Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 192818 - app-office/openoffice{,-bin}: Manipulated TIFF files can lead to heap overflows and arbitrary code execution (CVE-2007-2834)
Summary: app-office/openoffice{,-bin}: Manipulated TIFF files can lead to heap overfl...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.openoffice.org/security/cv...
Whiteboard: A2? [glsa]
Keywords:
Depends on: 193056
Blocks:
  Show dependency tree
 
Reported: 2007-09-17 14:00 UTC by Matthias Geerdsen (RETIRED)
Modified: 2007-12-04 00:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2007-09-17 14:00:08 UTC
Manipulated TIFF files can lead to heap overflows and arbitrary code execution

    * Synopsis: Manipulated TIFF files can lead to heap overflows and arbitrary code execution
    * State: Resolved

1. Impact

A security vulnerability with the way OpenOffice.org processes TIFF documents may allow arbitrary command execution on the system with the privileges of the user running OpenOffice.org.

We acknowledge, with thanks, an anonymous researcher working with the iDefense VCP.
2. Affected releases

All versions prior to OpenOffice.org 2.3
3. Symptoms

There are no predictable symptoms that would indicate this issue has occurred
4. Relief/Workaround

There is no workaround. See "Resolution" below.
5. Resolution

This issue is addressed in the following releases:

OpenOffice.org 2.3
Comment 1 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-17 14:08:44 UTC
Yes, well known ;) 

app-office/openoffice-bin-2.3 is already in the tree, so please test this for marking stable

app-office/openoffice-2.3: Am working on this atm. Will come in the tree asap, depends on how successfull I'm in fixing the remaining problems
Comment 2 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-18 07:20:09 UTC
app-office/openoffice-2.3.0 is in the tree now, too
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-09-18 10:16:40 UTC
Thanks, Andreas.

Arches, please test and mark stable:
app-office/openoffice-bin-2.3.0: targets are "amd64 x86"
app-office/openoffice-2.3.0: targets are "ppc x86"
Comment 4 Christoph Mende (RETIRED) gentoo-dev 2007-09-18 11:28:40 UTC
amd64 stable
Comment 5 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-18 11:37:55 UTC
(In reply to comment #2)
> app-office/openoffice-2.3.0 is in the tree now, too
> 

Just to note: I've just done a little update to the ebuild, using a newer ooo-build-release, as the old one still showed the 2.2-splash-screen.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-18 21:19:13 UTC
-bin stable on x86
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-19 13:01:13 UTC
=============
Building project oox
=============
/var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/oox/source/token
mkout -- version: 1.7
/usr/bin/perl gentoken.pl tokens.txt ../../unxlngi6.pro/inc/tokens.hxx ../../unxlngi6.pro/misc/tokens.gperf
gperf --compare-strncmp --output-file=../../unxlngi6.pro/misc/_tokens.cxx ../../unxlngi6.pro/misc/tokens.gperf
dmake:  Error: -- gperf: No such file or directory
dmake:  Error code -1, while making '../../unxlngi6.pro/inc/tokens.cxx'
---* tg_merge.mk *---

ERROR: Error 65280 occurred while making /var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/oox/source/token
make: *** [stamp/build] Error 1


This seems to go away (new compile not finished yet) when emerging dev-util/gperf.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-19 16:21:13 UTC
Doesn't build on ppc (bundled STLport)

g++ -D_REENTRANT -DGXX_INCLUDE_PATH=/usr/lib/gcc/powerpc-unknown-linux-gnu/4.1.2/include/g++-v4 -fexceptions -ftemplate-depth-32 -I../stlport -Wall -W -Wno-sign-compare -Wno-unused -Wno-uninitialized -O2 -mcpu=G4 -mtune=G4 -maltivec -mabi=altivec -fno-strict-aliasing -pipe -D_STLP_STRICT_ANSI -g -fPIC -D_STLP_DEBUG dll_main.cpp -c -o ../lib/obj/GCCppc/DebugSTLD/dll_main.o
../stlport/stl/_vector.h:92: error: template class without a name
../stlport/stl/_vector.h:195: error: expected unqualified-id before 'const'
../stlport/stl/_vector.h:195: error: expected `)' before 'const'
../stlport/stl/_vector.h:198: error: expected `)' before '__n'
../stlport/stl/_vector.h:204: error: expected `)' before '__n'
../stlport/stl/_vector.h:209: error: expected unqualified-id before 'const'
../stlport/stl/_vector.h:209: error: expected `)' before 'const'
../stlport/stl/_vector.h:240: error: expected `)' before '__first'
../stlport/stl/_vector.h:255: error: expected class-name before '__attribute__'
../stlport/stl/_vector.h:257: error: expected unqualified-id before '<' token
../stlport/stl/_vector.h:337: error: expected identifier before '<' token
../stlport/stl/_vector.h:337: error: expected ',' or '...' before '<' token
../stlport/stl/_vector.h: In member function 'void _STLD::<anonymous class><_Tp, _Alloc>::swap(int __vector__)':
../stlport/stl/_vector.h:338: error: '__x' was not declared in this scope
../stlport/stl/_vector.h: At global scope:
../stlport/stl/_vector.h:93: error: an anonymous union cannot have function members
../stlport/stl/_vector.h:546: error: abstract declarator '_STLD::<anonymous class><_Tp, _Alloc>' used as declaration
../stlport/stl/_relops_cont.h:6: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:7: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:7: error: 'bool _STLD::operator==(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:7: error: 'bool _STLD::operator==(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator==(int __vector__)':
../stlport/stl/_relops_cont.h:8: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:8: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:13: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:14: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:14: error: 'bool _STLD::operator<(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:14: error: 'bool _STLD::operator<(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator<(int __vector__)':
../stlport/stl/_relops_cont.h:15: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:16: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator!=(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator!=(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator!=(int __vector__)':
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator>(int __vector__)':
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator<=(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator<=(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator<=(int __vector__)':
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>=(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>=(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator>=(int __vector__)':
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:23: error: variable or field 'swap' declared void
../stlport/stl/_relops_cont.h:23: error: '_STLD::swap' declared as an 'inline' variable
../stlport/stl/_relops_cont.h:23: error: template declaration of 'int _STLD::swap'
../stlport/stl/_relops_cont.h:23: error: expected primary-expression before '__attribute__'
../stlport/stl/_relops_cont.h:23: error: expected primary-expression before '>' token
../stlport/stl/_relops_cont.h:23: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:24: error: expected primary-expression before '__attribute__'
../stlport/stl/_relops_cont.h:24: error: expected primary-expression before '>' token
../stlport/stl/_relops_cont.h:24: error: '__y' was not declared in this scope
../stlport/stl/_vector.c:41: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:57: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:85: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:110: error: expected unqualified-id before '<' token
../stlport/stl/_bvector.h:298: error: expected identifier before '<' token
../stlport/stl/_bvector.h:298: error: expected unqualified-id before '<' token
../stlport/stl/_bvector.h:791: error: expected unqualified-id before '<' token
../stlport/stl/debug/_vector.h:96: error: expected class-name before '__attribute__'
../stlport/stl/debug/_vector.h:96: error: expected `{' before '__attribute__'
../stlport/stl/debug/_vector.h:96: error: expected unqualified-id before '<' token
dll_main.cpp:172: error: expected identifier before '<' token
dll_main.cpp:172: error: expected unqualified-id before '<' token
dll_main.cpp:174: error: explicit instantiation of 'class _STLD::vector<void*, _STLD::allocator<void*> >' before definition of template
make[1]: *** [../lib/obj/GCCppc/DebugSTLD/dll_main.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/stlport/unxlngppc.pro/misc/build/STLport-4.5/src'
dmake:  Error code 2, while making 'unxlngppc.pro/misc/build/so_built_so_stlport'
---* tg_merge.mk *---

ERROR: Error 65280 occurred while making /var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/stlport
make: *** [stamp/build] Error 1
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-19 16:37:27 UTC
Ok, that oox failure has been reported (and marked as fixed) in bug 192937.  But actually I don't find the dependency in the ebuild.  OpenOffice team?
Comment 10 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-19 20:32:17 UTC
(In reply to comment #9)
> Ok, that oox failure has been reported (and marked as fixed) in bug 192937. 
> But actually I don't find the dependency in the ebuild.  OpenOffice team?
> 

This is fixed now, sorry for missing this
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-20 07:09:20 UTC
x86 stable, thanks Andreas.

ppc your problem has been tried to be fixed.
Comment 12 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-21 06:48:59 UTC
We are getting into a bit of a difficult situation here: ppc still has some building problems, and I'll be on vacation (without internet access) for two weeks starting tomorrow :( Any idea how to handle this?
Comment 13 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-21 08:01:36 UTC
Ok, as openoffice-2.3.0 obviously has more severe building problems on ppc than I can solve before being away, I've now added openoffice-2.2.1-r1 to the tree instead. That's just openoffice-2.2.1 - which seemed to work fine on ppc until now - plus the security fix and one build fix.

