LibreOffice before 4.3.5 allows remote attackers to cause a denial of service (invalid write operation and crash) and possibly execute arbitrary code via a crafted RTF file.

The remote host is affected by the vulnerability described in GLSA-201603-05 (LibreOffice, OpenOffice: Multiple vulnerabilities)

    Multiple vulnerabilities were found in both LibreOffice and OpenOffice       that allow the remote execution of arbitrary code and potential Denial of       Service.  These vulnerabilities may be exploited through multiple vectors       including crafted documents, link handling, printer setup in ODF document       types, DOC file formats, and Calc spreadsheets.  Please review the       referenced CVE&rsquo;s for specific information regarding each.
  Impact :

    A remote attacker could entice a user to open a specially crafted file       using the LibreOffice or OpenOffice suite of software.  Execution of       these attacks could possibly result in the execution of arbitrary code       with the privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known work around at this time.

This update for LibreOffice and some library dependencies (cmis-client, libetonyek, libmwaw, libodfgen, libpagemaker, libreoffice-share-linker, mdds, libwps) fixes the following issues :

Changes in libreoffice :

  - Provide l10n-pt from pt-PT

  - boo#945047 - LO-L3: LO is duplicating master pages,     extended fix

  - boo#951579 - LO-L3: [LibreOffice] Calc 5.0 fails to open     ods files

  - deleted RPATH prevented loading of bundled 3rd party RDF     handler libs

  - Version update to 5.0.4.2 :

  - Final of the 5.0.4 series

  - boo#945047 - LO-L3: LO is duplicating master pages

  - Version update to 5.0.4.1 :

  - rc1 of 5.0.4 with various regression fixes

  - boo#954345 - LO-L3: Insert-->Image-->Insert as Link     hangs writer

  - Version update to 5.0.3.2 :

  - Final tag of 5.0.3 release

  - Fix boo#939996 - LO-L3: Some bits from DOCX file are not     imported

  - Fix boo#889755 - LO-L3: PPTX: chart axis number format     incorrect

  - boo#679938 - LO-L3: saving to doc file the chapter name     in the header does not change with chapters

  - Version update to 5.0.3RC1 as it should fix i586 test     failure

  - Update text2number extension to 1.5.0

  - obsolete libreoffice-mono

  - pentaho-flow-reporting require is conditional on     system_libs

  - Update icon theme dependencies

  - https://lists.debian.org/debian-openoffice/2015/09/msg00343.html

  - Version bump to 5.0.2 final fate#318856 fate#319071     boo#943075 boo#945692 :

  - Small tweaks compared to rc1

  - For sake of completion this release also contains     security fixes for boo#910806 CVE-2014-8147, boo#907636     CVE-2014-9093, boo#934423 CVE-2015-4551, boo#910805     CVE-2014-8146, boo#940838 CVE-2015-5214, boo#936190     CVE-2015-5213, boo#936188 CVE-2015-5212, boo#934423     CVE-2015-45513, boo#934423 CVE-2015-4551, boo#910805     CVE-2014-8146, boo#940838 CVE-2015-5214, boo#936190     CVE-2015-5213, boo#936188 CVE-2015-5212, boo#934423     CVE-2015-45513, boo#934423 CVE-2015-4551, boo#910805     CVE-2014-8146, boo#940838 CVE-2015-5214, boo#936190     CVE-2015-5213, boo#936188 CVE-2015-5212, boo#934423     CVE-2015-4551

  - Use gcc48 to build on sle11sp4

  - Make debuginfo's smaller on IBS.

  - Fix chrpath call after the libs got -lo suffixing

  - Add patch to fix qt4 features detection :

  - kde4filepicker.patch

  - Split out gtk3 UI to separate subpkg that requires gnome     subpkg

  - This is to allow people to test gtk3 while it not being     default

  - Version update to 5.0.2 rc1 :

  - Various small tweaks and integration of our SLE11     patchsets

  - Update constraints to 30 GB on disk

  - Version bump to 5.0.1 rc2 :

  - breeze icons extension

  - Credits update

  - Various small fixes

  - Version bump to 5.0.1 rc1 :

  - Various small fixes

  - Has some commits around screen rendering -> could fix     kde bugs

  - Kill branding-openSUSE, stick to TDF branding.

