves/CVE-2014-3524.html:

OpenOffice Calc Command Injection Vulnerability

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenOffice 4.1.0 and older on Windows. OpenOffice.org versions are also affected.

Description: The vulnerability allows command injection when loading Calc spreadsheets. Specially crafted documents can be used for command-injection attacks. Further exploits are possible but have not been verified.

Mitigation: Apache OpenOffice users are advised to upgrade to Apache OpenOffice 4.1.1. Users who are unable to upgrade immediately should be cautious when opening untrusted documents.

Credits: The Apache OpenOffice security team credits Rohan Durve and James Kettle of Context Information Security as the discoverer of this flaw.

From http://www.openoffice.org/security/cves/CVE-2014-3575.html:

OpenOffice Targeted Data Exposure Using Crafted OLE Objects

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenOffice 4.1.0 and older on Windows. OpenOffice.org versions are also affected.

Description: The exposure exploits the way OLE previews are generated to embed arbitrary file data into a specially crafted document when it is opened. Data exposure is possible if the updated document is distributed to other parties.

Mitigation: Apache OpenOffice users are advised to upgrade to Apache OpenOffice 4.1.1. Users who are unable to upgrade immediately should be cautious when they are asked to "Update Links" for untrusted documents.

Credits: The Apache OpenOffice security team credits Open-Xchange for reporting this flaw.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-3524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3524): Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet.
Arches, please stabilize app-office/openoffice-bin-4.1.1
CVE-2014-3575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3575): The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Vulnerable versions have been removed from the tree.
Added to existing GLSA request (eafa83859)
This issue was resolved and addressed in GLSA 201603-05 at https://security.gentoo.org/glsa/201603-05 by GLSA coordinator Kristian Fiskerstrand (K_F).