Bug 409455 - <app-office/libreoffice-{3.5.2.2,bin-3.5.2.2-r1}: XML Entity Expansion flaw by processing RDF file (CVE-2012-0037)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.libreoffice.org/advisorie...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 411449
Blocks:
Reported: 2012-03-23 15:28 UTC by Agostino Sarubbo
Modified: 2019-06-11 14:48 UTC (History)
Description Agostino Sarubbo gentoo-dev 2012-03-23 15:28:56 UTC
From upstream advisory at $URL: 

An XML Entity Expansion flaw was found in the way embedded Raptor library processed certain RDF and other XML-based format files. An attacker could create a specially-crafted file in an affected LibreOffice format which when opened could cause arbitrary code execution or local file inclusion.
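The defensive counterpart to the flaw described above: a loader that inspects the DTD of an RDF/XML file and refuses any entity declaration before the body is parsed, so neither nested expansion nor an external SYSTEM entity is ever resolved. This is an added Python example, not code from LibreOffice, Raptor or this bug; the two sample documents and the placeholder file path are constructed here.

```python
import xml.parsers.expat
# Constructed samples: plain RDF/XML metadata, and the same document with a DTD that
# declares nested internal entities plus an external SYSTEM entity (placeholder path).
BENIGN_RDF = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="doc.odt"><rdf:value>Example</rdf:value></rdf:Description>
</rdf:RDF>"""
HOSTILE_RDF = b"""<?xml version="1.0"?>
<!DOCTYPE rdf:RDF [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY ext SYSTEM "file:///placeholder/path">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="doc.odt"><rdf:value>&b;&ext;</rdf:value></rdf:Description>
</rdf:RDF>"""
class UnsafeXmlError(ValueError):
    """The document declares XML entities and is refused before anything expands."""
class _DoctypeDone(Exception):
    pass  # internal signal: the DTD has been read, stop before the body

def scan_entities(data: bytes) -> dict:
    """List entity declarations without expanding or fetching any of them.
    Expat reports each <!ENTITY> of the internal subset before reading the body,
    so stopping at the end of the DOCTYPE means nothing is expanded or resolved."""
    report = {"internal": [], "external": []}
    parser = xml.parsers.expat.ParserCreate()
    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        report["external" if (sysid or pubid) else "internal"].append(name)
    def end_doctype():
        raise _DoctypeDone
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    try:
        parser.Parse(data, True)
    except _DoctypeDone:
        pass
    return report

def parse_rdf_strict(data: bytes) -> list:
    """Return (tag, attributes) per element; refuse any file that declares entities."""
    report = scan_entities(data)
    if report["internal"] or report["external"]:
        raise UnsafeXmlError(f"entity declarations refused: {report}")
    elements = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, dict(attrs)))
    parser.Parse(data, True)
    return elements
```

RDF/XML metadata has no legitimate need for a DOCTYPE with entity declarations, so refusing them outright costs nothing and removes both the expansion and the file-inclusion vector in one check.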
Comment 1 Agostino Sarubbo gentoo-dev 2012-03-23 15:41:31 UTC
@security:

1) Some info for the glsa:

The first fixed version of libreoffice for all arches is 3.4.3.2-r1
The first fixed version of libreoffice-bin only for amd64 is: 3.4.3.2-r1
x86 seems to have problems with the 3.4 series and will probably stabilize 3.5

2) The original raptor issue seems B4, but the libreoffice advisory says execution of code, what about it?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-25 03:15:20 UTC
Thanks, folks. Looks like stabilization of app-office/libreoffice-{3.5.2.2,bin-3.5.2.2-r1} was completed via bug 411449. GLSA request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 10:56:57 UTC
This issue was resolved and addressed in GLSA 201209-05 at http://security.gentoo.org/glsa/glsa-201209-05.xml by GLSA coordinator Sean Amoss (ackle).
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-06-11 14:48:44 UTC
Remove invalid encoded alias.