| Summary: | <app-office/libreoffice{,-bin}-4.2.5.2: VBA macros executed unconditionally (CVE-2014-0247) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | ulenrich |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1111083 | ||
| Whiteboard: | B2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
Version bump is on the way (build testing now). *** Bug 514374 has been marked as a duplicate of this bug. *** app-office/libreoffice-4.2.5.2 and app-office/libreoffice-l10n-4.2.5.2 bumped. Let's give it a few days in ~arch now to find obvious problems. Binary packages in preparation. (In reply to Andreas K. Hüttel from comment #3) > app-office/libreoffice-4.2.5.2 and app-office/libreoffice-l10n-4.2.5.2 > bumped. > > Let's give it a few days in ~arch now to find obvious problems. > Binary packages in preparation. Thanks Andreas for the work. Arches please *test* (especially the bin packages, since I cannot test much there) and then if all is OK mark stable: Target: amd64 x86 =app-office/libreoffice-4.2.5.2 =app-office/libreoffice-l10n-4.2.5.2 =app-office/libreoffice-bin-4.2.5.2 =app-office/libreoffice-bin-debug-4.2.5.2 On x86 the following dependencies are still missing and need be stabilized at the same time, too: =dev-libs/icu-52.1 =dev-cpp/libcmis-0.4.1 =media-libs/libfreehand-0.0.0 =dev-util/mdds-0.10.3 =app-text/libetonyek-0.0.3 =app-text/libabw-0.0.2 =app-text/libodfgen-0.0.4 =app-text/libebook-0.0.2 =app-text/libmwaw-0.2.0 Known minor issues: * The USE=kde variant does not use the KDE file dialogs right now but the default internal ones. We can't do much here since our Qt packages are missing some critical fixes (bug 514968). *** Bug 511144 has been marked as a duplicate of this bug. *** amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. All vulnerable versions removed. Thanks everyone. Arches and Mainter(s), Thank you for your work. Added to an existing GLSA request. This issue was resolved and addressed in GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml by GLSA coordinator Kristian Fiskerstrand (K_F). CVE-2014-0247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0247): LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possibly related to doc/docmacromode.cxx. |
From ${URL} : It was found that LibreOffice documents executed macros unconditionally, without user approval, when these documents were opened using LibreOffice. A attacker could use this flaw to execute arbitray code as the user running LibreOffice, by embedding malicious VBA scripts in the document as macros. The following commit fixes this issue: http://cgit.freedesktop.org/libreoffice/core/commit/?id=1b0402f87c9b17fef2141130bfaa1798ece6ba0d @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.