RHSA-2015:2619

DSA-3394

http://www.libreoffice.org/about-us/security/advisories/cve-2015-5214/

http://www.openoffice.org/security/cves/CVE-2015-5214.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

77486

1034086

1034091

USN-2793-1

GLSA-201603-05

GLSA-201611-03

The remote host is affected by the vulnerability described in GLSA-201611-03 (LibreOffice, OpenOffice: Multiple vulnerabilities)

    Multiple vulnerabilities have been found in both LibreOffice and       OpenOffice.  Please review the referenced CVE&rsquo;s for specific       information regarding each.
  Impact :

    Remote attackers could obtain sensitive information, cause a Denial of       Service condition, or execute arbitrary code.
  Workaround :

    There is no known work around at this time.

The remote host is affected by the vulnerability described in GLSA-201603-05 (LibreOffice, OpenOffice: Multiple vulnerabilities)

    Multiple vulnerabilities were found in both LibreOffice and OpenOffice       that allow the remote execution of arbitrary code and potential Denial of       Service.  These vulnerabilities may be exploited through multiple vectors       including crafted documents, link handling, printer setup in ODF document       types, DOC file formats, and Calc spreadsheets.  Please review the       referenced CVE&rsquo;s for specific information regarding each.
  Impact :

    A remote attacker could entice a user to open a specially crafted file       using the LibreOffice or OpenOffice suite of software.  Execution of       these attacks could possibly result in the execution of arbitrary code       with the privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known work around at this time.

This update for LibreOffice and some library dependencies (cmis-client, libetonyek, libmwaw, libodfgen, libpagemaker, libreoffice-share-linker, mdds, libwps) fixes the following issues :

Changes in libreoffice :

  - Provide l10n-pt from pt-PT

  - boo#945047 - LO-L3: LO is duplicating master pages,     extended fix

  - boo#951579 - LO-L3: [LibreOffice] Calc 5.0 fails to open     ods files

  - deleted RPATH prevented loading of bundled 3rd party RDF     handler libs

  - Version update to 5.0.4.2 :

  - Final of the 5.0.4 series

  - boo#945047 - LO-L3: LO is duplicating master pages

  - Version update to 5.0.4.1 :

  - rc1 of 5.0.4 with various regression fixes

  - boo#954345 - LO-L3: Insert-->Image-->Insert as Link     hangs writer

  - Version update to 5.0.3.2 :

  - Final tag of 5.0.3 release

  - Fix boo#939996 - LO-L3: Some bits from DOCX file are not     imported

  - Fix boo#889755 - LO-L3: PPTX: chart axis number format     incorrect

  - boo#679938 - LO-L3: saving to doc file the chapter name     in the header does not change with chapters

  - Version update to 5.0.3RC1 as it should fix i586 test     failure

  - Update text2number extension to 1.5.0

  - obsolete libreoffice-mono

  - pentaho-flow-reporting require is conditional on     system_libs

  - Update icon theme dependencies

  - https://lists.debian.org/debian-openoffice/2015/09/msg00343.html

  - Version bump to 5.0.2 final fate#318856 fate#319071     boo#943075 boo#945692 :

  - Small tweaks compared to rc1

  - For sake of completion this release also contains     security fixes for boo#910806 CVE-2014-8147, boo#907636     CVE-2014-9093, boo#934423 CVE-2015-4551, boo#910805     CVE-2014-8146, boo#940838 CVE-2015-5214, boo#936190     CVE-2015-5213, boo#936188 CVE-2015-5212, boo#934423     CVE-2015-45513, boo#934423 CVE-2015-4551, boo#910805     CVE-2014-8146, boo#940838 CVE-2015-5214, boo#936190     CVE-2015-5213, boo#936188 CVE-2015-5212, boo#934423     CVE-2015-45513, boo#934423 CVE-2015-4551, boo#910805     CVE-2014-8146, boo#940838 CVE-2015-5214, boo#936190     CVE-2015-5213, boo#936188 CVE-2015-5212, boo#934423     CVE-2015-4551

  - Use gcc48 to build on sle11sp4

  - Make debuginfo's smaller on IBS.

