Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 565026 - <app-office/libreoffice-{bin}-5.0.3.2, <app-office/openoffice-bin-4.1.2: multiple vulnerabilities (CVE-2015-{4551,5212,5213,5214})
Summary: <app-office/libreoffice-{bin}-5.0.3.2, <app-office/openoffice-bin-4.1.2: mult...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-06 15:25 UTC by Agostino Sarubbo
Modified: 2016-11-04 07:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-11-06 15:25:13 UTC
From http://www.libreoffice.org/about-us/security/advisories/ :


Fixed in LibreOffice 4.4.6/5.0.0
CVE-2015-5214 DOC Bookmark Status Memory Corruption

Fixed in LibreOffice 4.4.5/5.0.0
CVE-2015-4551 Arbitrary file disclosure in Calc and Writer
CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)
CVE-2015-5213 DOC piecetable Integer Overflow
Comment 1 Andreas K. Hüttel gentoo-dev 2015-11-08 11:44:45 UTC
We're going for 5.0.3.2 as stabilization target (which was bumped today; I guess we can wait for a few days here to make sure nothing's obviously wrong with it).

[Note that the crashy gtk3 frontend will be stable.masked.]

I'm preparing the binary packages.
Comment 2 Andreas K. Hüttel gentoo-dev 2015-11-23 23:32:00 UTC
Arches please test and stabilize, target "amd64 x86"

=app-office/libreoffice-5.0.3.2
=app-office/libreoffice-l10n-5.0.3.2
=app-office/libreoffice-bin-5.0.3.2
=app-office/libreoffice-bin-debug-5.0.3.2
=app-text/libmwaw-0.3.6
=app-text/libwps-0.4.2

Please especially do some runtime testing (i.e. start the program and play with it) of the binary package app-office/libreoffice-bin.

Note, you can disregard any bugs about crashy behaviour with USE=gtk3; the gtk3 frontend is indeed unstable and the useflag has been stable.masked for libreoffice-5.[01]*
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-24 23:13:05 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-24 23:13:59 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Andreas K. Hüttel gentoo-dev 2015-11-28 00:14:53 UTC
All vulnerable versions removed. As detailed in comment #0, 4.4.6 can stay.

(In reply to Agostino Sarubbo from comment #0)
> From http://www.libreoffice.org/about-us/security/advisories/ :
> 
> 
> Fixed in LibreOffice 4.4.6/5.0.0
> CVE-2015-5214 DOC Bookmark Status Memory Corruption
> 
> Fixed in LibreOffice 4.4.5/5.0.0
> CVE-2015-4551 Arbitrary file disclosure in Calc and Writer
> CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)
> CVE-2015-5213 DOC piecetable Integer Overflow
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-08 01:02:09 UTC
Added to an existing GLSA Request.
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-17 10:02:03 UTC
app-office/openoffice-bin was missed.

@maintainer(s), please clean the vulnerable version from the tree:

=app-office/openoffice-bin-4.1.1
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-11-04 07:57:31 UTC
This issue was resolved and addressed in
 GLSA 201611-03 at https://security.gentoo.org/glsa/201611-03
by GLSA coordinator Aaron Bauman (b-man).