Gentoo: GLSA-201408-19: OpenOffice, LibreOffice: Multiple vulnerabilities

    Date: 31 Aug 2014
    Category: Gentoo
    Posted By: LinuxSecurity Advisories
    Multiple vulnerabilities have been found in OpenOffice and LibreOffice, the worst of which may result in execution of arbitrary code.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory                           GLSA 201408-19
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
     Severity: Normal
        Title: OpenOffice, LibreOffice: Multiple vulnerabilities
         Date: August 31, 2014
         Bugs: #283370, #305195, #320491, #332321, #352864, #386081,
               #409509, #429482, #514886
           ID: 201408-19
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    Synopsis
    ========
    
    Multiple vulnerabilities have been found in OpenOffice and LibreOffice,
    the worst of which may result in execution of arbitrary code.
    
    Background
    ==========
    
    OpenOffice is the open source version of StarOffice, a full office
    productivity suite. LibreOffice is a fork of OpenOffice.
    
    Affected packages
    =================
    
        -------------------------------------------------------------------
         Package              /     Vulnerable     /            Unaffected
        -------------------------------------------------------------------
      1  app-office/openoffice-bin
                                     < 3.5.5.3                 >= 3.5.5.3
      2  app-office/openoffice       <= 3.5.5.3                Vulnerable!
      3  app-office/libreoffice      < 4.2.5.2                 >= 4.2.5.2
      4  app-office/libreoffice-bin
                                     < 4.2.5.2                 >= 4.2.5.2
        -------------------------------------------------------------------
         NOTE: Certain packages are still vulnerable. Users should migrate
               to another package if one is available or wait for the
               existing packages to be marked stable by their
               architecture maintainers.
        -------------------------------------------------------------------
         4 affected packages
    
    Description
    ===========
    
    Multiple vulnerabilities have been discovered in OpenOffice and
    LibreOffice. Please review the CVE identifiers referenced below for
    details.
    
    Impact
    ======
    
    A remote attacker could entice a user to open a specially crafted file
    using OpenOffice, possibly resulting in execution of arbitrary code
    with the privileges of the process, a Denial of Service condition,
    execution of arbitrary Python code, authentication bypass, or reading
    and writing of arbitrary files.
    
    Workaround
    ==========
    
    There is no known workaround at this time.
    
    Resolution
    ==========
    
    All OpenOffice (binary) users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot -v ">=app-office/openoffice-bin-3.5.5.3"
    
    All LibreOffice users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=app-office/libreoffice-4.2.5.2"
    
    All LibreOffice (binary) users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot -v ">=app-office/libreoffice-bin-4.2.5.2"
    
    We recommend that users unmerge OpenOffice:
    
      # emerge --unmerge "app-office/openoffice"
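
    The version thresholds from the Affected packages table, expressed as a triage check. This is an added example, not part of the original advisory or of Gentoo's tooling; the function names and the "package version" input format are assumptions, and only plain dotted-numeric versions are handled.

```shell
#!/bin/sh
# Added example (not part of GLSA 201408-19): classify installed versions
# against the advisory's "Affected packages" table.
# Assumption: versions are plain dotted numbers (no -rN or _rc suffixes),
# so GNU `sort -V` ordering agrees with Portage ordering for them.

# ver_lt A B: succeeds when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# glsa_201408_19_status PACKAGE VERSION
# Prints: vulnerable, unaffected, vulnerable-no-fix or not-listed.
glsa_201408_19_status() {
    pkg=$1 ver=$2
    case $pkg in
        app-office/openoffice-bin) fixed=3.5.5.3 ;;
        app-office/libreoffice|app-office/libreoffice-bin) fixed=4.2.5.2 ;;
        app-office/openoffice)
            # The table lists no unaffected version for the source package;
            # the advisory recommends unmerging it.
            echo vulnerable-no-fix; return 0 ;;
        *) echo not-listed; return 0 ;;
    esac
    if ver_lt "$ver" "$fixed"; then echo vulnerable; else echo unaffected; fi
}

# Read "package version" pairs on stdin, print one status line each, and
# return non-zero if any listed package still needs action.
glsa_201408_19_triage() {
    rc=0
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        st=$(glsa_201408_19_status "$pkg" "$ver")
        printf '%-28s %-10s %s\n' "$pkg" "$ver" "$st"
        case $st in vulnerable*) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample inventory (not taken from a real host).
glsa_201408_19_triage <<'EOF' || echo "action required: see Resolution"
app-office/libreoffice 4.2.4.2
app-office/libreoffice-bin 4.2.5.2
app-office/openoffice-bin 3.4.1
app-office/openoffice 3.5.5.3
EOF
```

    On a Gentoo host, `glsa-check -t 201408-19` remains the authoritative test, since it uses Portage's own version comparison.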
    
    References
    ==========
    
    [  1 ] CVE-2006-4339
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4339
    [  2 ] CVE-2009-0200
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0200
    [  3 ] CVE-2009-0201
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0201
    [  4 ] CVE-2009-0217
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0217
    [  5 ] CVE-2009-2949
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2949
    [  6 ] CVE-2009-2950
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2950
    [  7 ] CVE-2009-3301
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3301
    [  8 ] CVE-2009-3302
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3302
    [  9 ] CVE-2010-0395
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0395
    [ 10 ] CVE-2010-2935
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2935
    [ 11 ] CVE-2010-2936
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2936
    [ 12 ] CVE-2010-3450
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3450
    [ 13 ] CVE-2010-3451
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3451
    [ 14 ] CVE-2010-3452
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3452
    [ 15 ] CVE-2010-3453
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3453
    [ 16 ] CVE-2010-3454
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3454
    [ 17 ] CVE-2010-3689
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3689
    [ 18 ] CVE-2010-4253
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4253
    [ 19 ] CVE-2010-4643
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4643
    [ 20 ] CVE-2011-2713
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2713
    [ 21 ] CVE-2012-0037
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0037
    [ 22 ] CVE-2012-1149
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1149
    [ 23 ] CVE-2012-2149
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2149
    [ 24 ] CVE-2012-2334
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2334
    [ 25 ] CVE-2012-2665
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2665
    [ 26 ] CVE-2014-0247
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0247
    
    Availability
    ============
    
    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:
    
     http://security.gentoo.org/glsa/glsa-201408-19.xml
    
    Concerns?
    =========
    
    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    [email address obscured] or alternatively, you may file a bug at
    https://bugs.gentoo.org.
    
    License
    =======
    
    Copyright 2014 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).
    
    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.
    
    http://creativecommons.org/licenses/by-sa/2.5
    
    