  - Fix chrpath call after the libs got -lo suffixing

  - Add patch to fix qt4 features detection :

  - kde4filepicker.patch

  - Split out gtk3 UI to separate subpkg that requires gnome     subpkg

  - This is to allow people to test gtk3 while it not being     default

  - Version update to 5.0.2 rc1 :

  - Various small tweaks and integration of our SLE11     patchsets

  - Update constraints to 30 GB on disk

  - Version bump to 5.0.1 rc2 :

  - breeze icons extension

  - Credits update

  - Various small fixes

  - Version bump to 5.0.1 rc1 :

  - Various small fixes

  - Has some commits around screen rendering -> could fix     kde bugs

  - Kill branding-openSUSE, stick to TDF branding.

  - Version bump to 5.0 rc5 :

  - Bunch of final touchups here and there

  - Remove some upstreamed patches :

  - old-cairo.patch

  - Add explicit requires over libmysqlclient_r18, should     cover boo#829430

  - Add patch to build with old cairo (sle11).

  - Version bump to 5.0 rc3 :

  - Various more fixes closing on the 5.0 release

  - Update to 5.0 rc2 :

  - Few small fixes and updates in internal libraries

  - Version bump to 5.0 rc1, remove obsolete patches :

  -     0001-Fix-could-not-convert-.-const-char-to-const-rtl-OUS     t.patch

  - 0001-writerperfect-fix-gcc-4.7-build.patch

  - More chrpat love for sle11

  - Add python-importlib to build/requirements on py2     distros

  - Provide/obsolete crystal icons so they are purged and     not left over

  - Fix breeze icons handling, drop crystal icons.

  - Version bump to 5.0.0.beta3 :

  - Drop merged patch     0001-Make-cpp-poppler-version.h-header-optional.patch

  - Update some internal tarballs so we keep building

  - based on these bumps update the buildrequires too

  - Generate python cache files wrt boo#929793

  - Update %post scriptlets to work on sle11 again

  - Split out the share -> lib linker to hopefully allow     sle11 build

  - One more fix for help handling boo#915996

  - Version bump to 4.4.3 release :

  - Various small fixes all around

  - Disable verbose build to pass check on maximal size of     log

  - We need pre/post for libreoffice in langpkgs

  - Use old java for detection and old commons-lang/codec to     pass brp check on java from sle11

  - 0001-Make-HAVE_JAVA6-be-always-false.patch

  - Revert last changeset, it is caused by something else     this time :

  - 0001-Set-source-and-target-params-for-java.patch

  - Set source/target for javac when building to work on     SLE11 :

  - 0001-Set-source-and-target-params-for-java.patch

  - Try to deal with rpath on bundled libs

  - Fix python3_sitelib not being around for py2

  - Add internal make for too old system

  - One more stab on poppler switch :

  - 0001-Make-cpp-poppler-version.h-header-optional.patch

  - Update the old-poppler patch to work correctly :

  - 0001-Make-cpp-poppler-version.h-header-optional.patch

  - Sort out more external tarballs for the no-system-libs     approach

  - Add basic external tarballs needed for     without-system-libraries

  - Add patch to check for poppler more nicely to work on     older distros :

  - 0001-Make-cpp-poppler-version.h-header-optional.patch

  - Try to pass configure without system libs

  - Allow switch between py2 and py3

  - Move external dependencies in conditional thus allow     build on SLE11

  - Add conditional for noarch subpackages

  - Add switch in configure to detect more of     internal/external stuff

  - Add conditional for appdatastore thing and redo it to     impact the spec less

  - Add systemlibs switch to be used in attempt to build     sle11 build

  - Silence more scarry messages by boo#900186

  - Fixes autocorr symlinking

  - Cleans UNO cache in more pretty way

  - Clean up the uno cache removal to not display scarry     message boo#900186

  - Remove patch to look for help in /usr/share, we symlink     it back to lib, so there is no actual need to search for     it directly, migth fix boo#915996 :

  - officecfg-help-in-usr-share.diff

  - --disable-collada

  - reportedly it does not work in LibreOffice 4.4

  - added version numbers to some BuildRequires lines

  - Require flow engine too on base

  - Fix build on SLE12 and 13.1 by adding conditional for     appdata install

  - Fixup the installed appdata.xml files: they reference a     .desktop file that are not installed by libreoffice     (boo#926375).

