Bug 821803 - (CVE-2012-2334) CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer overflow by processing invalid Escher graphics records length in the Powerpoint documents
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20120516,repo...
Keywords: Reopened, Security
Depends On: 822966 822967 822969 822970
Blocks: 821911
Reported: 2012-05-15 10:19 EDT by Jan Lieskovsky
Modified: 2016-01-26 07:18 EST

Doc Type: Bug Fix
Last Closed: 2013-05-08 14:35:31 EDT

Attachments:
RHEL-5 backport (4.79 KB, patch), 2012-05-16 04:16 EDT, Caolan McNamara
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara (5.10 KB, patch), 2012-05-24 08:59 EDT, Jan Lieskovsky
final patch (5.10 KB, patch), 2012-05-29 00:16 EDT, David Tardon
final patch (5.10 KB, patch), 2012-05-29 05:51 EDT, David Tardon

Description Jan Lieskovsky 2012-05-15 10:19:32 EDT
An integer overflow flaw, leading to buffer overflow, was found in the way OpenOffice.org processed invalid Escher graphics records length in PowerPoint documents. An attacker could provide a specially-crafted PowerPoint document that, when opened, would cause OpenOffice.org to crash or, potentially, execute arbitrary code with the privileges of the user running OpenOffice.org.

Upstream patches:
[1] http://cgit.freedesktop.org/libreoffice/core/commit/?id=28a6558f9d3ca2dda3191f8b5b3f2378ee2533da
[2] http://cgit.freedesktop.org/libreoffice/core/commit/?id=512401decb286ba0fc3031939b8f7de8649c502e
Comment 2 Jan Lieskovsky 2012-05-15 10:25:08 EDT
This issue affects the versions of the openoffice.org package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the libreoffice package, as shipped with Fedora releases 15 and 16.
Comment 4 Jan Lieskovsky 2012-05-15 10:30:06 EDT
Acknowledgements:

Upstream acknowledges Sven Jacobi as the original reporter of this issue.
Comment 5 Jan Lieskovsky 2012-05-15 10:30:33 EDT
Preliminary embargo date, proposed by upstream, is tomorrow, Wednesday, 16th May 2012, at 14:00 UTC.
Comment 8 Caolan McNamara 2012-05-16 04:16:27 EDT
Created attachment 584890
RHEL-5 backport
Comment 11 Caolan McNamara 2012-05-16 09:53:27 EDT
(In reply to comment #8)
> Created attachment 584890
> RHEL-5 backport

applies and works for RHEL-6 too
Comment 12 Jan Lieskovsky 2012-05-16 11:53:44 EDT
LibreOffice upstream advisory:
[3] http://www.libreoffice.org/advisories/cve-2012-2334/

OpenOffice.org upstream advisory:
[4] http://www.openoffice.org/security/cves/CVE-2012-2334.html
Comment 14 Jan Lieskovsky 2012-05-18 13:08:04 EDT
Statement:

(none)
Comment 22 Jan Lieskovsky 2012-05-24 08:59:44 EDT
Created attachment 586622
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara
Comment 25 David Tardon 2012-05-29 00:16:18 EDT
Created attachment 587309
final patch
Comment 26 David Tardon 2012-05-29 05:51:30 EDT
Created attachment 587370
final patch
Comment 27 errata-xmlrpc 2012-06-04 21:11:13 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0705 https://rhn.redhat.com/errata/RHSA-2012-0705.html