  - Version bump to 5.0 rc5 :

  - Bunch of final touchups here and there

  - Remove some upstreamed patches :

  - old-cairo.patch

  - Add explicit requires over libmysqlclient_r18, should     cover boo#829430

  - Add patch to build with old cairo (sle11).

  - Version bump to 5.0 rc3 :

  - Various more fixes closing on the 5.0 release

  - Update to 5.0 rc2 :

  - Few small fixes and updates in internal libraries

  - Version bump to 5.0 rc1, remove obsolete patches :

  -     0001-Fix-could-not-convert-.-const-char-to-const-rtl-OUS     t.patch

  - 0001-writerperfect-fix-gcc-4.7-build.patch

  - More chrpat love for sle11

  - Add python-importlib to build/requirements on py2     distros

  - Provide/obsolete crystal icons so they are purged and     not left over

  - Fix breeze icons handling, drop crystal icons.

  - Version bump to 5.0.0.beta3 :

  - Drop merged patch     0001-Make-cpp-poppler-version.h-header-optional.patch

  - Update some internal tarballs so we keep building

  - based on these bumps update the buildrequires too

  - Generate python cache files wrt boo#929793

  - Update %post scriptlets to work on sle11 again

  - Split out the share -> lib linker to hopefully allow     sle11 build

  - One more fix for help handling boo#915996

  - Version bump to 4.4.3 release :

  - Various small fixes all around

  - Disable verbose build to pass check on maximal size of     log

  - We need pre/post for libreoffice in langpkgs

  - Use old java for detection and old commons-lang/codec to     pass brp check on java from sle11

  - 0001-Make-HAVE_JAVA6-be-always-false.patch

  - Revert last changeset, it is caused by something else     this time :

  - 0001-Set-source-and-target-params-for-java.patch

  - Set source/target for javac when building to work on     SLE11 :

  - 0001-Set-source-and-target-params-for-java.patch

  - Try to deal with rpath on bundled libs

  - Fix python3_sitelib not being around for py2

  - Add internal make for too old system

  - One more stab on poppler switch :

  - 0001-Make-cpp-poppler-version.h-header-optional.patch

  - Update the old-poppler patch to work correctly :

  - 0001-Make-cpp-poppler-version.h-header-optional.patch

  - Sort out more external tarballs for the no-system-libs     approach

  - Add basic external tarballs needed for     without-system-libraries

  - Add patch to check for poppler more nicely to work on     older distros :

  - 0001-Make-cpp-poppler-version.h-header-optional.patch

  - Try to pass configure without system libs

  - Allow switch between py2 and py3

  - Move external dependencies in conditional thus allow     build on SLE11

  - Add conditional for noarch subpackages

  - Add switch in configure to detect more of     internal/external stuff

  - Add conditional for appdatastore thing and redo it to     impact the spec less

  - Add systemlibs switch to be used in attempt to build     sle11 build

  - Silence more scarry messages by boo#900186

  - Fixes autocorr symlinking

  - Cleans UNO cache in more pretty way

  - Clean up the uno cache removal to not display scarry     message boo#900186

  - Remove patch to look for help in /usr/share, we symlink     it back to lib, so there is no actual need to search for     it directly, migth fix boo#915996 :

  - officecfg-help-in-usr-share.diff

  - --disable-collada

  - reportedly it does not work in LibreOffice 4.4

  - added version numbers to some BuildRequires lines

  - Require flow engine too on base

  - Fix build on SLE12 and 13.1 by adding conditional for     appdata install

  - Fixup the installed appdata.xml files: they reference a     .desktop file that are not installed by libreoffice     (boo#926375).

