
Bug 565026

Summary: <app-office/libreoffice{,-bin}-5.0.3.2, <app-office/openoffice-bin-4.1.2: multiple vulnerabilities (CVE-2015-{4551,5212,5213,5214})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chithanh, mgorny
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-11-06 15:25:13 UTC
From http://www.libreoffice.org/about-us/security/advisories/ :


Fixed in LibreOffice 4.4.6/5.0.0
CVE-2015-5214 DOC Bookmark Status Memory Corruption

Fixed in LibreOffice 4.4.5/5.0.0
CVE-2015-4551 Arbitrary file disclosure in Calc and Writer
CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)
CVE-2015-5213 DOC piecetable Integer Overflow
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2015-11-08 11:44:45 UTC
We're going for 5.0.3.2 as stabilization target (which was bumped today; I guess we can wait for a few days here to make sure nothing's obviously wrong with it).

[Note that the crashy gtk3 frontend will be stable.masked.]

I'm preparing the binary packages.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2015-11-23 23:32:00 UTC
Arches please test and stabilize, target "amd64 x86"

=app-office/libreoffice-5.0.3.2
=app-office/libreoffice-l10n-5.0.3.2
=app-office/libreoffice-bin-5.0.3.2
=app-office/libreoffice-bin-debug-5.0.3.2
=app-text/libmwaw-0.3.6
=app-text/libwps-0.4.2

Please especially do some runtime testing (i.e. start the program and play with it) of the binary package app-office/libreoffice-bin.

Note, you can disregard any bugs about crashy behaviour with USE=gtk3; the gtk3 frontend is indeed unstable and the useflag has been stable.masked for libreoffice-5.[01]*
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-24 23:13:05 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-24 23:13:59 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2015-11-28 00:14:53 UTC
All vulnerable versions removed. As detailed in comment #0, 4.4.6 can stay.

(In reply to Agostino Sarubbo from comment #0)
> From http://www.libreoffice.org/about-us/security/advisories/ :
> 
> 
> Fixed in LibreOffice 4.4.6/5.0.0
> CVE-2015-5214 DOC Bookmark Status Memory Corruption
> 
> Fixed in LibreOffice 4.4.5/5.0.0
> CVE-2015-4551 Arbitrary file disclosure in Calc and Writer
> CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)
> CVE-2015-5213 DOC piecetable Integer Overflow
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-12-08 01:02:09 UTC
Added to an existing GLSA Request.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-10-17 10:02:03 UTC
app-office/openoffice-bin was missed.

@maintainer(s), please clean the vulnerable version from the tree:

=app-office/openoffice-bin-4.1.1
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-11-04 07:57:31 UTC
This issue was resolved and addressed in GLSA 201611-03 at https://security.gentoo.org/glsa/201611-03 by GLSA coordinator Aaron Bauman (b-man).