
Bug 547880 (CVE-2015-1774)

Summary: <app-office/openoffice-bin-4.1.2: HWP Filter Remote Code Execution and Denial of Service (CVE-2015-1774)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chithanh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openoffice.org/security/cves/CVE-2015-1774.html
Whiteboard: B2 [glsa cve cleanup]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 565028    

Description Agostino Sarubbo gentoo-dev 2015-04-27 09:09:11 UTC
From ${URL} :

OpenOffice HWP Filter Remote Code Execution and Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache OpenOffice 4.1.1 and older.
OpenOffice.org versions are also affected.
Description
A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial of service (memory corruption and application crash) or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format.

Mitigation
Apache OpenOffice users are advised to remove the problematic library in the "program" folder of their OpenOffice installation. On Windows it is named "hwp.dll", on Mac it is named "libhwp.dylib" (step-by-step instructions: go to the Applications folder in Finder; right click on OpenOffice.app; click on "Show Package Contents"; then search for the file "libhwp.dylib" with Finder's search function, or look for it in the folder "Contents/MacOS"; then delete the file) and on Linux it is named "libhwp.so". Alternatively the library can be renamed to anything else e.g. "hwp_renamed.dll". This mitigation will drop support for documents created in "Hangul Word Processor" versions from 1997 or older. Users of such documents are advised to convert their documents to other document formats such as OpenDocument before doing so.

Further information
Apache OpenOffice aims to fix the vulnerability in version 4.1.2, not released yet.

Credits
Thanks to an anonymous contributor working with VeriSign iDefense Labs.




@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
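
The rename mitigation quoted in the description, as an added shell example that is not part of the bug report or the Apache advisory. The function names and the ".disabled" suffix are assumptions of this example; the install root is supplied by the caller.

```shell
#!/bin/sh
# Added example: locate and disable the HWP filter library named in the
# advisory (libhwp.so on Linux, libhwp.dylib on Mac, hwp.dll on Windows).
# Function names and the ".disabled" suffix are assumptions of this example.

# Print the path of every HWP filter library found under the install root $1.
find_hwp_filter() {
    find "$1" -type f \
        \( -name 'libhwp.so' -o -name 'libhwp.dylib' -o -name 'hwp.dll' \) \
        2>/dev/null
}

# Rename each library found so the HWP filter can no longer be loaded.
# Prints the number of files renamed; returns non-zero if a rename failed.
disable_hwp_filter() {
    root=$1
    count=0
    status=0
    # A temp file (not a pipeline) keeps the loop in the current shell,
    # so the counter is still set after the loop ends.
    list=$(mktemp) || return 2
    find_hwp_filter "$root" > "$list"
    while IFS= read -r lib; do
        if mv -- "$lib" "$lib.disabled"; then
            count=$((count + 1))
        else
            status=1
        fi
    done < "$list"
    rm -f "$list"
    echo "$count"
    return "$status"
}

# Usage (path is whatever directory holds the OpenOffice installation):
#   find_hwp_filter /path/to/openoffice      # audit only
#   disable_hwp_filter /path/to/openoffice   # rename, prints count
```

Running `find_hwp_filter` again afterwards should print nothing; on a package-managed system the upgrade to the fixed version remains the actual fix, as the thread goes on to do.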
Comment 1 Agostino Sarubbo gentoo-dev 2015-11-11 14:46:19 UTC
Arches, please test and mark stable:
=app-office/openoffice-bin-4.1.2
Target keywords : "amd64 x86"
Comment 2 Agostino Sarubbo gentoo-dev 2015-11-11 15:00:44 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-11 15:01:36 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 04:08:38 UTC
Arches, Thank you for your work.
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-03-09 18:11:01 UTC
This issue was resolved and addressed in
 GLSA 201603-05 at https://security.gentoo.org/glsa/201603-05
by GLSA coordinator Kristian Fiskerstrand (K_F).