Same as bug 409455. An XML Entity Expansion flaw was found in the way the embedded Raptor library processed certain RDF and other XML-based format files. An attacker could create a specially-crafted file in an affected LibreOffice format which, when opened, could cause arbitrary code execution or local file inclusion.
I add [upstream] because they have not yet released a fixed bin.
According to upstream, this is only a data leakage vulnerability (disclosure of arbitrary files). A workaround is to save untrusted files in ODF 1.0/1.1 format, which will avoid the vulnerable code. Upstream has provided instructions on how to fix this vulnerability. I will investigate whether following these instructions or packaging a 3.4 developer snapshot is preferable.
OpenOffice 3.4 RC1 has been released; an ebuild is coming up.
Created attachment 309549: openoffice-bin-3.4.0_rc1.ebuild
The ebuild will be added to portage once an official announcement from AOO exists.
Rerating B2 for code execution. Added to GLSA request.
Ok, I see c2 now. Looking around, it seems this may or may not allow code execution. Need to research before publishing GLSA...
More vulnerabilities were disclosed. All are fixed in 3.4.0. Adding to this bug per underling on IRC:

CVE-2012-1149: OpenOffice.org integer overflow error in vclmi.dll module when allocating memory for an embedded image object
Reference: http://www.openoffice.org/security/cves/CVE-2012-1149.html

CVE-2012-2149: OpenOffice.org memory overwrite vulnerability
Reference: http://www.openoffice.org/security/cves/CVE-2012-2149.html

CVE-2012-2334: Vulnerabilities related to malformed Powerpoint files in OpenOffice.org 3.3.0
Reference: http://www.openoffice.org/security/cves/CVE-2012-2334.html

Code execution is possible through CVE-2012-2149.
CVE-2012-1149 specifically pertains to libreoffice and bug 416457 was created for it prior to the above comment.
CVE-2012-2334 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2334):
Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the length of an Escher graphics record in a PowerPoint (.ppt) document, which triggers a buffer overflow.

CVE-2012-2149 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2149):
The WPXContentListener::_closeTableRow function in WPXContentListener.cpp in libwpd 0.8.8, as used by OpenOffice.org (OOo) before 3.4, allows remote attackers to execute arbitrary code via a crafted Wordperfect .WPD document that causes a negative array index to be used. NOTE: some sources report this issue as an integer overflow.

CVE-2012-1149 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1149):
Integer overflow in the vclmi.dll module in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted embedded image object, as demonstrated by a JPEG image in a .DOC file, which triggers a heap-based buffer overflow.

CVE-2012-0037 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0037):
Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML external entity (XXE) declaration and reference in an RDF document.
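The CVE-2012-0037 entry above describes the payload shape: an external entity declared in the DTD of an RDF document and then referenced from content, which a resolving parser turns into a local file read. The following is an added example, not code from OpenOffice, LibreOffice, Raptor or this bug; it scans the XML parts of an ODF archive (assumed to carry its RDF metadata in manifest.rdf, as ODF 1.2 does) for exactly that pattern, using only the standard-library expat bindings and refusing to resolve any external reference while it looks. The sample documents and the archive builder are constructed here for the demonstration.

```python
"""Scan ODF archives and bare RDF/XML documents for external entity
declarations of the kind described for CVE-2012-0037 (Raptor XXE).

Added example for this bug; not code from OpenOffice, LibreOffice or
Raptor. Uses only the Python standard library.
"""
import io
import zipfile
from xml.parsers import expat


def find_external_entities(xml_bytes: bytes) -> dict:
    """Report DTD-level XXE indicators in one XML document without resolving anything.

    Returns {"external_entities": [(name, system_id), ...],
             "external_dtd": system_id or None,
             "blocked_references": count of external entity references
                                   that the parser tried to resolve}.
    """
    report = {"external_entities": [], "external_dtd": None, "blocked_references": 0}
    parser = expat.ParserCreate()

    # expat reports every <!ENTITY> declaration; only those with a SYSTEM (or
    # PUBLIC) identifier point outside the document and are XXE material.
    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None:
            report["external_entities"].append((name, system_id))

    # An external DTD subset (<!DOCTYPE x SYSTEM "...">) is a second fetch vector.
    def doctype_decl(name, system_id, public_id, has_internal_subset):
        report["external_dtd"] = system_id

    # Called when content references an external entity (e.g. &xxe;).
    # Returning 0 tells expat to abort instead of fetching the target.
    def external_entity_ref(context, base, system_id, public_id):
        report["blocked_references"] += 1
        return 0

    parser.EntityDeclHandler = entity_decl
    parser.StartDoctypeDeclHandler = doctype_decl
    parser.ExternalEntityRefHandler = external_entity_ref

    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        # The abort above (or a malformed document) surfaces as ExpatError;
        # the DTD declarations were already recorded before content parsing.
        pass
    return report


def scan_odf(archive_bytes: bytes) -> dict:
    """Return {part_name: report} for every XML/RDF part in an ODF zip that
    declares an external entity or an external DTD subset."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith((".xml", ".rdf")):
                continue  # "mimetype", Pictures/, Thumbnails/ are not XML
            report = find_external_entities(zf.read(info.filename))
            if report["external_entities"] or report["external_dtd"]:
                hits[info.filename] = report
    return hits


# Constructed sample RDF parts (not taken from any real exploit file).
MALICIOUS_RDF = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rdf:RDF [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <rdf:Description rdf:about="">
    <dc:description>&xxe;</dc:description>
  </rdf:Description>
</rdf:RDF>
"""

CLEAN_RDF = b"""<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""/>
</rdf:RDF>
"""


def build_sample_odf(rdf_part: bytes) -> bytes:
    """Build a minimal ODF-shaped zip in memory (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", b'<?xml version="1.0"?>'
                    b'<office:document-content xmlns:office='
                    b'"urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
        zf.writestr("manifest.rdf", rdf_part)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rdf in (("malicious", MALICIOUS_RDF), ("clean", CLEAN_RDF)):
        print(label, scan_odf(build_sample_odf(rdf)))
```

The scanner only reads the DTD and never follows a SYSTEM identifier, so running it over an untrusted document does not itself leak anything; it is a triage check for files received before a fixed build is installed, not a replacement for the upstream fix.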
This issue was resolved and addressed in GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml by GLSA coordinator Kristian Fiskerstrand (K_F).