  - Version bump to 4.4.2 :

  - 2nd bugfix update for the 4.4 series

  - BuildRequires: libodfgen-devel >= 0.1

  - added version numbers to some BuildRequires lines

  - build does not require python3-lxml

  - build requires librevenge-devel >= 0.0.1

  - vlc media backend is broken, don't use it. Only     gstreamer should be used.

  - Install the .appdata.xml files shipped by upstream:
    allow LO to be shown in AppStream based software     centers.

  - Move pretrans to pre

  - Version bump to 4.4.1 first bugfix release of the series

  - Reduce bit the compilation preparations as we prepped     most of the things by _constraints and it is no longer     needed

  - %pre is not enough the script needs to be rewritten in     lua

  - Move removal of obsolete dirs from %pretrans to %pre     boo#916181

  - Version bump to 4.4.0 final :

  - First in the 4.4 series

  - First release to have the new UI elements without old     hardcoded sizes

  - Various improvements all around.

  - Version bump to 4.4.0rc2 :

  - Various bugfixes, just bumping to see if we still build     fine.

  - That verbose switch for configure was really really bad     idea

  - generic images.zip for galaxy icons seem gone so remove

  - Do not supplement kde3 stuff, it is way beyond obsolete

  - Remove vlc conditional

  - korea.xcd is no more so remove

  - Really use mergelib

  - Disable telepathy, it really is experimental like hell

  - Version bump to 4.4.0rc1 :

  - New 4.4 branch release with additional features

  - Enable collada :

  - New bundled collada2gltf tarball:
    4b87018f7fff1d054939d19920b751a0-collada2gltf-master-cb1     d97788a.tar.bz2

  - Remove errorous self-obsolete in lang pkgs.

  - Version bump to 4.3.3.2 :

  - Various bugfixes from maintenance branch to copy     openSUSE.

  - Also contains fix for boo#900214 and boo#900218     CVE-2014-3693

  - fix regression in bullets (boo#897903).

  - Add masterpage_style_parent.odp as new file for     regression test for bullets. Changes in cmis-client :

  - Update to version 0.5.0

  + Completely removed the dependency on InMemory server for     unit tests

  + Minimized the number of HTTP requests sent by     SessionFactory::createSession

  + Added Session::getBaseTypes()

  - Bump soname to 0_5-5

  - Bump incname to 0.5

Changes in libetonyek :

  - Version bump to 0.1.3 :

  - Various small fixes

  - More imported now imported

  - Now use mdds to help with some hashing

  - Version bump to 0.1.2 :

  - Initial support for pages and numbers

  - Ditch libetonyek-0.1.1-constants.patch as we do not     require us to build for older boost

Changes in libmwaw :

  - Version bump to 0.3.6 :

  - Added a minimal parser for ApplePict v1.v2, ie. no     clipping, does not take in account the copy mode:
    srcCopy, srcOr, ...

  - Extended the --with-docs configure option to allow to     build doc only for the API classes:
    --with-docs=no|api|full .

  - Added a parser for MacDraft v4-v5 documents.

  - RagTime v5-v6 parser: try to retrieve the main layouts     and the picture/shape/textbox, ie. now, it generates     result but it is still very imcomplete... 

  - MWAW{Graphic,Presentation,Text}Listener: corrected a     problem in openGroup which may create to incorrect     document.

  - Created an MWAWEmbeddedObject class to store a picture     with various representations.

  - MWAW*Listener: renamed insertPicture to insertShape,     added a function to insert a texbox in a     MWAWGraphicShape (which only insert a basic textbox).

  - Fixed many crashes and hangs when importing broken     files, found with the help of american-fuzzy-lop.

  - And several other minor fixes and improvements.

