Bug 821803 (CVE-2012-2334)

Summary: CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer overflow by processing invalid Escher graphics records length in the Powerpoint documents
Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: caolanm, dtardon, erack, fweimer, jrusnack, ltinkl, mjc, mstahl, sbergman, security-response-team
Keywords: Reopened, Security
Doc Type: Bug Fix
Last Closed: 2013-05-08 18:35:31 UTC
Bug Depends On: 822966, 822967, 822969, 822970
Bug Blocks: 821911
Attachments (description, flags):
RHEL-5 backport (flags: none)
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara (flags: none)
final patch (flags: none)
final patch (flags: none)

Description Jan Lieskovsky 2012-05-15 14:19:32 UTC
An integer overflow flaw, leading to buffer overflow, was found in the way OpenOffice.org processed invalid Escher graphics records length in PowerPoint documents. An attacker could provide a specially-crafted PowerPoint document that, when opened, would cause OpenOffice.org to crash or, potentially, execute arbitrary code with the privileges of the user running OpenOffice.org.

Upstream patches:
[1] http://cgit.freedesktop.org/libreoffice/core/commit/?id=28a6558f9d3ca2dda3191f8b5b3f2378ee2533da
[2] http://cgit.freedesktop.org/libreoffice/core/commit/?id=512401decb286ba0fc3031939b8f7de8649c502e
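
The bug class named in the description above, a record length field that defeats the bounds arithmetic, shown as an added example that is not taken from this bug report or from the upstream patches: a minimal reader for the 8-byte Escher record header that checks the declared length against the bytes that remain. The function names and the sample bytes are hypothetical, and the affected code path itself is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>

/* Escher record header, 8 bytes little-endian:
 * u16 version (low 4 bits) | instance (high 12 bits), u16 type, u32 length. */
#define ESCHER_HDR_SIZE ((size_t)8)
typedef struct { uint8_t ver; uint16_t instance, type; uint32_t len; } escher_hdr;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Unsafe pattern, for contrast: the 32-bit sum wraps when len is huge. */
int unsafe_in_bounds(uint32_t off, uint32_t len, uint32_t size) { return off + 8u + len <= size; }

/* Hardened: compare len with the bytes that remain, using subtractions that
 * cannot underflow. Returns 0 on success, -1 on a malformed record. */
int escher_read_header(const uint8_t *buf, size_t size, size_t off, escher_hdr *h)
{
    if (off > size || size - off < ESCHER_HDR_SIZE)
        return -1;                       /* header truncated */
    uint16_t vi = rd16(buf + off);
    h->ver = vi & 0x0F;
    h->instance = vi >> 4;
    h->type = rd16(buf + off + 2);
    h->len = rd32(buf + off + 4);
    if (h->len > size - off - ESCHER_HDR_SIZE)
        return -1;                       /* declared length exceeds the data */
    return 0;
}

/* Walk sibling records; returns the record count, or -1 on a bad length. */
int escher_count_records(const uint8_t *buf, size_t size)
{
    size_t off = 0;
    int n = 0;
    for (escher_hdr h; off < size; n++) {
        if (escher_read_header(buf, size, off, &h) != 0)
            return -1;
        off += ESCHER_HDR_SIZE + h.len;  /* cannot pass size: checked above */
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a header declaring 0xFFFFFFF8 bytes in a 16-byte buffer. */
    uint8_t bad[16] = { 0x0F, 0x00, 0x00, 0xF0, 0xF8, 0xFF, 0xFF, 0xFF };
    return (unsafe_in_bounds(0, 0xFFFFFFF8u, 16) && escher_count_records(bad, sizeof bad) == -1) ? 0 : 1;
}
```

The program exits with status 0 when the wrapped sum accepts the oversized record and the subtraction-based check rejects it.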

Comment 2 Jan Lieskovsky 2012-05-15 14:25:08 UTC
This issue affects the versions of the openoffice.org package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the libreoffice package, as shipped with Fedora releases 15 and 16.

Comment 4 Jan Lieskovsky 2012-05-15 14:30:06 UTC
Acknowledgements:

Upstream acknowledges Sven Jacobi as the original reporter of this issue.

Comment 5 Jan Lieskovsky 2012-05-15 14:30:33 UTC
Preliminary embargo date, proposed by upstream, is tomorrow, Wednesday, 16th May 2012 at 14:00 UTC time.

Comment 8 Caolan McNamara 2012-05-16 08:16:27 UTC
Created attachment 584890 [details]
RHEL-5 backport

Comment 11 Caolan McNamara 2012-05-16 13:53:27 UTC
(In reply to comment #8)
> Created attachment 584890 [details]
> RHEL-5 backport

applies and works for RHEL-6 too

Comment 12 Jan Lieskovsky 2012-05-16 15:53:44 UTC
LibreOffice upstream advisory:
[3] http://www.libreoffice.org/advisories/cve-2012-2334/

OpenOffice.org upstream advisory:
[4] http://www.openoffice.org/security/cves/CVE-2012-2334.html

Comment 14 Jan Lieskovsky 2012-05-18 17:08:04 UTC
Statement:

(none)

Comment 22 Jan Lieskovsky 2012-05-24 12:59:44 UTC
Created attachment 586622 [details]
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara

Comment 25 David Tardon 2012-05-29 04:16:18 UTC
Created attachment 587309 [details]
final patch

Comment 26 David Tardon 2012-05-29 09:51:30 UTC
Created attachment 587370 [details]
final patch

Comment 27 errata-xmlrpc 2012-06-05 01:11:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0705 https://rhn.redhat.com/errata/RHSA-2012-0705.html