  - Version bump to 4.4.2 :

  - 2nd bugfix update for the 4.4 series

  - BuildRequires: libodfgen-devel >= 0.1

  - added version numbers to some BuildRequires lines

  - build does not require python3-lxml

  - build requires librevenge-devel >= 0.0.1

  - vlc media backend is broken, don't use it. Only     gstreamer should be used.

  - Install the .appdata.xml files shipped by upstream:
    allow LO to be shown in AppStream based software     centers.

  - Move pretrans to pre

  - Version bump to 4.4.1 first bugfix release of the series

  - Reduce bit the compilation preparations as we prepped     most of the things by _constraints and it is no longer     needed

  - %pre is not enough the script needs to be rewritten in     lua

  - Move removal of obsolete dirs from %pretrans to %pre     boo#916181

  - Version bump to 4.4.0 final :

  - First in the 4.4 series

  - First release to have the new UI elements without old     hardcoded sizes

  - Various improvements all around.

  - Version bump to 4.4.0rc2 :

  - Various bugfixes, just bumping to see if we still build     fine.

  - That verbose switch for configure was really really bad     idea

  - generic images.zip for galaxy icons seem gone so remove

  - Do not supplement kde3 stuff, it is way beyond obsolete

  - Remove vlc conditional

  - korea.xcd is no more so remove

  - Really use mergelib

  - Disable telepathy, it really is experimental like hell

  - Version bump to 4.4.0rc1 :

  - New 4.4 branch release with additional features

  - Enable collada :

  - New bundled collada2gltf tarball:
    4b87018f7fff1d054939d19920b751a0-collada2gltf-master-cb1     d97788a.tar.bz2

  - Remove errorous self-obsolete in lang pkgs.

  - Version bump to 4.3.3.2 :

  - Various bugfixes from maintenance branch to copy     openSUSE.

  - Also contains fix for boo#900214 and boo#900218     CVE-2014-3693

  - fix regression in bullets (boo#897903).

  - Add masterpage_style_parent.odp as new file for     regression test for bullets. Changes in cmis-client :

  - Update to version 0.5.0

  + Completely removed the dependency on InMemory server for     unit tests

  + Minimized the number of HTTP requests sent by     SessionFactory::createSession

  + Added Session::getBaseTypes()

  - Bump soname to 0_5-5

  - Bump incname to 0.5

Changes in libetonyek :

  - Version bump to 0.1.3 :

  - Various small fixes

  - More imported now imported

  - Now use mdds to help with some hashing

  - Version bump to 0.1.2 :

  - Initial support for pages and numbers

  - Ditch libetonyek-0.1.1-constants.patch as we do not     require us to build for older boost

Changes in libmwaw :

  - Version bump to 0.3.6 :

  - Added a minimal parser for ApplePict v1.v2, ie. no     clipping, does not take in account the copy mode:
    srcCopy, srcOr, ...

  - Extended the --with-docs configure option to allow to     build doc only for the API classes:
    --with-docs=no|api|full .

  - Added a parser for MacDraft v4-v5 documents.

  - RagTime v5-v6 parser: try to retrieve the main layouts     and the picture/shape/textbox, ie. now, it generates     result but it is still very imcomplete... 

  - MWAW(Graphic,Presentation,Text)Listener: corrected a     problem in openGroup which may create to incorrect     document.

  - Created an MWAWEmbeddedObject class to store a picture     with various representations.

  - MWAW*Listener: renamed insertPicture to insertShape,     added a function to insert a texbox in a     MWAWGraphicShape (which only insert a basic textbox).

  - Fixed many crashes and hangs when importing broken     files, found with the help of american-fuzzy-lop.

  - And several other minor fixes and improvements.

  - Version bump to 0.3.5

  - Various small fixes on 0.3 series, nothing big woth     mention

Changes in libodfgen :

  - Version bump to 0.1.4 :

  - drawing interface: do no forget to call     startDocument/endDocument when writing in the manifest

  - metadata: added handler for 'template' metadata, unknown     metadata are written in a meta:user-defined elements,

  - defineSheetNumberingStyle: can now define styles for the     whole document (and not only for the actual sheet)

  - update doxygen configuration file + add a make astyle     command

  - Allow writing meta:creation-date metadata element for     drawings and presentations too.