  - Version bump to 0.3.5

  - Various small fixes on 0.3 series, nothing big woth     mention

Changes in libodfgen :

  - Version bump to 0.1.4 :

  - drawing interface: do no forget to call     startDocument/endDocument when writing in the manifest

  - metadata: added handler for 'template' metadata, unknown     metadata are written in a meta:user-defined elements,

  - defineSheetNumberingStyle: can now define styles for the     whole document (and not only for the actual sheet)

  - update doxygen configuration file + add a make astyle     command

  - Allow writing meta:creation-date metadata element for     drawings and presentations too.

  - Improve handling of headings. Most importantly, write     valid ODF.

  - Write meta:generator metadata element.

  - Add initial support for embedded fonts. It is currently     limited to Flat ODF output.

  - Upgrade to version 0.1.2

  - Use text:h element for headings. Any paragraph with     text:outline-level property is recognized as a heading.

  - Handle layers.

  - Improve handling of styles. Particularly, do not emit     duplicate styles.

  - Slightly improve documentation.

  - Handle master pages.

  - Do not expect that integer properties are always in     inches.

  - Fix misspelled style:paragraph-properties element in     presentation notes.

  - Only export public symbols on Linux.

  - Fix bogus XML-escaping of metadata values.

  - And many other improvements and fixes.

Changes in libpagemaker :

  - Initial package based on upstream libpagemaker 0.0.2

Changes in libreoffice-share-linker :

  - Initial commit, split out from main libreoffice package     to workaround issues on SLE11 build Changes in mdds :

  - Update to version 0.12.1 :

  - Various small fixes on 0.12 series

  - Just move define up and comment why we redefine docdir

  - more types are possible in segment_tree data structures     (previously only pointers were possible)

  - added sorted_string_map

  - multi_type_vector bugfixes Changes in libwps :

  - Update to version 0.4.1 :

  + QuattroPro: correct a mistake when reading negative     cell's position.

  + Fix some Windows build problems.

  + Fix more than 10 hangs when reading damaged files, found     with the help of american-fuzzy-lop.

  + Performance: improve the sheet's output generation.

  + add support for unknown encoding files (ie. DOS file)

  + add potential support for converting Lotus, ...
    documents,

  + accept to convert all Lotus Wk1 files and Symphony Wk1     files,

  + add support for Lotus Wk3 and Wk4 documents,

  + add support for Quattro Pro Wq1 and Wq2 documents,

  + only in debug mode, add pre-support for Lotus Wk5...,     must allow to retrieve the main sheets content's with no     formatting,

  + add potential support for asking the document's password     ( but do nothing )

  + correct some compiler warnings when compiling in debug     mode.

  + Fix parsing of floating-point numbers in specific cases.

  + Fix several minor issues reported by Coverity and Clang.

  + Check arguments of public functions. Passing NULL no     longer causes a crash.

  + Use symbol visibility on Linux. The library only exports     the public functions now.

  + Import @TERM and @CTERM functions (fdo#86241).

  + Handle LICS character encoding in spreadsheets     (fdo#87222).

  + Fix a crash when reading a broken file, found with the     help of american-fuzzy-lop.

This update brings LibreOffice to version 5.0.4, a major version update.

It brings lots of new features, bug fixes and also security fixes.

Features as seen on http://www.libreoffice.org/discover/new-features/

  - LibreOffice 5.0 ships an impressive number of new     features for its spreadsheet module, Calc: complex     formulae image cropping, new functions, more powerful     conditional formatting, table addressing and much more.
    Calc's blend of performance and features makes it an     enterprise-ready, heavy duty spreadsheet application     capable of handling all kinds of workload for an     impressive range of use cases

  - New icons, major improvements to menus and sidebar : no     other LibreOffice version has looked that good and     helped you be creative and get things done the right     way. In addition, style management is now more intuitive     thanks to the visualization of styles right in the     interface.

  - LibreOffice 5 ships with numerous improvements to     document import and export filters for MS Office, PDF,     RTF, and more. You can now timestamp PDF documents     generated with LibreOffice and enjoy enhanced document     conversion fidelity all around.

The Pentaho Flow Reporting Engine is now added and used.

Security issues fixed :

  - CVE-2014-8146: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) before 55.1 did not properly track     directionally isolated pieces of text, which allowed     remote attackers to cause a denial of service     (heap-based buffer overflow) or possibly execute     arbitrary code via crafted text.

