Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616472 (CVE-2016-10327, CVE-2017-7856, CVE-2017-7870, CVE-2017-7882) - <app-office/libreoffice-5.2.7.2: Multiple vulnerabilities
Summary: <app-office/libreoffice-5.2.7.2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-10327, CVE-2017-7856, CVE-2017-7870, CVE-2017-7882
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-24 11:40 UTC by Agostino Sarubbo
Modified: 2017-06-27 10:06 UTC (History)
0 users

See Also:
Package list:
=app-office/libreoffice-5.2.7.2 =app-office/libreoffice-l10n-5.2.7.2 =app-office/libreoffice-bin-5.2.7.2 =app-office/libreoffice-bin-debug-5.2.7.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-24 11:40:59 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1444053:

LibreOffice has an out-of-bounds write caused by a heap-based buffer overflow related to the EnhWMFReader::ReadEnhWMF function in vcl/source/filter/wmf/enhwmf.cxx.
References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=313
Upstream patch:
https://github.com/LibreOffice/core/commit/7485fc2a1484f31631f62f97e5c64c0ae74c6416


From https://bugzilla.redhat.com/show_bug.cgi?id=1444061:

LibreOffice has an out-of-bounds write caused by a heap-based buffer overflow related to the tools::Polygon::Insert function in tools/source/generic/poly.cxx.
References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=372
Upstream patch:
https://github.com/LibreOffice/core/commit/62a97e6a561ce65e88d4c537a1b82c336f012722


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-04-27 19:01:24 UTC
CVE-2017-7882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7882):
  LibreOffice before 2017-03-14 has an out-of-bounds write related to the
  HWPFile::TagsRead function in hwpfilter/source/hwpfile.cxx.

CVE-2017-7870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7870):
  LibreOffice before 2017-01-02 has an out-of-bounds write caused by a
  heap-based buffer overflow related to the tools::Polygon::Insert function in
  tools/source/generic/poly.cxx.

CVE-2017-7856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7856):
  LibreOffice before 2017-03-11 has an out-of-bounds write caused by a
  heap-based buffer overflow in the SVMConverter::ImplConvertFromSVM1 function
  in vcl/source/gdi/svmconverter.cxx.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-04-28 21:26:48 UTC

TL;DR: 
* Two of these issues have never been in *any* LO release.
* Two of these issues are present in current stable and will be fixed in LO 5.2.7, to be released within the next days ("Week 18 , May 1, 2017 - May 7, 2017").

I guess this merits waiting.

------------------------------


> From https://bugzilla.redhat.com/show_bug.cgi?id=1444053:
> LibreOffice has an out-of-bounds write caused by a heap-based buffer
> overflow related to the EnhWMFReader::ReadEnhWMF function in
> vcl/source/filter/wmf/enhwmf.cxx.
> References:
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=313
> Upstream patch:
> https://github.com/LibreOffice/core/commit/
> 7485fc2a1484f31631f62f97e5c64c0ae74c6416

This is CVE-2016-10327. The bug was present in the 5.2 branch and a fix has been backported upstream. 
f84516a348ea8e05bbf89816505a6041e711ebfd


> CVE-2017-7882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7882):
>   LibreOffice before 2017-03-14 has an out-of-bounds write related to the
>   HWPFile::TagsRead function in hwpfilter/source/hwpfile.cxx.

^ The affected versions statement in the CVE is incorrect. This code has never been in the Libreoffice 5.2 branch or 5.3 branch. No release with this code exists.


> CVE-2017-7870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7870):
>   LibreOffice before 2017-01-02 has an out-of-bounds write caused by a
>   heap-based buffer overflow related to the tools::Polygon::Insert function
> in
>   tools/source/generic/poly.cxx.

> From https://bugzilla.redhat.com/show_bug.cgi?id=1444061:
> LibreOffice has an out-of-bounds write caused by a heap-based buffer
> overflow related to the tools::Polygon::Insert function in
> tools/source/generic/poly.cxx.
> References:
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=372
> Upstream patch:
> https://github.com/LibreOffice/core/commit/
> 62a97e6a561ce65e88d4c537a1b82c336f012722

The bug is present in the 5.2 branch, a fix has been backported upstream
28e1680182666c13599b744efca8e0ebd08706d5


> CVE-2017-7856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7856):
>   LibreOffice before 2017-03-11 has an out-of-bounds write caused by a
>   heap-based buffer overflow in the SVMConverter::ImplConvertFromSVM1
> function
>   in vcl/source/gdi/svmconverter.cxx.

^ The affected versions statement in the CVE is incorrect. This code has never been in the Libreoffice 5.2 branch or 5.3 branch. No release with this code exists.
Comment 3 Andreas Sturmlechner gentoo-dev 2017-05-05 21:25:35 UTC
(In reply to Andreas K. Hüttel from comment #2)
> * Two of these issues are present in current stable and will be fixed in LO
> 5.2.7, to be released within the next days ("Week 18 , May 1, 2017 - May 7,
> 2017").
5.2.7.2 has entered tree with commit eadc94d6ffda9daa6d32724a450e089cbc8e602d
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 06:16:59 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-05-21 07:33:32 UTC
Has been in tree for a week, Calling for stabilization.

Arches, please test and mark stable:

=app-office/libreoffice-5.2.7.2

Target Keywords : "amd64 x86"

Thank you!
Comment 6 Agostino Sarubbo gentoo-dev 2017-05-21 09:15:05 UTC
what about -bin ?
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2017-05-21 10:22:54 UTC
(In reply to Yury German from comment #5)
> Has been in tree for a week, Calling for stabilization.
> 
> Arches, please test and mark stable:
> 
> =app-office/libreoffice-5.2.7.2
> 
> Target Keywords : "amd64 x86"
> 
> Thank you!

Nope. Hands off.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2017-05-21 10:57:11 UTC
It takes some time to make the binary packages (and would even take more time if Patrick hadn't given me access to his personal build server).

Arches please stabilize amd64 x86

=app-office/libreoffice-5.2.7.2
=app-office/libreoffice-l10n-5.2.7.2
=app-office/libreoffice-bin-5.2.7.2
=app-office/libreoffice-bin-debug-5.2.7.2
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-22 06:50:00 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-05-22 09:25:52 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2017-05-28 22:12:32 UTC
Cleanup done
Comment 12 Thomas Deutschmann gentoo-dev Security 2017-06-08 18:53:15 UTC
New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-06-27 10:06:58 UTC
This issue was resolved and addressed in
 GLSA 201706-28 at https://security.gentoo.org/glsa/201706-28
by GLSA coordinator Thomas Deutschmann (whissi).