From https://bugzilla.redhat.com/show_bug.cgi?id=988832 :

A NULL pointer dereference flaw was found in the way Apache OpenOffice and LibreOffice, office productivity suites, used to previously handle certain Microsoft Office Open XML format / Microsoft Office Word Macro-Enabled (DOCM) documents. A remote attacker could provide a specially-crafted DOCM format file that, when processed in some application from the Apache OpenOffice or LibreOffice suites, would lead to that application's crash.

References:
[1] http://www.openoffice.org/security/cves/CVE-2013-4156.html
[2] http://www.libreoffice.org/advisories/cve-2013-4156/
From https://bugzilla.redhat.com/show_bug.cgi?id=988834 :

A security flaw was found in the way Apache OpenOffice and LibreOffice, office productivity suites, previously used to handle certain, invalid PLCF (Plex of Character Positions in File) elements when parsing selected Microsoft Office Word (DOC) format documents. A remote attacker could provide a specially-crafted DOC format file that, when processed in some application from the Apache OpenOffice or LibreOffice suites, would lead to that application's crash or, potentially, arbitrary code execution with the privileges of the user running the application.

References:
[1] http://www.openoffice.org/security/cves/CVE-2013-2189.html
[2] http://www.libreoffice.org/advisories/CVE-2013-2189/

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-4156 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4156):
Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted element in an OOXML document file.

CVE-2013-2189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2189):
Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via invalid PLCF data in a DOC document file.
(In reply to Agostino Sarubbo from comment #1)
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please say explicitly if it is ready for the stabilization or not.

Next time CC app-office/openoffice-bin maintainer (me) too, please

Arches, please stabilize app-office/openoffice-bin-4.0.1
Target keywords: amd64 x86
amd64 stable
x86 stable
Vulnerable versions have been removed from the tree.
(In reply to Chí-Thanh Christopher Nguyễn from comment #6)
> Vulnerable versions have been removed from the tree.

Indeed. Nothing to do for openoffice anymore
GLSA vote: no.
GLSA vote: no

Closing as noglsa