Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635120 (CVE-2017-12607, CVE-2017-12608, CVE-2017-3157, CVE-2017-9806)

Summary: <app-office/openoffice-bin-4.1.4: Multiple vulnerabilities
Product: Gentoo Security Reporter: Sergey Torokhov <torokhov-s-a>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: chithanh, glsamaker, office
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openoffice.org/security/bulletin.html
Whiteboard: B3 [noglsa cve]
Package list:
app-office/openoffice-bin-4.1.4
Runtime testing required: ---

Description Sergey Torokhov 2017-10-22 22:43:38 UTC
OpenOffice 4.1.4 was released on 19 Oct. 2017

Please update this package in portage tree.

Also please resolve an issue https://bugs.gentoo.org/529850 in new ebuild.

P.S.

List of resolved issues:
https://bz.apache.org/ooo/buglist.cgi?list_id=233429&query_format=advanced&resolution=FIXED&resolution=FIXED_WITHOUT_CODE&target_milestone=4.1.4

Reproducible: Always
Comment 1 Andreas Sturmlechner gentoo-dev 2017-10-22 22:51:00 UTC
Personally I would recommend you upgrade to LibreOffice.

I'm not sure if we bump this once more or rather schedule a cleanup...
Comment 2 Sergey Torokhov 2017-10-23 22:17:21 UTC
(In reply to Andreas Sturmlechner from comment #1)
> Personally I would recommend you upgrade to LibreOffice.

I tried several times to take a look at LibreOffice but every time found some bugs. 

Latest version from portage tree (5.2.7.2-r1) and my windows installation 
(5.3.6) have glitch interface especially "menu" while hover by mouse on it. Also there are I encounter some tiny bugs that are absent for me in OpenOffice. And current portage LibreOffice(-bin) version is obsolete.

I use OpenOffice both Gentoo Linux and Windows for ODF formats and I satisfied how it works, as many other users I sure.

As for ooxml support there are other office tools with better support of it than in LibreOffice: OnlyOffice, WPS, SoftMaker FreeOffice. What about ebuilds for them?

> I'm not sure if we bump this once more or rather schedule a cleanup...

Why? The application is still running, fixes are released. The Gentoo Linux is my favourite 'cause it's support simultaneous installation of OpenOffice and LibreOffice - the feature that is not presented in other distributives. SO it give more freedom of choose.

As for mentioned above bug - it's reproduce also for LibreOffice(-bin).
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2017-10-26 19:32:41 UTC
Reassigning this bug to me as I'm the maintainer of app-office/openoffice-bin
Comment 4 Sergey Torokhov 2017-10-26 21:39:45 UTC
Information about vulnerabilities that was fixed in OpenOffice-4.1.4: https://www.openoffice.org/security/bulletin.html

CVE-2017-3157: Arbitrary file disclosure in Calc and Writer
CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor
CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter
CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles
Comment 5 Andreas Sturmlechner gentoo-dev 2017-10-27 20:39:13 UTC
(In reply to Chí-Thanh Christopher Nguyễn from comment #3)
> Reassigning this bug to me as I'm the maintainer of app-office/openoffice-bin
Thanks, should have checked first...

Please note wrt bug 529850 the gstreamer version that openoffice-bin seems to depend on is ancient and should be removed from all the remaining reverse-dependencies.
Comment 6 D'juan McDonald (domhnall) 2017-11-02 05:02:52 UTC
@maintainer(s)  preserved previous URL:
https://blogs.apache.org/OOo/entry/announcing-apache-openoffice-4-1. 

Adding new URL for Security Bug Reference.

@security, CVE request please. Thank you.


Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-21 16:42:33 UTC
*** Bug 638334 has been marked as a duplicate of this bug. ***
Comment 8 Larry the Git Cow gentoo-dev 2017-12-14 13:51:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ade5387dafde98d4a37f9a63c419a834554f0e69

commit ade5387dafde98d4a37f9a63c419a834554f0e69
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2017-12-14 13:50:40 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2017-12-14 13:50:40 +0000

    app-office/openoffice-bin: security bump to 4.1.4
    
    Bug: https://bugs.gentoo.org/635120
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 app-office/openoffice-bin/Manifest                 |  80 +++++++++
 .../openoffice-bin/openoffice-bin-4.1.4.ebuild     | 185 +++++++++++++++++++++
 2 files changed, 265 insertions(+)}
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-19 15:49:47 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-12-20 13:09:38 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Larry the Git Cow gentoo-dev 2017-12-26 02:57:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edbb288bd7337e0b8fab4925fe23987a1a72f071

commit edbb288bd7337e0b8fab4925fe23987a1a72f071
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2017-12-26 02:57:30 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2017-12-26 02:57:30 +0000

    app-office/openoffice-bin: remove vulnerable version
    
    Bug: https://bugs.gentoo.org/635120
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 app-office/openoffice-bin/Manifest                 |  80 ---------
 .../openoffice-bin/openoffice-bin-4.1.3.ebuild     | 185 ---------------------
 2 files changed, 265 deletions(-)}
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-01-15 15:57:05 UTC
Downgraded to B3 due to no known exploits or PoC for ACE.  Demos exist for DoS only.

GLSA Vote: No

Tree is clean.