Bug 676122 (CVE-2018-11790) - <app-office/openoffice-bin-4.1.6 Arithmetic overflow and wrap around during string length calculation (CVE-2018-11790)
Status: RESOLVED FIXED
Alias: CVE-2018-11790
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-23 19:17 UTC by Sergey Torokhov
Modified: 2019-03-29 23:15 UTC

See Also:
Package list:
app-office/openoffice-bin-4.1.6 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Description Sergey Torokhov 2019-01-23 19:17:52 UTC
Apache OpenOffice 1.4.6 was released on 18 November 2018.

There is also a closed vulnerability CVE-2018-11790 [1]
as stated on the Apache OpenOffice Security Team Bulletin page [2].

[1] https://www.openoffice.org/security/cves/CVE-2018-11790.html
[2] https://www.openoffice.org/security/bulletin.html


Chí-Thanh and Security team, could you update this package?

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2019-01-25 20:52:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e13b3f4bb48373edffda315d1ba240893ee385f

commit 2e13b3f4bb48373edffda315d1ba240893ee385f
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2019-01-25 20:52:03 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2019-01-25 20:52:03 +0000

    app-office/openoffice-bin: security bump to 4.1.6
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=676122
    Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 app-office/openoffice-bin/Manifest                 |  80 +++++++++
 .../openoffice-bin/openoffice-bin-4.1.6.ebuild     | 190 +++++++++++++++++++++
 2 files changed, 270 insertions(+)
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-01-31 13:30:18 UTC
Arches, please stabilize app-office/openoffice-4.1.6
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-01-31 13:31:06 UTC
I meant of course
app-office/openoffice-bin-4.1.6
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-06 11:50:19 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-15 18:21:52 UTC
x86 stable
Comment 6 Larry the Git Cow gentoo-dev 2019-02-15 19:36:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f671f5be5ab9b490609ca0eae518ea230ec64b7b

commit f671f5be5ab9b490609ca0eae518ea230ec64b7b
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2019-02-15 19:33:55 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2019-02-15 19:35:49 +0000

    app-office/openoffice-bin: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=676122
    Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 app-office/openoffice-bin/Manifest                 | 160 ------------------
 .../openoffice-bin/openoffice-bin-4.1.4.ebuild     | 188 ---------------------
 .../openoffice-bin/openoffice-bin-4.1.5.ebuild     | 188 ---------------------
 3 files changed, 536 deletions(-)