Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 522060 (CVE-2104-3524) - <app-office/libreoffice-4.2.6.3: two vulnerabilities (CVE-2014-{3524,3575})
Summary: <app-office/libreoffice-4.2.6.3: two vulnerabilities (CVE-2014-{3524,3575})
Status: RESOLVED FIXED
Alias: CVE-2104-3524
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://blog.documentfoundation.org/20...
Whiteboard: B3 [glsa]
Keywords:
: 521852 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-09-03 14:47 UTC by Agostino Sarubbo
Modified: 2016-03-09 18:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-09-03 14:47:47 UTC
From ${URL} :

Berlin, August 28, 2014 – The Document Foundation announces LibreOffice 4.3.1, the first minor release of LibreOffice 4.3 “fresh” family, with over 100 fixes (including patches for two CVEs, backported to LibreOffice 4.2.6-secfix, which is also available for 
download now).

All LibreOffice users are invited to update their installation as soon as possible to avoid security issues. This includes users who are running LibreOffice 4.2.6 as originally released on August, 5th 2014.

LibreOffice 4.3.1 and LibreOffice 4.2.6 will be shown on stage at the LibreOffice Conference in Bern, from September 3 to September 5, with a large number of sessions about development, community, marketing and migrations. The program of the event is available 
here: https://conference.libreoffice.org/2014/program.

In addition to the sessions in English, there will be a track in German focusing on open source adoptions in governments and enterprises in Switzerland, Germany and Austria: https://conference.libreoffice.org/2014/professional-user-track.

People interested in technical details about the release can access the change log here: https://wiki.documentfoundation.org/Releases/4.3.1/RC1 (fixed in RC1) and https://wiki.documentfoundation.org/Releases/4.3.1/RC2 (fixed in RC2).

CVEs patched in LibreOffice 4.3.1 and LibreOffice 4.2.6 are CVE-2014-3524 “CSV Command Injection and DDE formulas” and CVE-2014-3575 “Arbitrary File Disclosure using crafted OLE objects”.




@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-09-03 16:18:30 UTC
CVE-2014-3575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3575):
  The OLE preview generation in Apache OpenOffice before 4.1.1 and
  OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data
  into documents via crafted OLE objects.
Comment 2 Andreas Sturmlechner gentoo-dev 2014-09-04 20:24:24 UTC
*** Bug 521852 has been marked as a duplicate of this bug. ***
Comment 3 Andreas K. Hüttel gentoo-dev 2014-09-09 21:33:45 UTC
I've just added 4.2.6.3 to the tree where this is fixed. Let's wait a few days and then stabilize it (including bin packages that still need to be built).
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-10 04:50:53 UTC
Will call for stabilize on or after Sept 16.
Comment 5 Andreas K. Hüttel gentoo-dev 2014-09-11 17:56:36 UTC
(In reply to Yury German from comment #4)
> Will call for stabilize on or after Sept 16.

Sounds good. Here's the list of packages to test and stabilize (all amd64 x86):

app-office/libreoffice-4.2.6.3
app-office/libreoffice-bin-4.2.6.3
app-office/libreoffice-bin-debug-4.2.6.3
app-office/libreoffice-l10n-4.2.6.3-r1
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-17 14:26:49 UTC
Arches, please test and mark stable:

=app-office/libreoffice-4.2.6.3
=app-office/libreoffice-bin-4.2.6.3
=app-office/libreoffice-bin-debug-4.2.6.3
=app-office/libreoffice-l10n-4.2.6.3-r1

Target Keywords : "amd64 x86"

Thank you!
Comment 7 Agostino Sarubbo gentoo-dev 2014-09-18 10:10:52 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-09-19 08:35:34 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Andreas K. Hüttel gentoo-dev 2014-09-19 09:02:42 UTC
All vulnerable versions removed.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2014-10-05 20:05:05 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 11 Kristian Fiskerstrand gentoo-dev Security 2015-05-11 16:32:54 UTC
Added to existing GLSA (eafa83859)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-03-09 18:10:37 UTC
This issue was resolved and addressed in
 GLSA 201603-05 at https://security.gentoo.org/glsa/201603-05
by GLSA coordinator Kristian Fiskerstrand (K_F).