  - CVE-2014-8147: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) before 55.1 used an integer data type that     is inconsistent with a header file, which allowed remote     attackers to cause a denial of service (incorrect malloc     followed by invalid free) or possibly execute arbitrary     code via crafted text.

  - CVE-2015-4551: An arbitrary file disclosure     vulnerability in Libreoffice and Openoffice Calc and     Writer was fixed.

  - CVE-2015-5212: A LibreOffice 'PrinterSetup Length'     integer underflow vulnerability could be used by     attackers supplying documents to execute code as the     user opening the document.

  - CVE-2015-5213: A LibreOffice 'Piece Table Counter'     invalid check design error vulnerability allowed     attackers supplying documents to execute code as the     user opening the document.

  - CVE-2015-5214: Multiple Vendor LibreOffice Bookmark     Status Memory Corruption Vulnerability allowed attackers     supplying documents to execute code as the user opening     the document.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that LibreOffice did not properly restrict automatic link updates. By tricking a victim into opening specially crafted documents, an attacker could possibly use this flaw to disclose contents of files accessible by the victim. (CVE-2015-4551)

An integer underflow flaw leading to a heap-based buffer overflow when parsing PrinterSetup data was discovered. By tricking a user into opening a specially crafted document, an attacker could possibly exploit this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5212)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way LibreOffice processed certain Microsoft Word .doc files. By tricking a user into opening a specially crafted Microsoft Word .doc document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5213)

It was discovered that LibreOffice did not properly sanity check bookmark indexes. By tricking a user into opening a specially crafted document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file.
(CVE-2015-5214)

From Red Hat Security Advisory 2015:2619 :

Updated libreoffice packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.

It was discovered that LibreOffice did not properly restrict automatic link updates. By tricking a victim into opening specially crafted documents, an attacker could possibly use this flaw to disclose contents of files accessible by the victim. (CVE-2015-4551)

An integer underflow flaw leading to a heap-based buffer overflow when parsing PrinterSetup data was discovered. By tricking a user into opening a specially crafted document, an attacker could possibly exploit this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5212)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way LibreOffice processed certain Microsoft Word .doc files. By tricking a user into opening a specially crafted Microsoft Word .doc document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5213)

It was discovered that LibreOffice did not properly sanity check bookmark indexes. By tricking a user into opening a specially crafted document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file.
(CVE-2015-5214)

All libreoffice users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Updated libreoffice packages that fixes multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.

It was discovered that LibreOffice did not properly restrict automatic link updates. By tricking a victim into opening specially crafted documents, an attacker could possibly use this flaw to disclose contents of files accessible by the victim. (CVE-2015-4551)

An integer underflow flaw leading to a heap-based buffer overflow when parsing PrinterSetup data was discovered. By tricking a user into opening a specially crafted document, an attacker could possibly exploit this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5212)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way LibreOffice processed certain Microsoft Word .doc files. By tricking a user into opening a specially crafted Microsoft Word .doc document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file. (CVE-2015-5213)

It was discovered that LibreOffice did not properly sanity check bookmark indexes. By tricking a user into opening a specially crafted document, an attacker could possibly use this flaw to execute arbitrary code with the privileges of the user opening the file.
(CVE-2015-5214)

All libreoffice users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

The version of Apache OpenOffice installed on the remote host is a version prior to 4.1.2. It is, therefore, affected by the following vulnerabilities :

  - An overflow condition exists in the Hangul Word     Processor (HWP) filter due to improper validation of     user-supplied input. A remote attacker can exploit this,     via a specially crafted HWP document, to cause a denial     of service condition or the execution of arbitrary code.
    (CVE-2015-1774)

  - An information disclosure vulnerability exists due to     the use of stored LinkUpdateMode configuration     information in OpenDocument Format files and templates     when handling links. A remote attacker can exploit this,     via a specially crafted ODF document, to to obtain     sensitive information. (CVE-2015-4551)

  - An integer underflow condition exists in the     ReadJobSetup() function due to improper validation of     user-supplied input when handling printer settings. A     remote attacker can exploit this, via specially crafted     PrinterSetup data in an ODF document, to cause a denial     of service condition or the execution of arbitrary code.
    (CVE-2015-5212)