I'd propose this for stabilizing on ppc instead (and after that removing the ppc keyword from openoffice-2.3.0 for the time being)
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-21 19:23:47 UTC
(In reply to comment #13)
> Ok, as openoffice-2.3.0 obviously has more severe building problems on ppc than
> I can solve before being away, I've now added openoffice-2.2.1-r1 to the tree
> instead. That's just openoffice-2.2.1 - which seemed to work fine on ppc until
> now - plus the security fix and one build fix.
> 
> I'd propose this for stabilizing on ppc instead (and after that removing the
> ppc keyword from openoffice-2.3.0 for the time being)
> 

Looks like the best solution for now - i'll take a look at openoffice-2.2.1-r1.
Comment 15 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-22 05:55:27 UTC
Ok, as I'll be away now: Could someone else please also remove the old 2.2.1-ebuild (the vulnerable one) after ppc has stabilized 2.2.1-r1? Hope everything works out fine, wished this would be completed before leaving...
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-24 17:21:28 UTC
ppc please test openoffice 2.2.1-r1 or 2.3.0
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-25 17:21:13 UTC
openoffice-2.2.1-r1 also seems b0rked for ppc, i'm on my way finding a USE combination which is working ... we might want to issue a temp-glsa mentioning that the problem isn't fixed for ppc yet?

if test -f ../../unxlngppc.pro/slo/cli_uno_glue_version.o ; then touch ../../unxlngppc.pro/slo/cli_uno_glue_version.obj ; fi
cp -p assembly.cs ../../unxlngppc.pro/misc/assembly_cppuhelper.cs
echo ' \
        [assembly:System.Reflection.AssemblyVersion( "1.0.9.0" )] ' \
        ' [assembly:System.Reflection.AssemblyKeyFile("../../unxlngppc.pro/bin/cliuno.snk")] ' \
        >> ../../unxlngppc.pro/misc/assembly_cppuhelper.cs
dmake:  Error: -- `../../../external/cli/cli_types.dll' not found, and can't be made
'---* tg_merge.mk *---'
Comment 18 Lars Weiler (RETIRED) gentoo-dev 2007-09-26 11:45:39 UTC
(In reply to comment #17)
> openoffice-2.2.1-r1 also seems b0rked for ppc, i'm on my way finding a USE
> combination which is working 

I compiled OOo-2.2.1-r1 with the same USE-flags (USE="cairo cups dbus eds firefox gnome gstreamer gtk kde ldap pam sound webdav -binfilter -debug -java -mono -odk -seamonkey -xulrunner% (-branding%*)") like I compiled 2.2.1.  Everything's fine, beside the nasty bug about

**************************************************
ERROR: ERROR: Could not register all components!
in function: create_services_rdb
**************************************************

which hit us again.
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-26 16:25:25 UTC
(In reply to comment #18)
> I compiled OOo-2.2.1-r1 with the same USE-flags (USE="cairo cups dbus eds
> firefox gnome gstreamer gtk kde ldap pam sound webdav -binfilter -debug -java
> -mono -odk -seamonkey -xulrunner% (-branding%*)") like I compiled 2.2.1. 
> Everything's fine, beside the nasty bug about
> 
> **************************************************
> ERROR: ERROR: Could not register all components!
> in function: create_services_rdb
> **************************************************
> 
> which hit us again.
> 

plus USE="mono" is broken
Comment 20 Andreas Proschofsky (RETIRED) gentoo-dev 2007-10-08 10:29:53 UTC
(In reply to comment #17)
> openoffice-2.2.1-r1 also seems b0rked for ppc, 

Thats bad, even though it seems to work for others, anyway: this also would mean that 2.2.1 is broken too, as it is 2.2.1-r1 minus the security fix. Weird that I never got a single report about 2.2.1 being broken on ppc in the last months...

Maybe we should move the ppc-discussion over to bug #193056, also could you please there provide your emerge info stuff?
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-17 18:32:22 UTC
ppc any news here?
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-18 05:07:13 UTC
(In reply to comment #21)
> ppc any news here?
> 

We're waiting for #193056
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-20 19:44:36 UTC
ppc stable, finally ready for glsa ... 
Comment 24 Andreas Proschofsky (RETIRED) gentoo-dev 2007-10-21 07:04:32 UTC
I've removed the vulnerable ebuilds from the tree now
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-24 22:15:38 UTC
GLSA 200710-24, thanks everybody!
Comment 26 subs 2007-12-04 00:21:36 UTC
(In reply to comment #4)
> amd64 stable
> 

Still showing as soft masked here. All of the dependencies are now stable and I've been running 2.3.0 on amd64 for a long while without any issues. Can we get it marked as stable.
Comment 27 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 00:39:25 UTC
(In reply to comment #26)
> (In reply to comment #4)
> > amd64 stable
> Still showing as soft masked here. All of the dependencies are now stable and
> I've been running 2.3.0 on amd64 for a long while without any issues. Can we
> get it marked as stable.

That comment was about stabling openoffice-bin, not openoffice. Since openoffice was not amd64-stable before, there is no reason to stable a new version on a security bug. If your comment was a wish to generally stable openoffice on amd64, please open a separate bug about it. I'd still guess there is a reason it is not stable.