Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201209-05 ] LibreOffice: Multiple vulnerabilities
Date: Mon, 24 Sep 2012 11:02:26
Message-Id: 50603BF3.2050304@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201209-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: LibreOffice: Multiple vulnerabilities
9 Date: September 24, 2012
10 Bugs: #386081, #409455, #416457, #429482
11 ID: 201209-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in LibreOffice, allowing
19 remote attackers to execute arbitrary code or cause a Denial of
20 Service.
21
22 Background
23 ==========
24
25 LibreOffice is a full office productivity suite.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 app-office/libreoffice < 3.5.5.3 >= 3.5.5.3
34 2 app-office/libreoffice-bin
35 < 3.5.5.3 >= 3.5.5.3
36 -------------------------------------------------------------------
37 2 affected packages
38
39 Description
40 ===========
41
42 Multiple vulnerabilities have been found in LibreOffice:
43
44 * The Microsoft Word Document parser contains an out-of-bounds read
45 error (CVE-2011-2713).
46 * The Raptor RDF parser contains an XML External Entity expansion error
47 (CVE-2012-0037).
48 * The graphic loading parser contains an integer overflow error which
49 could cause a heap-based buffer overflow (CVE-2012-1149).
50 * Multiple errors in the XML manifest handling code could cause a
51 heap-based buffer overflow (CVE-2012-2665).
52
53 Impact
54 ======
55
56 A remote attacker could entice a user to open a specially crafted
57 document file using LibreOffice, possibly resulting in execution of
58 arbitrary code with the privileges of the process or a Denial of
59 Service condition.
60
61 Workaround
62 ==========
63
64 There is no known workaround at this time.
65
66 Resolution
67 ==========
68
69 All LibreOffice users should upgrade to the latest version:
70
71 # emerge --sync
72 # emerge --ask --oneshot --verbose ">=app-office/libreoffice-3.5.5.3"
73
74 All users of the LibreOffice binary package should upgrade to the
75 latest version:
76
77 # emerge --sync
78 # emerge --ask --oneshot -v ">=app-office/libreoffice-bin-3.5.5.3"
79
80 References
81 ==========
82
83 [ 1 ] CVE-2011-2713
84 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2713
85 [ 2 ] CVE-2012-0037
86 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0037
87 [ 3 ] CVE-2012-1149
88 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1149
89 [ 4 ] CVE-2012-2665
90 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2665
91
92 Availability
93 ============
94
95 This GLSA and any updates to it are available for viewing at
96 the Gentoo Security Website:
97
98 http://security.gentoo.org/glsa/glsa-201209-05.xml
99
100 Concerns?
101 =========
102
103 Security is a primary focus of Gentoo Linux and ensuring the
104 confidentiality and security of our users' machines is of utmost
105 importance to us. Any security concerns should be addressed to
106 security@g.o or alternatively, you may file a bug at
107 https://bugs.gentoo.org.
108
109 License
110 =======
111
112 Copyright 2012 Gentoo Foundation, Inc; referenced text
113 belongs to its owner(s).
114
115 The contents of this document are licensed under the
116 Creative Commons - Attribution / Share Alike license.
117
118 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature