Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 409509 - <app-office/openoffice-bin-3.4.0 : XML Entity Expansion flaw by processing RDF file (CVE-2012-0037), multiple vulnerabilities (CVE-2012-{1149,2149,2334})
Summary: <app-office/openoffice-bin-3.4.0 : XML Entity Expansion flaw by processing RD...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: CVE-2011-2713
  Show dependency tree
Reported: 2012-03-24 09:30 UTC by Agostino Sarubbo
Modified: 2014-08-31 15:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

openoffice-bin-3.4.0_rc1.ebuild (openoffice-bin-3.4.0_rc1.ebuild,6.42 KB, text/plain)
2012-04-19 23:41 UTC, Chí-Thanh Christopher Nguyễn
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-03-24 09:30:43 UTC
Same of bug 409455

An XML Entity Expansion flaw was found in the way embedded Raptor library processed certain RDF and other XML-based format files. An attacker could create a specially-crafted file in an affected LibreOffice format which when opened could cause arbitrary code execution or local file inclusion.
Comment 1 Agostino Sarubbo gentoo-dev 2012-03-24 09:31:27 UTC
I add [upstream] because they have not yet released a fixed bin.
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-03-24 10:03:43 UTC
According to upstream, this is only a data leakage vulnerability (disclosure of arbitrary files).

A workaround is to save untrusted files in ODF 1.0/1.1 format, which will avoid the vulnerable code.

Upstream has provided instructions on how to fix this vulnerability. I will investigate whether following these instructions or packaging a 3.4 developer snapshot is preferable.
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-04-19 09:21:33 UTC
OpenOffice 3.4 RC1 has been released, an ebuild is coming up.
Comment 4 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-04-19 23:41:08 UTC
Created attachment 309549 [details]

ebuild will be added to portage once an official announcement from AOO exists.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-05-13 16:28:37 UTC
Rerating B2 for code execution. Added to GLSA request.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-05-13 16:31:42 UTC
Ok, I see c2 now. Looking around, it seems this may or may not allow code execution. Need to research before publishing GLSA...
Comment 7 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-05-18 22:11:57 UTC
More vulnerabilities were disclosed. All are fixed in 3.4.0. Adding to this bug per underling on IRC:

CVE-2012-1149 integer overflow error in vclmi.dll module when allocating memory for an embedded image object

CVE-2012-2149 memory overwrite vulnerability

CVE-2012-2334 Vulnerabilities related to malformed Powerpoint files in 3.3.0

Code execution is possible through CVE-2012-2149.
Comment 8 Michael Harrison 2012-05-19 08:24:48 UTC
CVE-2012-1149 specifically pertains to libreoffice and bug 416457 was created for it prior to the above comment.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 22:50:49 UTC
CVE-2012-2334 (
  Integer overflow in filter/source/msfilter/msdffimp.cxx in
  (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3,
  allows remote attackers to cause a denial of service (crash) and possibly
  execute arbitrary code via the length of an Escher graphics record in a
  PowerPoint (.ppt) document, which triggers a buffer overflow.

CVE-2012-2149 (
  The WPXContentListener::_closeTableRow function in WPXContentListener.cpp in
  libwpd 0.8.8, as used by (OOo) before 3.4, allows remote
  attackers to execute arbitrary code via a crafted Wordperfect .WPD document
  that causes a negative array index to be used.  NOTE: some sources report
  this issue as an integer overflow.

CVE-2012-1149 (
  Integer overflow in the vclmi.dll module in (OOo) 3.3, 3.4
  Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote
  attackers to cause a denial of service (application crash) and possibly
  execute arbitrary code via a crafted embedded image object, as demonstrated
  by a JPEG image in a .DOC file, which triggers a heap-based buffer overflow.

CVE-2012-0037 (
  Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and
  3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other
  products, allows user-assisted remote attackers to read arbitrary files via
  a crafted XML external entity (XXE) declaration and reference in an RDF
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 15:21:47 UTC
This issue was resolved and addressed in
 GLSA 201408-19 at
by GLSA coordinator Kristian Fiskerstrand (K_F).