Bug 440922 (CVE-2012-4233)

Summary: <app-office/libreoffice{,-bin}-3.6.3.2: Multiple denial of service vulnerabilities (CVE-2012-4233)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: dilfridge, gef.kornflakes, kegalym2, office, sven.koehler, write2David
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.libreoffice.org/advisories/cve-2012-4233/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-11-02 11:24:42 UTC
See https://www.libreoffice.org/advisories/cve-2012-4233/ for details
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2012-11-04 10:33:08 UTC
I added 3.5.7.2 and 3.6.3.2 to cvs.

For binary I would say let's wait a week and stabilise 3.6.3.2 completely and generate binary from that one?
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-08 21:46:50 UTC
(In reply to comment #1)
> I added 3.5.7.2 and 3.6.3.2 to cvs.
> 
> For binary I would say let's wait a week and stabilise 3.6.3.2 completely and
> generate binary from that one?

Thanks, Tomáš. We will revisit around 11/11 then.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-14 00:05:57 UTC
Arches, please test and mark stable:
=app-office/libreoffice-3.6.3.2
Target KEYWORDS="amd64 ppc x86"
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2012-11-14 18:34:14 UTC
(In reply to comment #3)
> Arches, please test and mark stable:
> =app-office/libreoffice-3.6.3.2
> Target KEYWORDS="amd64 ppc x86"

To be more precise, please test and mark stable:

app-office/libreoffice-3.6.3.2
app-office/libreoffice-l10n-3.6.3.2
dev-cpp/libcmis-0.2.3-r1

Target KEYWORDS="amd64 ppc x86"

Afterwards please keep this bug open for stabilization of the binpackages (which I'll upload after the sources are stabilized).
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2012-11-14 18:34:28 UTC
*** Bug 442252 has been marked as a duplicate of this bug. ***
Comment 6 Agostino Sarubbo gentoo-dev 2012-11-16 18:13:10 UTC
amd64 stable
Comment 7 Tomáš Chvátal (RETIRED) gentoo-dev 2012-11-17 11:09:53 UTC
x86 and ppc also done.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 00:27:53 UTC
CVE-2012-4233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4233):
  LibreOffice 3.5.x before 3.5.7.2 and 3.6.x before 3.6.1, and OpenOffice.org
  (OOo), allows remote attackers to cause a denial of service (NULL pointer
  dereference) via a crafted (1) odt file to vcllo.dll, (2) ODG (Drawing
  document) file to svxcorelo.dll, (3) PolyPolygon record in a .wmf (Window
  Meta File) file embedded in a ppt (PowerPoint) file to tllo.dll, or (4) xls
  (Excel) file to scfiltlo.dll.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-20 00:36:50 UTC
Thanks, everyone.

GLSA vote: no.
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2012-11-24 13:50:18 UTC
New binary packages have been generated and uploaded:
app-office/libreoffice-bin-3.6.3.2

amd64 & x86 - please give them a decent beating, and if all works out, please stabilize.
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2012-11-24 13:52:37 UTC
*** Bug 444440 has been marked as a duplicate of this bug. ***
Comment 12 Andreas K. Hüttel archtester gentoo-dev 2012-11-24 13:54:15 UTC
(In reply to comment #10)
> New binary packages have been generated and uploaded:
> app-office/libreoffice-bin-3.6.3.2
> 
> amd64 & x86 - please give them a decent beating, and if all works out, please
> stabilize.

... and don't forget app-office/libreoffice-bin-debug-3.6.3.2 (with the files in /usr/lib/debug; I guess there's not much to test there).
Comment 13 Agostino Sarubbo gentoo-dev 2012-11-24 21:47:07 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2012-11-24 21:48:02 UTC
x86 stable
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2012-12-10 19:03:12 UTC
Thanks, folks. GLSA Vote: no too, closing noglsa.