  - Improve handling of headings. Most importantly, write     valid ODF.

  - Write meta:generator metadata element.

  - Add initial support for embedded fonts. It is currently     limited to Flat ODF output.

  - Upgrade to version 0.1.2

  - Use text:h element for headings. Any paragraph with     text:outline-level property is recognized as a heading.

  - Handle layers.

  - Improve handling of styles. Particularly, do not emit     duplicate styles.

  - Slightly improve documentation.

  - Handle master pages.

  - Do not expect that integer properties are always in     inches.

  - Fix misspelled style:paragraph-properties element in     presentation notes.

  - Only export public symbols on Linux.

  - Fix bogus XML-escaping of metadata values.

  - And many other improvements and fixes.

Changes in libpagemaker :

  - Initial package based on upstream libpagemaker 0.0.2

Changes in libreoffice-share-linker :

  - Initial commit, split out from main libreoffice package     to workaround issues on SLE11 build Changes in mdds :

  - Update to version 0.12.1 :

  - Various small fixes on 0.12 series

  - Just move define up and comment why we redefine docdir

  - more types are possible in segment_tree data structures     (previously only pointers were possible)

  - added sorted_string_map

  - multi_type_vector bugfixes Changes in libwps :

  - Update to version 0.4.1 :

  + QuattroPro: correct a mistake when reading negative     cell's position.

  + Fix some Windows build problems.

  + Fix more than 10 hangs when reading damaged files, found     with the help of american-fuzzy-lop.

  + Performance: improve the sheet's output generation.

  + add support for unknown encoding files (ie. DOS file)

  + add potential support for converting Lotus, ...
    documents,

  + accept to convert all Lotus Wk1 files and Symphony Wk1     files,

  + add support for Lotus Wk3 and Wk4 documents,

  + add support for Quattro Pro Wq1 and Wq2 documents,

  + only in debug mode, add pre-support for Lotus Wk5...,     must allow to retrieve the main sheets content's with no     formatting,

  + add potential support for asking the document's password     ( but do nothing )

  + correct some compiler warnings when compiling in debug     mode.

  + Fix parsing of floating-point numbers in specific cases.

  + Fix several minor issues reported by Coverity and Clang.

  + Check arguments of public functions. Passing NULL no     longer causes a crash.

  + Use symbol visibility on Linux. The library only exports     the public functions now.

  + Import @TERM and @CTERM functions (fdo#86241).

  + Handle LICS character encoding in spreadsheets     (fdo#87222).

  + Fix a crash when reading a broken file, found with the     help of american-fuzzy-lop.

This update brings LibreOffice to version 5.0.4, a major version update.

It brings lots of new features, bug fixes and also security fixes.

Features as seen on http://www.libreoffice.org/discover/new-features/

  - LibreOffice 5.0 ships an impressive number of new     features for its spreadsheet module, Calc: complex     formulae image cropping, new functions, more powerful     conditional formatting, table addressing and much more.
    Calc's blend of performance and features makes it an     enterprise-ready, heavy duty spreadsheet application     capable of handling all kinds of workload for an     impressive range of use cases

  - New icons, major improvements to menus and sidebar : no     other LibreOffice version has looked that good and     helped you be creative and get things done the right     way. In addition, style management is now more intuitive     thanks to the visualization of styles right in the     interface.

  - LibreOffice 5 ships with numerous improvements to     document import and export filters for MS Office, PDF,     RTF, and more. You can now timestamp PDF documents     generated with LibreOffice and enjoy enhanced document     conversion fidelity all around.

The Pentaho Flow Reporting Engine is now added and used.

Security issues fixed :

  - CVE-2014-8146: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) before 55.1 did not properly track     directionally isolated pieces of text, which allowed     remote attackers to cause a denial of service     (heap-based buffer overflow) or possibly execute     arbitrary code via crafted text.

