Bug 1507805 (CVE-2017-12607) - CVE-2017-12607 libreoffice: Out-of-bounds write in the PPTStyleSheet::PPTStyleSheet functionality
Summary: CVE-2017-12607 libreoffice: Out-of-bounds write in the PPTStyleSheet::PPTStyl...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-12607
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1507808
Blocks: 1507560
TreeView+ depends on / blocked
 
Reported: 2017-10-31 08:20 UTC by Andrej Nemec
Modified: 2021-02-17 01:18 UTC (History)
6 users (show)

Fixed In Version: libreoffice 5.0.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-31 09:23:45 UTC
Embargoed:


Attachments (Terms of Use)

Description Andrej Nemec 2017-10-31 08:20:30 UTC
An exploitable out of bound write vulnerability exists in the PPTStyleSheet::PPTStyleSheet functionality of Apache OpenOffice. A specially crafted PPT file can cause an out of bound write resulting in arbitrary code execution. An attacker can send/provide a malicious PPT file to trigger this vulnerability.

External References:

https://www.talosintelligence.com/reports/TALOS-2017-0300
https://www.openoffice.org/security/cves/CVE-2017-12607.html
https://www.libreoffice.org/about-us/security/advisories/CVE-2017-12607

Comment 1 Andrej Nemec 2017-10-31 08:23:06 UTC
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1507808]

Comment 2 David Tardon 2017-10-31 08:52:23 UTC
At a glance, this should be addressed by https://gerrit.libreoffice.org/gitweb?p=core.git;a=commitdiff_plain;h=6c401a7bdc4e0f5340203b9885e368cb96986aa1 . Is it possible to get a reproducer?

Comment 3 David Tardon 2017-10-31 09:08:24 UTC
The actual commit fixing this is https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1 -> no current Fedora is vulnerable.

Comment 4 Huzaifa S. Sidhpurwala 2017-10-31 09:23:45 UTC
As per LibreOffice upstream advisory mentioned in comment 0, this issue is fixed in version 5.0.2, hence only the version shipped with Red Hat Enterprise Linux 6 is vulnerable.


Note You need to log in before you can comment on or make changes to this bug.