Bug 821803 (CVE-2012-2334) - CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer overflow by processing invalid Escher graphics records length in the Powerpoint documents
Summary: CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer...
Status: CLOSED ERRATA
Alias: CVE-2012-2334
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20120516,repo...
Keywords: Reopened, Security
Depends On: 822966 822967 822969 822970
Blocks: 821911
Reported: 2012-05-15 14:19 UTC by Jan Lieskovsky
Modified: 2019-06-08 19:07 UTC (History)
Clone Of:
Last Closed: 2013-05-08 18:35:31 UTC


Attachments
RHEL-5 backport (4.79 KB, patch), 2012-05-16 08:16 UTC, Caolan McNamara
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara (5.10 KB, patch), 2012-05-24 12:59 UTC, Jan Lieskovsky
final patch (5.10 KB, patch), 2012-05-29 04:16 UTC, David Tardon
final patch (5.10 KB, patch), 2012-05-29 09:51 UTC, David Tardon


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0705 normal SHIPPED_LIVE Important: openoffice.org security update 2012-06-05 00:56:53 UTC

Description Jan Lieskovsky 2012-05-15 14:19:32 UTC
An integer overflow flaw, leading to buffer overflow, was found in the way OpenOffice.org processed invalid Escher graphics records length in PowerPoint documents. An attacker could provide a specially-crafted PowerPoint document that, when opened, would cause OpenOffice.org to crash or, potentially, execute arbitrary code with the privileges of the user running OpenOffice.org.

Upstream patches:
[1] http://cgit.freedesktop.org/libreoffice/core/commit/?id=28a6558f9d3ca2dda3191f8b5b3f2378ee2533da
[2] http://cgit.freedesktop.org/libreoffice/core/commit/?id=512401decb286ba0fc3031939b8f7de8649c502e
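Added example, not part of the bug report or of the upstream patches: a C sketch of the bug class named in the description, where a 32-bit record length taken from the file wraps a bounds check, shown beside an overflow-safe check. The 8-byte record header layout (version/instance, type, 32-bit length, little-endian), all function names and both sample buffers are assumptions constructed for illustration; this is not the OpenOffice.org code.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 8u  /* ver/instance (2) + type (2) + length (4), little-endian */

/* Constructed sample: one record whose declared length (4) matches its payload. */
const uint8_t sample_ok[12]  = {0x00,0x00,0x0D,0xF0, 0x04,0x00,0x00,0x00, 1,2,3,4};
/* Constructed sample: same record with declared length 0xFFFFFFF8. */
const uint8_t sample_bad[12] = {0x00,0x00,0x0D,0xF0, 0xF8,0xFF,0xFF,0xFF, 1,2,3,4};

uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed pattern: pos + 8 + rec_len is computed in 32 bits and can wrap to a
   small value, so an oversized record passes the check. */
int fits_wrapping(uint32_t pos, uint32_t rec_len, uint32_t size) {
    return pos + HDR_LEN + rec_len <= size;
}

/* Hardened pattern: compare the length with the bytes that remain; only
   subtractions already known not to underflow are performed. */
int fits_checked(uint32_t pos, uint32_t rec_len, uint32_t size) {
    if (pos > size || size - pos < HDR_LEN) return 0;
    return rec_len <= size - pos - HDR_LEN;
}

/* Walk sibling records without descending into containers. Returns the number
   of records, or -1 when a header or declared length overruns the buffer. */
int escher_walk(const uint8_t *buf, uint32_t size) {
    uint32_t pos = 0;
    int count = 0;
    while (pos < size) {
        if (size - pos < HDR_LEN) return -1;
        uint32_t rec_len = rd32(buf + pos + 4);
        if (!fits_checked(pos, rec_len, size)) return -1;
        pos += HDR_LEN + rec_len;  /* cannot wrap: bounded by size */
        count++;
    }
    return count;
}

int main(void) {
    printf("wrapping check accepts bad length: %d\n", fits_wrapping(0, rd32(sample_bad + 4), 12));
    printf("walk ok=%d bad=%d\n", escher_walk(sample_ok, 12), escher_walk(sample_bad, 12));
    return 0;
}
```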

Comment 2 Jan Lieskovsky 2012-05-15 14:25:08 UTC
This issue affects the versions of the openoffice.org package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the libreoffice package, as shipped with Fedora releases 15 and 16.

Comment 4 Jan Lieskovsky 2012-05-15 14:30:06 UTC
Acknowledgements:

Upstream acknowledges Sven Jacobi as the original reporter of this issue.

Comment 5 Jan Lieskovsky 2012-05-15 14:30:33 UTC
Preliminary embargo date, proposed by upstream, is tomorrow, Wednesday, 16th
May 2012 at 14:00 UTC.

Comment 8 Caolan McNamara 2012-05-16 08:16:27 UTC
Created attachment 584890 [details]
RHEL-5 backport

Comment 11 Caolan McNamara 2012-05-16 13:53:27 UTC
(In reply to comment #8)
> Created attachment 584890 [details]
> RHEL-5 backport

applies and works for RHEL-6 too

Comment 12 Jan Lieskovsky 2012-05-16 15:53:44 UTC
LibreOffice upstream advisory:
[3] http://www.libreoffice.org/advisories/cve-2012-2334/

OpenOffice.org upstream advisory:
[4] http://www.openoffice.org/security/cves/CVE-2012-2334.html

Comment 14 Jan Lieskovsky 2012-05-18 17:08:04 UTC
Statement:

(none)

Comment 22 Jan Lieskovsky 2012-05-24 12:59:44 UTC
Created attachment 586622 [details]
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara

Comment 25 David Tardon 2012-05-29 04:16:18 UTC
Created attachment 587309 [details]
final patch

Comment 26 David Tardon 2012-05-29 09:51:30 UTC
Created attachment 587370 [details]
final patch

Comment 27 errata-xmlrpc 2012-06-05 01:11:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0705 https://rhn.redhat.com/errata/RHSA-2012-0705.html

