An integer overflow error in the vclmi.dll module when allocating memory for an embedded image object can be exploited to cause a heap-based buffer overflow e.g. via a specially crafted JPEG object within a DOC file. This is also vulnerability #1 under http://secunia.com/advisories/46992/
Should be fixed in our tree as it was fixed in libreoffice in December. http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-3-5&id=1387ae23816db26066ab79b0c4ad33e6e0f2d968
But hey I want to stabilise 3.5.4.2 anyway, so let's use this bug as arches at least do it faster ^_^
I think it was announced now because apache-oo has finally released.
Thanks, Tomáš. 3.5.3 is listed as first fixed releases. Do we want to stabilize =app-office/libreoffice-3.5.3.2, 3.5.4.2, or something else? And would you mind adding a fixed libreoffice-bin too please?
(In reply to comment #2)
> But hey I want to stabilise 3.5.4.2 anyway, so let's use this bug as arches
> at least do it faster ^_^

(In reply to comment #4)
> Thanks, Tomáš. 3.5.3 is listed as first fixed releases. Do we want to
> stabilize =app-office/libreoffice-3.5.3.2, 3.5.4.2, or something else? And
> would you mind adding a fixed libreoffice-bin too please?

I'd say stabilization candidate is 3.5.4.2 (as Tomas stated above), but we should probably wait until that version has made the step from "official rc, highly likely to be identical to final" to "official 3.5.4 release". I'll prepare the binaries as soon as the source packages are stable.
Let's roll:
Arches please test and stabilise app-office/libreoffice-3.5.4.2-r1.
Cheers
Tom
ppc done.
amd64 ok
amd64: pass
libreoffice-3.5.4.2-r1.ebuild stable for amd64, thanks k01 and Armageddon.
Just for the record, I'll redo the binaries after the sources are stable (so there is a consistent set of libraries to build against).
x86 stable.
@office, go ahead with building of -bin packages.
Binary packages are up...
Arches please test and stabilize
app-office/libreoffice-bin-3.5.4.2-r1
app-office/libreoffice-bin-debug-3.5.4.2-r1
Target amd64 x86
x86: all binaries install ok (tried installing with specific USE flags: no problems for me). Also all *DEPEND compile ok. I don't see any problems, and there are no complaints from repoman.
libreoffice-bin-debug: in src_install() does not exist || die for trivial install method, please check and fix it.
Please mark stable for x86.
(In reply to comment #15)
> libreoffice-bin-debug: in src_install() does not exist || die for trivial
> install method, please check and fix it.

"|| die" added, thanks
(In reply to comment #14)
> app-office/libreoffice-bin-3.5.4.2-r1
> app-office/libreoffice-bin-debug-3.5.4.2-r1

amd64 ok
amd64 stable
x86 stable
(In reply to comment #19)
> x86 stable

app-office/libreoffice-bin-debug-3.5.4.2-r1 is missing
> 11 Jun 2012; Jeff Horelick <jdhore@gentoo.org>
> -libreoffice-bin-debug-3.5.2.2-r1.ebuild:
> Remove old (broken) version.
>
> 11 Jun 2012; Jeff Horelick <jdhore@gentoo.org>
> libreoffice-bin-debug-3.5.4.2-r1.ebuild:
> marked x86 per dilfridge
Thanks, everyone. Adding to existing GLSA request.
This issue was resolved and addressed in GLSA 201209-05 at http://security.gentoo.org/glsa/glsa-201209-05.xml by GLSA coordinator Sean Amoss (ackle).