Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 416457 (CVE-2012-1149) - <app-office/libreoffice{,-bin}-3.5.4.2-r1 : Integer Overflow (CVE-2012-1149)
Summary: <app-office/libreoffice{,-bin}-3.5.4.2-r1 : Integer Overflow (CVE-2012-1149)
Status: RESOLVED FIXED
Alias: CVE-2012-1149
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.libreoffice.org/advisories...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-18 06:31 UTC by Michael Harrison
Modified: 2012-09-24 10:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2012-05-18 06:31:14 UTC
An integer overflow error in the vclmi.dll module when allocating memory for an embedded image object can be exploited to cause a heap-based buffer overflow e.g. via a specially crafted JPEG object within a DOC file.

This is also vulnerability #1 under 
http://secunia.com/advisories/46992/
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2012-05-24 13:19:03 UTC
Should be fixed in our tree as it was fixed in libreoffice in december.

http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-3-5&id=1387ae23816db26066ab79b0c4ad33e6e0f2d968
Comment 2 Tomáš Chvátal (RETIRED) gentoo-dev 2012-05-24 13:20:22 UTC
But hey I want to stabilise 3.5.4.2 anyway, so lets use this bug as arches at least do it faster ^_^
Comment 3 Tomáš Chvátal (RETIRED) gentoo-dev 2012-05-24 13:21:33 UTC
I think it was announced now because apache-oo has finaly release.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-05-25 03:27:12 UTC
Thanks, Tomáš. 3.5.3 is listed as first fixed releases. Do we want to stabilize =app-office/libreoffice-3.5.3.2, 3.5.4.2, or something else? And would you mind adding a fixed libreoffice-bin too please?
Comment 5 Andreas K. Hüttel gentoo-dev 2012-05-26 21:47:57 UTC
(In reply to comment #2)
> But hey I want to stabilise 3.5.4.2 anyway, so lets use this bug as arches
> at least do it faster ^_^

(In reply to comment #4)
> Thanks, Tomáš. 3.5.3 is listed as first fixed releases. Do we want to
> stabilize =app-office/libreoffice-3.5.3.2, 3.5.4.2, or something else? And
> would you mind adding a fixed libreoffice-bin too please?

I'd say stabilization candidate is 3.5.4.2 (as Tomas stated above), but we should probably wait until that version has made the step from "official rc, highly likely to be identical to final" to "official 3.5.4 release".

I'll prepare the binaries as soon as the source packages are stable.
Comment 6 Tomáš Chvátal (RETIRED) gentoo-dev 2012-05-29 09:07:13 UTC
Lets roll:

Arches please test and stabilise app-office/libreoffice-3.5.4.2-r1.

Cheers

Tom
Comment 7 Tomáš Chvátal (RETIRED) gentoo-dev 2012-05-29 12:05:02 UTC
ppc done.
Comment 8 Maurizio Camisaschi (amd64 AT) 2012-05-29 21:55:10 UTC
amd64 ok
Comment 9 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-05-30 00:46:35 UTC
amd64: pass
Comment 10 Agostino Sarubbo gentoo-dev 2012-05-30 09:03:31 UTC
libreoffice-3.5.4.2-r1.ebuild stable for amd64, thanks k01 and Armageddon.
Comment 11 Andreas K. Hüttel gentoo-dev 2012-05-30 10:49:44 UTC
Just for the record, I'll redo the binaries after the sources are stable (so there is a consistent set of libraries to build against).
Comment 12 Andreas Schürch gentoo-dev 2012-05-31 11:46:38 UTC
x86 stable.
Comment 13 Agostino Sarubbo gentoo-dev 2012-05-31 11:49:49 UTC
@office, go ahead with building of -bin packages.
Comment 14 Andreas K. Hüttel gentoo-dev 2012-06-03 10:47:01 UTC
Binary packages are up... Arches please test and stabilize

app-office/libreoffice-bin-3.5.4.2-r1
app-office/libreoffice-bin-debug-3.5.4.2-r1

Target amd64 x86
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2012-06-03 16:52:02 UTC
x86:
all binary  install ok. (tried install with specific USE flags: no problems for me). Also all *DEPEND  compiles ok. I'm not see problems and no complaints from repoman.
libreoffice-bin-debug: in src_install() does not exist || die for trivial install method, please check and fix it.
Please mark stable for x86.
Comment 16 Andreas K. Hüttel gentoo-dev 2012-06-03 22:48:17 UTC
(In reply to comment #15)
> libreoffice-bin-debug: in src_install() does not exist || die for trivial
> install method, please check and fix it.

"|| die" added, thanks
Comment 17 Maurizio Camisaschi (amd64 AT) 2012-06-04 10:20:06 UTC
(In reply to comment #14)
> app-office/libreoffice-bin-3.5.4.2-r1
> app-office/libreoffice-bin-debug-3.5.4.2-r1

amd64 ok
Comment 18 Agostino Sarubbo gentoo-dev 2012-06-04 10:31:51 UTC
amd64 stable
Comment 19 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-06-08 11:45:42 UTC
x86 stable
Comment 20 Andreas K. Hüttel gentoo-dev 2012-06-08 11:51:41 UTC
(In reply to comment #19)
> x86 stable

app-office/libreoffice-bin-debug-3.5.4.2-r1 is missing
Comment 21 Johannes Huber gentoo-dev 2012-06-15 10:22:44 UTC
>  11 Jun 2012; Jeff Horelick <jdhore@gentoo.org>
>  -libreoffice-bin-debug-3.5.2.2-r1.ebuild:
>  Remove old (broken) version.

>  11 Jun 2012; Jeff Horelick <jdhore@gentoo.org>
>  libreoffice-bin-debug-3.5.4.2-r1.ebuild:
>  marked x86 per dilfridge
Comment 22 Sean Amoss gentoo-dev Security 2012-06-15 11:59:28 UTC
Thanks, everyone. 

Adding to existing GLSA request.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 10:56:59 UTC
This issue was resolved and addressed in
 GLSA 201209-05 at http://security.gentoo.org/glsa/glsa-201209-05.xml
by GLSA coordinator Sean Amoss (ackle).