Bug 821803 – CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer overflow by processing invalid Escher graphics records length in the Powerpoint documents

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 821803 - (CVE-2012-2334) CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer overflow by processing invalid Escher graphics records length in the Powerpoint documents

Summary:	CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer...

Status:	CLOSED ERRATA

Aliases:	CVE-2012-2334

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20120516,repo...
Keywords:	Reopened, Security

Depends On:	822966 822967 822969 822970
Blocks:	821911
	Show dependency tree / graph

Reported:	2012-05-15 10:19 EDT by Jan Lieskovsky
Modified:	2016-01-26 07:18 EST (History)
CC List:	10 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-05-08 14:35:31 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
RHEL-5 backport (4.79 KB, patch) 2012-05-16 04:16 EDT, Caolan McNamara	no flags	Details \| Diff
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara (5.10 KB, patch) 2012-05-24 08:59 EDT, Jan Lieskovsky	no flags	Details \| Diff
final patch (5.10 KB, patch) 2012-05-29 00:16 EDT, David Tardon	no flags	Details \| Diff
final patch (5.10 KB, patch) 2012-05-29 05:51 EDT, David Tardon	no flags	Details \| Diff
Show Obsolete (3) Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:0705	normal	SHIPPED_LIVE	Important: openoffice.org security update	2012-06-04 20:56:53 EDT

Groups: None (edit)

Description Jan Lieskovsky 2012-05-15 10:19:32 EDT

An integer overflow flaw, leading to buffer overflow, was found in the way OpenOffice.org processed invalid Escher graphics records length in PowerPoint documents. An attacker could provide a specially-crafted PowerPoint document that, when opened, would cause OpenOffice.org to crash or, potentially, execute arbitrary code with the privileges of the user running OpenOffice.org.

Upstream patches:
[1] http://cgit.freedesktop.org/libreoffice/core/commit/?id=28a6558f9d3ca2dda3191f8b5b3f2378ee2533da
[2] http://cgit.freedesktop.org/libreoffice/core/commit/?id=512401decb286ba0fc3031939b8f7de8649c502e

Comment 2 Jan Lieskovsky 2012-05-15 10:25:08 EDT

This issue affects the versions of the openoffice.org package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the libreoffice package, as shipped with Fedora release of 15 and 16.

Comment 4 Jan Lieskovsky 2012-05-15 10:30:06 EDT

Acknowledgements:

Upstream acknowledges Sven Jacobi as the original reporter of this issue.

Comment 5 Jan Lieskovsky 2012-05-15 10:30:33 EDT

Preliminary embargo date, proposed by upstream, is tomorrow, Wednesday, 16-th
May 2012 at 14:00 UTC time.

Comment 8 Caolan McNamara 2012-05-16 04:16:27 EDT

Created attachment 584890 [details]
RHEL-5 backport

Comment 11 Caolan McNamara 2012-05-16 09:53:27 EDT

(In reply to comment #8)
> Created attachment 584890 [details]
> RHEL-5 backport

applies and work for RHEL-6 too

Comment 12 Jan Lieskovsky 2012-05-16 11:53:44 EDT

LibreOffice upstream advisory:
[3] http://www.libreoffice.org/advisories/cve-2012-2334/

OpenOffice.org upstream advisory:
[4] http://www.openoffice.org/security/cves/CVE-2012-2334.html

Comment 14 Jan Lieskovsky 2012-05-18 13:08:04 EDT

Statement:

(none)

Comment 22 Jan Lieskovsky 2012-05-24 08:59:44 EDT

Created attachment 586622 [details]
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara

Comment 25 David Tardon 2012-05-29 00:16:18 EDT

Created attachment 587309 [details]
final patch

Comment 26 David Tardon 2012-05-29 05:51:30 EDT

Created attachment 587370 [details]
final patch

Comment 27 errata-xmlrpc 2012-06-04 21:11:13 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0705 https://rhn.redhat.com/errata/RHSA-2012-0705.html

Note You need to log in before you can comment on or make changes to this bug.