Bug 635120 (CVE-2017-12607, CVE-2017-12608, CVE-2017-3157, CVE-2017-9806)

Summary:	<app-office/openoffice-bin-4.1.4: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sergey Torokhov <torokhov-s-a>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	chithanh, glsamaker, office
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.openoffice.org/security/bulletin.html
Whiteboard:	B3 [noglsa cve]
Package list:	app-office/openoffice-bin-4.1.4	Runtime testing required:	---

Description Sergey Torokhov 2017-10-22 22:43:38 UTC

OpenOffice 4.1.4 was released on 19 Oct. 2017

Please update this package in portage tree.

Also please resolve an issue https://bugs.gentoo.org/529850 in new ebuild.

P.S.

List of resolved issues:
https://bz.apache.org/ooo/buglist.cgi?list_id=233429&query_format=advanced&resolution=FIXED&resolution=FIXED_WITHOUT_CODE&target_milestone=4.1.4

Reproducible: Always

Comment 1 Andreas Sturmlechner gentoo-dev

2017-10-22 22:51:00 UTC

Personally I would recommend you upgrade to LibreOffice.

I'm not sure if we bump this once more or rather schedule a cleanup...

Comment 2 Sergey Torokhov 2017-10-23 22:17:21 UTC

(In reply to Andreas Sturmlechner from comment #1)
> Personally I would recommend you upgrade to LibreOffice.

I tried several times to take a look at LibreOffice but every time found some bugs. 

Latest version from portage tree (5.2.7.2-r1) and my windows installation 
(5.3.6) have glitch interface especially "menu" while hover by mouse on it. Also there are I encounter some tiny bugs that are absent for me in OpenOffice. And current portage LibreOffice(-bin) version is obsolete.

I use OpenOffice both Gentoo Linux and Windows for ODF formats and I satisfied how it works, as many other users I sure.

As for ooxml support there are other office tools with better support of it than in LibreOffice: OnlyOffice, WPS, SoftMaker FreeOffice. What about ebuilds for them?

> I'm not sure if we bump this once more or rather schedule a cleanup...

Why? The application is still running, fixes are released. The Gentoo Linux is my favourite 'cause it's support simultaneous installation of OpenOffice and LibreOffice - the feature that is not presented in other distributives. SO it give more freedom of choose.

As for mentioned above bug - it's reproduce also for LibreOffice(-bin).

Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev

2017-10-26 19:32:41 UTC

Reassigning this bug to me as I'm the maintainer of app-office/openoffice-bin

Comment 4 Sergey Torokhov 2017-10-26 21:39:45 UTC

Information about vulnerabilities that was fixed in OpenOffice-4.1.4: https://www.openoffice.org/security/bulletin.html

CVE-2017-3157: Arbitrary file disclosure in Calc and Writer
CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor
CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter
CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles

Comment 5 Andreas Sturmlechner gentoo-dev

2017-10-27 20:39:13 UTC

(In reply to Chí-Thanh Christopher Nguyễn from comment #3)
> Reassigning this bug to me as I'm the maintainer of app-office/openoffice-bin
Thanks, should have checked first...

Please note wrt bug 529850 the gstreamer version that openoffice-bin seems to depend on is ancient and should be removed from all the remaining reverse-dependencies.

Comment 6 D'juan McDonald (domhnall) 2017-11-02 05:02:52 UTC

@maintainer(s)  preserved previous URL:
https://blogs.apache.org/OOo/entry/announcing-apache-openoffice-4-1. 

Adding new URL for Security Bug Reference.

@security, CVE request please. Thank you.


Gentoo Security Padawan
(jmbailey/mbailey_j)

Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-11-21 16:42:33 UTC

*** Bug 638334 has been marked as a duplicate of this bug. ***

Comment 8 Larry the Git Cow gentoo-dev

2017-12-14 13:51:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ade5387dafde98d4a37f9a63c419a834554f0e69

commit ade5387dafde98d4a37f9a63c419a834554f0e69
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2017-12-14 13:50:40 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2017-12-14 13:50:40 +0000

    app-office/openoffice-bin: security bump to 4.1.4
    
    Bug: https://bugs.gentoo.org/635120
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 app-office/openoffice-bin/Manifest                 |  80 +++++++++
 .../openoffice-bin/openoffice-bin-4.1.4.ebuild     | 185 +++++++++++++++++++++
 2 files changed, 265 insertions(+)}

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2017-12-19 15:49:47 UTC

x86 stable

Comment 10 Agostino Sarubbo gentoo-dev

2017-12-20 13:09:38 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 11 Larry the Git Cow gentoo-dev

2017-12-26 02:57:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edbb288bd7337e0b8fab4925fe23987a1a72f071

commit edbb288bd7337e0b8fab4925fe23987a1a72f071
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2017-12-26 02:57:30 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2017-12-26 02:57:30 +0000

    app-office/openoffice-bin: remove vulnerable version
    
    Bug: https://bugs.gentoo.org/635120
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 app-office/openoffice-bin/Manifest                 |  80 ---------
 .../openoffice-bin/openoffice-bin-4.1.3.ebuild     | 185 ---------------------
 2 files changed, 265 deletions(-)}

Comment 12 Aaron Bauman (RETIRED) gentoo-dev

2018-01-15 15:57:05 UTC

Downgraded to B3 due to no known exploits or PoC for ACE.  Demos exist for DoS only.

GLSA Vote: No

Tree is clean.