  - CVE-2014-8147: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) before 55.1 used an integer data type that     is inconsistent with a header file, which allowed remote     attackers to cause a denial of service (incorrect malloc     followed by invalid free) or possibly execute arbitrary     code via crafted text.

  - CVE-2015-4551: An arbitrary file disclosure     vulnerability in Libreoffice and Openoffice Calc and     Writer was fixed.

  - CVE-2015-5212: A LibreOffice 'PrinterSetup Length'     integer underflow vulnerability could be used by     attackers supplying documents to execute code as the     user opening the document.

  - CVE-2015-5213: A LibreOffice 'Piece Table Counter'     invalid check design error vulnerability allowed     attackers supplying documents to execute code as the     user opening the document.

  - CVE-2015-5214: Multiple Vendor LibreOffice Bookmark     Status Memory Corruption Vulnerability allowed attackers     supplying documents to execute code as the user opening     the document.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This libreoffice update fixes the following security and non security issues :

  - Version bump to 4.3.5 release :

  - Various small fixes

  - Fix for CVE-2014-9093 bnc#907636

  - Remove dangling symlinks from previous versions     bnc#884942

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Alexander Cherepanov discovered that LibreOffice incorrectly handled certain RTF files. If a user were tricked into opening a specially crafted RTF document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. (CVE-2014-9093)

It was discovered that LibreOffice incorrectly handled certain HWP files. If a user were tricked into opening a specially crafted HWP document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. (CVE-2015-1774).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that LibreOffice, an office productivity suite, could try to write to invalid memory areas when importing malformed RTF files. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution via crafted RTF files.

The version of LibreOffice installed on the remote Windows host is prior to 4.2.7 or 4.3.x prior to 4.3.5. It is, therefore, affected by an invalid memory write vulnerability. An attacker, using a specially crafted Rich Text Format (RTF) file, can exploit this to cause a denial of service or possibly execute arbitrary code.

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

The version of LibreOffice installed on the remote Mac OS X host is prior to 4.2.8 or 4.3.x prior to 4.3.5. It is, therefore, affected by an invalid memory write vulnerability. An attacker, using a specially crafted Rich Text Format (RTF) file, can exploit this to cause a denial of service or possibly execute arbitrary code.

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

This libreoffice update fixes the following security and non secuirty issues :

  - Fix for CVE-2014-9093 bnc#907636.

  - Fix typo %(libdir) -> %(_libdir)

  - Remove dangling symlinks from previous versions     bnc#884942.

  - Fix build with boost 1.56

- Fix for various crashes on parsing malformed RTF files

    - Fix interactive table resizing in Impress

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
89811	GLSA-201603-05 : LibreOffice, OpenOffice: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
89016	openSUSE Security Update : LibreOffice and related libraries (openSUSE-2016-273)	Nessus	SuSE Local Security Checks	high
88575	SUSE SLED11 Security Update : Recommended update for LibreOffice (SUSE-SU-2016:0324-1)	Nessus	SuSE Local Security Checks	high
83656	SUSE SLED12 Security Update : libreoffice (SUSE-SU-2014:1729-1)	Nessus	SuSE Local Security Checks	high
83110	Ubuntu 14.04 LTS : LibreOffice vulnerabilities (USN-2578-1)	Nessus	Ubuntu Local Security Checks	critical
81413	Debian DSA-3163-1 : libreoffice - security update	Nessus	Debian Local Security Checks	high
80832	LibreOffice < 4.2.8 / 4.3.5 RTF File Handling Code Execution	Nessus	Windows	high
80830	LibreOffice < 4.2.8 / 4.3.5 RTF File Handling Code Execution (Mac OS X)	Nessus	MacOS X Local Security Checks	high
80301	openSUSE Security Update : libreoffice (openSUSE-SU-2014:1727-1)	Nessus	SuSE Local Security Checks	high
79400	Fedora 20 : libreoffice-4.2.7.2-9.fc20 (2014-15486)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2014-9093

high

Tenable Plugins

high

high

high

high

critical

high

high

high

high

high