Bug 528438 (CVE-2014-3693) - <app-office/libreoffice{-bin,-bin-debug,-l10n}-4.2.8.2: Use-After-Free in socket manager of Impress Remote (CVE-2014-3693)
Status: RESOLVED FIXED
Alias: CVE-2014-3693
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.libreoffice.org/about-us/s...
Whiteboard: B3 [glsa]
Reported: 2014-11-06 13:49 UTC by Agostino Sarubbo
Modified: 2016-03-09 18:10 UTC

Description Agostino Sarubbo gentoo-dev 2014-11-06 13:49:11 UTC
From ${URL} :

Title: CVE-2014-3693 Use-After-Free in socket manager of Impress Remote

Announced: November 05, 2014

Fixed in: LibreOffice 4.2.7/4.3.3

Description:

In LibreOffice 4.0.0 and later, a new feature was added for remote control capabilities in Impress. Users can run a smart phone application to communicate with Impress over a custom protocol to switch slides and the like. By default whenever Impress is started, it immediately began listening on TCP port 1599 on all interfaces.

But there was a use after free bug in the code managing that port leaving LibreOffice vulnerable to external attackers with access to that port where those external attackers could cause the deleted port manager to continue to process attacker supplied data.

All users are recommended to upgrade to LibreOffice 4.2.7 or 4.3.3.

The impress remote can be disabled by:

1. Open LibreOffice, go to "Tools -> Options..."
2. Select "LibreOffice Impress -> General"
3. Uncheck "Presentation -> Enable remote control"



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
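
Added example, not part of the original bug report or of LibreOffice: a Linux-side check for the exposure the advisory describes, reporting whether anything is listening on TCP port 1599 and whether the socket is bound to all interfaces. It assumes the `/proc/net/tcp` table layout and a little-endian host (amd64/x86, the arches targeted in this bug); `SAMPLE` is a constructed table trimmed to its first columns.

```python
import ipaddress
import struct

IMPRESS_REMOTE_PORT = 1599  # port named in the advisory
TCP_LISTEN = "0A"           # "st" column value for a listening socket

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:063F 00000000:0000 0A 00000000:00000000
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000
   2: 0A00020F:063F 0A000214:D2A4 01 00000000:00000000
"""

def decode_addr(hex_addr):
    """Decode the kernel's hex address (32-bit words, little-endian host assumed)."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))

def find_listeners(table_text, port=IMPRESS_REMOTE_PORT):
    """Return [(address, exposure)] for sockets in LISTEN state on `port`."""
    found = []
    for line in table_text.splitlines():
        fields = line.split()
        # Skip the header, blank lines, and sockets that are not listening.
        if len(fields) < 4 or not fields[0].endswith(":") or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_addr)
        exposure = ("all-interfaces" if addr.is_unspecified else
                    "loopback-only" if addr.is_loopback else "single-interface")
        found.append((str(addr), exposure))
    return found

if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                for addr, exposure in find_listeners(fh.read()):
                    print(f"TCP {IMPRESS_REMOTE_PORT} on {addr}: {exposure}")
        except OSError:
            pass  # table not present (non-Linux host or IPv6 disabled)
```

No output while Impress is running means the remote-control listener is not active on that host.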
Comment 1 Andreas K. Hüttel gentoo-dev 2014-12-28 19:34:46 UTC
I'm preparing a bump of LibreOffice 4.2.8.2, for this bug and for the Boost 1.56 build fix from bug 522178.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-12-29 08:03:57 UTC
CVE-2014-3693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3693):
  Use-after-free vulnerability in the socket manager of Impress Remote in
  LibreOffice 4.x before 4.2.7 and 4.3.x before 4.3.3 allows remote attackers
  to cause a denial of service (crash) or possibly execute arbitrary code via
  a crafted request to TCP port 1599.
Comment 3 Andreas K. Hüttel gentoo-dev 2014-12-29 21:29:38 UTC
I have bumped LibreOffice 4.2.8.2, which is a stable branch bugfix release and addresses (amongst other things) this issue. 

Since all my machines run 4.3 and I can't downgrade, this is a blind bump, only build-tested.

Arches please TEST (i.e., build, run, play with it for a while) and stabilize

app-office/libreoffice-4.2.8.2
app-office/libreoffice-l10n-4.2.8.2
app-office/libreoffice-bin-4.2.8.2
app-office/libreoffice-bin-debug-4.2.8.2

Target: amd64 x86

NOTE: for libreoffice-bin, this depends >> only on x86 << still on bug 523164 (poppler and icu stabilization) and bug 525286 (boost stabilization), both long pending...
Comment 4 Toralf Förster gentoo-dev 2014-12-30 13:15:06 UTC
(In reply to Agostino Sarubbo from comment #0)

> 1. Open LibreOffice, go to "Tools -> Options..."
> 2. Select "LibreOffice Impress -> General"
> 3. Uncheck "Presentation -> Enable remote control"

In amd64 app-office/libreoffice-l10n-4.2.6.3-r1 I do not find this option
Comment 5 Toralf Förster gentoo-dev 2014-12-30 13:15:37 UTC
(In reply to Toralf Förster from comment #4)
 
> In amd64 app-office/libreoffice-l10n-4.2.6.3-r1 I do not find this option
I meant app-office/libreoffice-bin-4.2.6.3-r2
Comment 6 Agostino Sarubbo gentoo-dev 2015-01-02 13:40:26 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-02 13:48:42 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Andreas K. Hüttel gentoo-dev 2015-01-03 14:45:32 UTC
All vulnerable versions removed. Office out.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-01-07 02:22:34 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 10 Kristian Fiskerstrand gentoo-dev Security 2015-02-01 11:25:23 UTC
GLSA Vote: Yes. 

New request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-03-09 18:10:46 UTC
This issue was resolved and addressed in
 GLSA 201603-05 at https://security.gentoo.org/glsa/201603-05
by GLSA coordinator Kristian Fiskerstrand (K_F).