Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 519
Alerts This Week
Warning Icon 1 519

Red Hat 7 RHSA-2015:0377-01 Moderate: LibreOffice Execution Threat

red hat
Calendar Grey March 5, 2015
Dist Redhat Esm H88
The recent Red Hat advisory categorizes updates for LibreOffice, addressing bug resolutions, performance improvements, and three security vulnerabilities impacting Linux 7 users.
Updated libreoffice packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.
It was found that LibreOffice documents executed macros unconditionally, without user approval, when these documents were opened using LibreOffice. An attacker could use this flaw to execute arbitrary code as the user running LibreOffice by embedding malicious VBA scripts in the document as macros. (CVE-2014-0247)
A flaw was found in the OLE (Object Linking and Embedding) generation in LibreOffice. An attacker could use this flaw to embed malicious OLE code in a LibreOffice document, allowing for arbitrary code execution. (CVE-2014-3575)
A use-after-free flaw was found in the "Remote Control" capabilities of the LibreOffice Impress application. An attacker could use this flaw to remotely execute code with the permissions of the user running LibreOffice Impress. (CVE-2014-3693)
The libreoffice packages have been upgraded to upstream version 4.2.6.3, which provides a number of bug fixes and enhancements over the previous version. Among others:
* Improved OpenXML interoperability.
* Additional statistic functions in Calc (for interoperability with Excel and Excel's Add-in "Analysis ToolPak").
* Various performance improvements in Calc.
* Apple Keynote and Abiword import.
* Improved MathML export.
* New Start screen with thumbnails of recently opened documents.
* Visual clue in Slide Sorter when a slide has a transition or an animation.
* Improvements for trend lines in charts.
* Support for BCP-47 language tags. (BZ#1119709)
All libreoffice users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

References

https://access.redhat.com/security/cve/CVE-2014-0247 https://access.redhat.com/security/cve/CVE-2014-3575 https://access.redhat.com/security/cve/CVE-2014-3693 https://access.redhat.com/security/updates/classification#moderate https://wiki.documentfoundation.org/ReleaseNotes/4.2

Package List

Red Hat Enterprise Linux Client (v. 7):
Source: libabw-0.0.2-1.el7.src.rpm libcmis-0.4.1-5.el7.src.rpm libetonyek-0.0.4-2.el7.src.rpm libfreehand-0.0.0-3.el7.src.rpm liblangtag-0.5.4-8.el7.src.rpm libmwaw-0.2.0-4.el7.src.rpm libodfgen-0.0.4-1.el7.src.rpm libreoffice-4.2.6.3-5.el7.src.rpm
noarch: autocorr-af-4.2.6.3-5.el7.noarch.rpm autocorr-bg-4.2.6.3-5.el7.noarch.rpm autocorr-ca-4.2.6.3-5.el7.noarch.rpm autocorr-cs-4.2.6.3-5.el7.noarch.rpm autocorr-da-4.2.6.3-5.el7.noarch.rpm autocorr-de-4.2.6.3-5.el7.noarch.rpm autocorr-en-4.2.6.3-5.el7.noarch.rpm autocorr-es-4.2.6.3-5.el7.noarch.rpm autocorr-fa-4.2.6.3-5.el7.noarch.rpm autocorr-fi-4.2.6.3-5.el7.noarch.rpm autocorr-fr-4.2.6.3-5.el7.noarch.rpm autocorr-ga-4.2.6.3-5.el7.noarch.rpm autocorr-hr-4.2.6.3-5.el7.noarch.rpm autocorr-hu-4.2.6.3-5.el7.noarch.rpm autocorr-is-4.2.6.3-5.el7.noarch.rpm autocorr-it-4.2.6.3-5.el7.noarch.rpm autocorr-ja-4.2.6.3-5.el7.noarch.rpm autocorr-ko-4.2.6.3-5.el7.noarch.rpm autocorr-lb-4.2.6.3-5.el7.noarch.rpm autocorr-lt-4.2.6.3-5.el7.noarch.rpm autocorr-mn-4.2.6.3-5.el7.noarch.rpm autocorr-nl-4.2.6.3-5.el7.noarch.rpm autocorr-pl-4.2.6.3-5.el7.noarch.rpm autocorr-pt-4.2.6.3-5.el7.noarch.rpm autocorr-ro-4.2.6.3-5.el7.noarch.rpm autocorr-ru-4.2.6.3-5.el7.noarch.rpm

Read the Full Advisory


Advisory ID: RHSA-2015:0377-01
Product: Red Hat Enterprise Linux
Issue date: 2015-03-05

Topic

Updated libreoffice packages that fix three security issues, several bugs,and add various enhancements are now available for Red Hat EnterpriseLinux 7.Red Hat Product Security has rated this update as having Moderate securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

Bugs Fixed

1065807 - [fix available] Usability - libreoffice does not search XDG defined "Templates" directory

1096295 - [fix available] Highlighting the currently selected slide vs the currently viewed slide is hard in impress

1111083 - CVE-2014-0247 libreoffice: VBA macros executed unconditionally

1111216 - [fix available] LibreOffice Calc: PDF export of an empty document fails with Write Error

1117853 - [fix available] impress killed by SIGABRT on paste into outline view at a position where the slide has no title object

1119709 - Rebase to latest stable LibreOffice 4.2.X in RHEL-7.1

1132065 - rebase libcmis to 0.4.1

1132069 - rebase mdds to 0.10.3

1132070 - rebase libmwaw to 0.2.0

1132072 - rebase libodfgen to 0.0.4

1132077 - rebase liblangtag to 0.5.4

1138882 - CVE-2014-3575 openoffice: Arbitrary file disclosure via crafted OLE objects

1164733 - CVE-2014-3693 libreoffice: Use-After-Free in socket manager of Impress Remote

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.