Bug 440922 (CVE-2012-4233)

Summary:	<app-office/libreoffice{,-bin}-3.6.3.2: Multiple denial of service vulnerabilities (CVE-2012-4233)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	dilfridge, gef.kornflakes, kegalym2, office, sven.koehler, write2David
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.libreoffice.org/advisories/cve-2012-4233/
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2012-11-02 11:24:42 UTC

See https://www.libreoffice.org/advisories/cve-2012-4233/ for details

Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev

2012-11-04 10:33:08 UTC

I added 3.5.7.2 and 3.6.3.2 to cvs.

For binary I would say lets wait a week and stabilise 3.6.3.2 completely and generate binary from that one?

Comment 2 Sean Amoss (RETIRED) gentoo-dev

2012-11-08 21:46:50 UTC

(In reply to comment #1)
> I added 3.5.7.2 and 3.6.3.2 to cvs.
> 
> For binary I would say lets wait a week and stabilise 3.6.3.2 completely and
> generate binary from that one?

Thanks, Tomáš. We will revisit around 11/11 then.

Comment 3 Sean Amoss (RETIRED) gentoo-dev

2012-11-14 00:05:57 UTC

Arches, please test and mark stable:
=app-office/libreoffice-3.6.3.2
Target KEYWORDS="amd64 ppc x86"

Comment 4 Andreas K. Hüttel archtester

2012-11-14 18:34:14 UTC

(In reply to comment #3)
> Arches, please test and mark stable:
> =app-office/libreoffice-3.6.3.2
> Target KEYWORDS="amd64 ppc x86"

To be more precise, please test and mark stable:

app-office/libreoffice-3.6.3.2
app-office/libreoffice-l10n-3.6.3.2
dev-cpp/libcmis-0.2.3-r1

Target KEYWORDS="amd64 ppc x86"

Afterwards please keep this bug open for stabilization of the binpackages (which I'll upload after the sources are stabilized).

Comment 5 Andreas K. Hüttel archtester

2012-11-14 18:34:28 UTC

*** Bug 442252 has been marked as a duplicate of this bug. ***

Comment 6 Agostino Sarubbo gentoo-dev

2012-11-16 18:13:10 UTC

amd64 stable

Comment 7 Tomáš Chvátal (RETIRED) gentoo-dev

2012-11-17 11:09:53 UTC

x86 and ppc also done.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2012-11-20 00:27:53 UTC

CVE-2012-4233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4233):
  LibreOffice 3.5.x before 3.5.7.2 and 3.6.x before 3.6.1, and OpenOffice.org
  (OOo), allows remote attackers to cause a denial of service (NULL pointer
  dereference) via a crafted (1) odt file to vcllo.dll, (2) ODG (Drawing
  document) file to svxcorelo.dll, (3) PolyPolygon record in a .wmf (Window
  Meta File) file embedded in a ppt (PowerPoint) file to tllo.dll, or (4) xls
  (Excel) file to scfiltlo.dll.

Comment 9 Sean Amoss (RETIRED) gentoo-dev

2012-11-20 00:36:50 UTC

Thanks, everyone.

GLSA vote: no.

Comment 10 Andreas K. Hüttel archtester

2012-11-24 13:50:18 UTC

New binary packages have been generated and uploaded:
app-office/libreoffice-bin-3.6.3.2

amd64 & x86- please give them a decent beating, and if all works out, please stabilize.

Comment 11 Andreas K. Hüttel archtester

2012-11-24 13:52:37 UTC

*** Bug 444440 has been marked as a duplicate of this bug. ***

Comment 12 Andreas K. Hüttel archtester

2012-11-24 13:54:15 UTC

(In reply to comment #10)
> New binary packages have been generated and uploaded:
> app-office/libreoffice-bin-3.6.3.2
> 
> amd64 & x86- please give them a decent beating, and if all works out, please
> stabilize.

... and dont forget app-office/libreoffice-bin-debug-3.6.3.2 (with the files in /usr/lib/debug; I guess there's not much to test there).

Comment 13 Agostino Sarubbo gentoo-dev

2012-11-24 21:47:07 UTC

amd64 stable

Comment 14 Agostino Sarubbo gentoo-dev

2012-11-24 21:48:02 UTC

x86 stable

Comment 15 Tim Sammut (RETIRED) gentoo-dev

2012-12-10 19:03:12 UTC

Thanks, folks. GLSA Vote: no too, closing noglsa.