Bug 514886 (CVE-2014-0247) - <app-office/libreoffice{,-bin}-4.2.5.2: VBA macros executed unconditionally (CVE-2014-0247)
Status: RESOLVED FIXED
Alias: CVE-2014-0247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 511144 514374
Depends on:
Blocks:
 
Reported: 2014-06-24 10:40 UTC by Agostino Sarubbo
Modified: 2014-09-03 21:53 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-06-24 10:40:18 UTC
From ${URL}:

It was found that LibreOffice documents executed macros unconditionally, without user approval,
when these documents were opened using LibreOffice. An attacker could use this flaw to execute
arbitrary code as the user running LibreOffice, by embedding malicious VBA scripts in the document
as macros.

The following commit fixes this issue:
http://cgit.freedesktop.org/libreoffice/core/commit/?id=1b0402f87c9b17fef2141130bfaa1798ece6ba0d


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
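The flaw above is that LibreOffice ran embedded macros without asking; the fixed version restores the prompt. Until every host is on a fixed build, a defender can at least triage incoming documents for embedded macro code before they reach a user. The script below is an added example for this bug report, not code from LibreOffice or from Gentoo: it opens a ZIP-based office package (OOXML or ODF), reports the parts that carry macro code, and is exercised against three small documents constructed in memory. It relies on the documented package layouts (OOXML stores VBA in a `vbaProject.bin` part declared with the `application/vnd.ms-office.vbaProject` content type; ODF stores Basic libraries under `Basic/` and other script languages under `Scripts/`); legacy OLE2 `.doc`/`.xls` files are not ZIP packages and are rejected rather than inspected.

```python
import io
import zipfile

# Package members that indicate embedded macro code.
# OOXML (docm/xlsm/pptm): VBA lives in a binary vbaProject.bin part.
# ODF (odt/ods/odp): Basic libraries live under Basic/, other script
# languages (Python, JavaScript, BeanShell) under Scripts/.
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
ODF_MACRO_PREFIXES = ("Basic/", "Scripts/")


def embedded_macro_indicators(document_bytes: bytes) -> list[str]:
    """Return the reasons why this ZIP-based office document appears to
    carry macros; an empty list means no macro part was found.
    Raises ValueError for input that is not a ZIP package (e.g. legacy OLE2
    .doc/.xls files, which need a separate OLE parser)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(document_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a ZIP-based office package") from exc

    reasons: list[str] = []
    with archive:
        names = archive.namelist()
        for name in names:
            if name.endswith(VBA_PART_SUFFIX):
                reasons.append(f"OOXML VBA project part: {name}")
            elif name.startswith(ODF_MACRO_PREFIXES) and not name.endswith("/"):
                reasons.append(f"ODF script part: {name}")
        # The OOXML content-types manifest also declares the VBA project,
        # which catches a vbaProject part stored under an unusual name.
        if "[Content_Types].xml" in names:
            if VBA_CONTENT_TYPE in archive.read("[Content_Types].xml"):
                reasons.append("content type declares a VBA project")
    return reasons


def _build_package(members: dict[str, bytes]) -> bytes:
    """Helper: build an in-memory ZIP package from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample documents (minimal, not real LibreOffice output).
CLEAN_DOCX = _build_package({
    "[Content_Types].xml": b'<Types><Default Extension="xml" '
                           b'ContentType="application/xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})

MACRO_DOCM = _build_package({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    # Placeholder bytes standing in for the OLE2 container real VBA uses.
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder",
})

MACRO_ODT = _build_package({
    "mimetype": b"application/vnd.oasis.opendocument.text",
    "content.xml": b"<office:document-content/>",
    "Basic/script-lc.xml": b"<library:libraries/>",
    "Basic/Standard/Module1.xml": b"<script:module/>",
})


if __name__ == "__main__":
    for label, doc in (("clean docx", CLEAN_DOCX),
                       ("macro docm", MACRO_DOCM),
                       ("macro odt", MACRO_ODT)):
        print(f"{label}: {embedded_macro_indicators(doc) or 'no macro parts'}")
```

Run as a script it prints one line per sample; in a mail gateway or upload handler the same function would route any document with a non-empty result to quarantine or manual review. Note that it only says whether macro code is present, not whether it is malicious, and that a document renamed to hide its extension is still caught because the check looks inside the package rather than at the file name.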
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2014-06-24 21:33:50 UTC
Version bump is on the way (build testing now).
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2014-06-24 21:35:17 UTC
*** Bug 514374 has been marked as a duplicate of this bug. ***
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2014-06-25 12:55:31 UTC
app-office/libreoffice-4.2.5.2 and app-office/libreoffice-l10n-4.2.5.2 bumped.

Let's give it a few days in ~arch now to find obvious problems. 
Binary packages in preparation.
Comment 4 Agostino Sarubbo gentoo-dev 2014-06-25 13:49:58 UTC
(In reply to Andreas K. Hüttel from comment #3)
> app-office/libreoffice-4.2.5.2 and app-office/libreoffice-l10n-4.2.5.2
> bumped.
> 
> Let's give it a few days in ~arch now to find obvious problems. 
> Binary packages in preparation.

Thanks Andreas for the work.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2014-06-28 12:54:02 UTC
Arches please *test* (especially the bin packages, since I cannot test much there) and then if all is OK mark stable:

Target: amd64 x86

=app-office/libreoffice-4.2.5.2
=app-office/libreoffice-l10n-4.2.5.2
=app-office/libreoffice-bin-4.2.5.2
=app-office/libreoffice-bin-debug-4.2.5.2

On x86 the following dependencies are still missing and need be stabilized at the same time, too:

=dev-libs/icu-52.1
=dev-cpp/libcmis-0.4.1
=media-libs/libfreehand-0.0.0
=dev-util/mdds-0.10.3
=app-text/libetonyek-0.0.3
=app-text/libabw-0.0.2
=app-text/libodfgen-0.0.4
=app-text/libebook-0.0.2
=app-text/libmwaw-0.2.0

Known minor issues: 
* The USE=kde variant does not use the KDE file dialogs right now but the default internal ones. We can't do much here since our Qt packages are missing some critical fixes (bug 514968).
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2014-06-28 12:55:20 UTC
*** Bug 511144 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2014-06-29 12:29:32 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-06-29 16:43:45 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2014-06-29 18:24:27 UTC
All vulnerable versions removed. Thanks everyone.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 14:46:14 UTC
Arches and Maintainer(s), thank you for your work.

Added to an existing GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 15:22:03 UTC
This issue was resolved and addressed in GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-09-03 21:53:18 UTC
CVE-2014-0247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0247):
LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possibly related to doc/docmacromode.cxx.