Bug 821803 (CVE-2012-2334) - CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer overflow by processing invalid Escher graphics records length in the Powerpoint documents
Summary: CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2334
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 822966 822967 822969 822970
Blocks: 821911
TreeView+ depends on / blocked
 
Reported: 2012-05-15 14:19 UTC by Jan Lieskovsky
Modified: 2023-05-12 18:53 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-08 18:35:31 UTC
Embargoed:

Attachments (Terms of Use)
RHEL-5 backport (4.79 KB, patch)
2012-05-16 08:16 UTC, Caolan McNamara 		no flags Details | Diff
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara (5.10 KB, patch)
2012-05-24 12:59 UTC, Jan Lieskovsky 		no flags Details | Diff
final patch (5.10 KB, patch)
2012-05-29 04:16 UTC, David Tardon 		no flags Details | Diff
final patch (5.10 KB, patch)
2012-05-29 09:51 UTC, David Tardon 		no flags Details | Diff
Show Obsolete (3) View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0705 0 normal SHIPPED_LIVE Important: openoffice.org security update 2012-06-05 00:56:53 UTC

Description Jan Lieskovsky 2012-05-15 14:19:32 UTC 
An integer overflow flaw, leading to buffer overflow, was found in the way OpenOffice.org processed invalid Escher graphics records length in PowerPoint documents. An attacker could provide a specially-crafted PowerPoint document that, when opened, would cause OpenOffice.org to crash or, potentially, execute arbitrary code with the privileges of the user running OpenOffice.org.

Upstream patches:
[1] http://cgit.freedesktop.org/libreoffice/core/commit/?id=28a6558f9d3ca2dda3191f8b5b3f2378ee2533da
[2] http://cgit.freedesktop.org/libreoffice/core/commit/?id=512401decb286ba0fc3031939b8f7de8649c502e
Comment 2 Jan Lieskovsky 2012-05-15 14:25:08 UTC 
This issue affects the versions of the openoffice.org package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the libreoffice package, as shipped with Fedora release of 15 and 16.
Comment 4 Jan Lieskovsky 2012-05-15 14:30:06 UTC 
Acknowledgements:

Upstream acknowledges Sven Jacobi as the original reporter of this issue.
Comment 5 Jan Lieskovsky 2012-05-15 14:30:33 UTC 
Preliminary embargo date, proposed by upstream, is tomorrow, Wednesday, 16-th
May 2012 at 14:00 UTC time.
Comment 8 Caolan McNamara 2012-05-16 08:16:27 UTC 
Created attachment 584890 [details]
RHEL-5 backport
Comment 11 Caolan McNamara 2012-05-16 13:53:27 UTC 
(In reply to comment #8)
> Created attachment 584890 [details]
> RHEL-5 backport

applies and work for RHEL-6 too
Comment 12 Jan Lieskovsky 2012-05-16 15:53:44 UTC 
LibreOffice upstream advisory:
[3] http://www.libreoffice.org/advisories/cve-2012-2334/

OpenOffice.org upstream advisory:
[4] http://www.openoffice.org/security/cves/CVE-2012-2334.html
Comment 14 Jan Lieskovsky 2012-05-18 17:08:04 UTC 
Statement:

(none)
Comment 22 Jan Lieskovsky 2012-05-24 12:59:44 UTC 
Created attachment 586622 [details]
Updated RHEL-5 CVE-2012-2334 patch proposal from Caolan McNamara
Comment 25 David Tardon 2012-05-29 04:16:18 UTC 
Created attachment 587309 [details]
final patch
Comment 26 David Tardon 2012-05-29 09:51:30 UTC 
Created attachment 587370 [details]
final patch
Comment 27 errata-xmlrpc 2012-06-05 01:11:13 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0705 https://rhn.redhat.com/errata/RHSA-2012-0705.html
Note You need to log in before you can comment on or make changes to this bug.