Bug 1138882 (CVE-2014-3575)

Summary: CVE-2014-3575 openoffice: Arbitrary file disclosure via crafted OLE objects
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: caolanm, dtardon, erack, jrusnack, ltinkl, mstahl, sbergman
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openoffice.org 4.1.1 Doc Type: Bug Fix
Doc Text:
A flaw was found in the OLE (Object Linking and Embedding) generation in LibreOffice. An attacker could use this flaw to embed malicious OLE code in a LibreOffice document, allowing for arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-10 03:13:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1139592, 1164736    
Bug Blocks: 1121513, 1138878    

Description Vincent Danen 2014-09-05 22:31:38 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3575 to
the following vulnerability:

Name: CVE-2014-3575
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3575
Assigned: 20140514
Reference: BUGTRAQ:20140821 CVE-2014-3575:OpenOffice Targeted Data Exposure Using Crafted OLE Objects
Reference: http://archives.neohapsis.com/archives/bugtraq/2014-08/0115.html
Reference: SECTRACK:1030754
Reference: http://www.securitytracker.com/id/1030754
Reference: XF:apache-openoffice-cve20143575-info-disc(95420)
Reference: http://xforce.iss.net/xforce/xfdb/95420

The OLE preview generation in Apache OpenOffice before 4.1.1 and
OpenOffice.org (OOo) might allow remote attackers to embed arbitrary
data into documents via crafted OLE objects.
Comment 3 Huzaifa S. Sidhpurwala 2014-09-09 09:40:00 UTC 
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1139592]
Comment 6 Huzaifa S. Sidhpurwala 2014-11-26 07:08:13 UTC 
As per the upstream advisory:

The vulnerability allows an attacker to send a document which when opened will trigger the prompt to "Update Links" but if the user cancels that prompt may still generate and insert into the document an OLE2 preview image of a file on the victims filesystem, Data exposure is possible if the updated document is then distributed to other parties.

Reference:

http://www.libreoffice.org/about-us/security/advisories/cve-2014-3575/
Comment 7 Huzaifa S. Sidhpurwala 2014-11-27 05:06:42 UTC 
Mitigation:

- Whenever possible, exercise caution when opening documents sent by unknown/untrusted parties.

- If "Update Links" dialog is seen, when opening a document, do not send this document to others, since it may be possible that local files got attached to the document. (The exploit only works when the document is sent over to the attacker after opening it on your system using LibreOffice/OpenOffice)
Comment 8 Huzaifa S. Sidhpurwala 2014-11-27 05:12:14 UTC 
Statement:

This issue affects the version of OpenOffice.org as shipped in Red Hat Enterprise Linux 5, and the version of LibreOffice as shipped in Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this issue as having Moderate security impact and is not planned to be addressed in any future updates.
Comment 9 errata-xmlrpc 2015-03-05 08:51:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0377 https://rhn.redhat.com/errata/RHSA-2015-0377.html