Bug 1507805 (CVE-2017-12607)

Summary: CVE-2017-12607 libreoffice: Out-of-bounds write in the PPTStyleSheet::PPTStyleSheet functionality
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anemec, caolanm, dtardon, erack, mstahl, sbergman
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreoffice 5.0.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-31 09:23:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1507808    
Bug Blocks: 1507560    

Description Andrej Nemec 2017-10-31 08:20:30 UTC 
An exploitable out of bound write vulnerability exists in the PPTStyleSheet::PPTStyleSheet functionality of Apache OpenOffice. A specially crafted PPT file can cause an out of bound write resulting in arbitrary code execution. An attacker can send/provide a malicious PPT file to trigger this vulnerability.

External References:

https://www.talosintelligence.com/reports/TALOS-2017-0300
https://www.openoffice.org/security/cves/CVE-2017-12607.html
https://www.libreoffice.org/about-us/security/advisories/CVE-2017-12607
Comment 1 Andrej Nemec 2017-10-31 08:23:06 UTC 
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1507808]
Comment 2 David Tardon 2017-10-31 08:52:23 UTC 
At a glance, this should be addressed by https://gerrit.libreoffice.org/gitweb?p=core.git;a=commitdiff_plain;h=6c401a7bdc4e0f5340203b9885e368cb96986aa1 . Is it possible to get a reproducer?
Comment 3 David Tardon 2017-10-31 09:08:24 UTC 
The actual commit fixing this is https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1 -> no current Fedora is vulnerable.
Comment 4 Huzaifa S. Sidhpurwala 2017-10-31 09:23:45 UTC 
As per LibreOffice upstream advisory mentioned in comment 0, this issue is fixed in version 5.0.2, hence only the version shipped with Red Hat Enterprise Linux 6 is vulnerable.