  - An integer underflow condition exists in the     WW8ScannerBase::OpenPieceTable() function due to     improper validation of user-supplied input when handling     the PieceTable counter. A remote attacker can exploit     this, via a specially crafted .DOC file, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2015-5213)

  - A memory corruption issue exists in     'filter/ww8/ww8scan.cxx' due to improper validation of     user-supplied input when handling bookmark status     positions. A remote attacker can exploit this, via a     specially crafted document, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2015-5214)

The version of LibreOffice installed on the remote Mac OS X host is prior to 4.4.6 or 5.x prior to 5.0.1. It is, therefore, affected by a memory corruption issue in 'filter/ww8/ww8scan.cxx' due to improper validation of user-supplied input when handling bookmark status positions. A remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition or the execution of arbitrary code.

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

The version of LibreOffice installed on the remote Windows host is prior to 4.4.6 or 5.x prior to 5.0.1. It is, therefore, affected by a memory corruption issue in 'filter/ww8/ww8scan.cxx' due to improper validation of user-supplied input when handling bookmark status positions. A remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition or the execution of arbitrary code.

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

Federico Scrinzi discovered that LibreOffice incorrectly handled documents inserted into Writer or Calc via links. If a user were tricked into opening a specially crafted document, a remote attacker could possibly obtain the contents of arbitrary files. (CVE-2015-4551)

It was discovered that LibreOffice incorrectly handled PrinterSetup data stored in ODF files. If a user were tricked into opening a specially crafted ODF document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code.
(CVE-2015-5212)

It was discovered that LibreOffice incorrectly handled the number of pieces in DOC files. If a user were tricked into opening a specially crafted DOC document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. (CVE-2015-5213)

It was discovered that LibreOffice incorrectly handled bookmarks in DOC files. If a user were tricked into opening a specially crafted DOC document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. (CVE-2015-5214).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Apache OpenOffice Project reports :

A vulnerability in OpenOffice settings of OpenDocument Format files and templates allows silent access to files that are readable from an user account, over-riding the user's default configuration settings.
Once these files are imported into a maliciously-crafted document, the data can be silently hidden in the document and possibly exported to an external party without being observed. 

The Apache OpenOffice Project reports :

A crafted ODF document can be used to create a buffer that is too small for the amount of data loaded into it, allowing an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code.

The Apache OpenOffice Project reports :

A crafted Microsoft Word DOC file can be used to specify a document buffer that is too small for the amount of data provided for it.
Failure to detect the discrepancy allows an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code.

The Apache OpenOffice Project reports :

A crafted Microsoft Word DOC can contain invalid bookmark positions leading to memory corruption when the document is loaded or bookmarks are manipulated. The defect allows an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code.

Multiple vulnerabilities have been discovered in LibreOffice, a full-featured office productivity :

  - CVE-2015-4551     Federico Scrinzi discovered an information leak in the     handling of ODF documents. Quoting from: The     LinkUpdateMode feature controls whether documents     inserted into Writer or Calc via links will either not     get updated, or prompt to update, or automatically     update, when the parent document is loaded. The     configuration of this option was stored in the document.
    That flawed approach enabled documents to be crafted     with links to plausible targets on the victims host     computer. The contents of those automatically inserted     after load links can be concealed in hidden sections and     retrieved by the attacker if the document is saved and     returned to sender, or via http requests if the user has     selected lower security settings for that document.

  - CVE-2015-5212     A buffer overflow in parsing the printer setup     information in ODF documents may result in the execution     of arbitrary code.

  - CVE-2015-5213 / CVE-2015-5214     A buffer overflow and an integer overflow in parsing     Microsoft Word documents may result in the execution of     arbitrary code.

This update brings LibreOffice to version 5.0.2, a major version update.

It brings lots of new features, bugfixes and also security fixes.

Features as seen on http://www.libreoffice.org/discover/new-features/

  - LibreOffice 5.0 ships an impressive number of new     features for its spreadsheet module, Calc: complex     formulae image cropping, new functions, more powerful     conditional formatting, table addressing and much more.
    Calc's blend of performance and features makes it an     enterprise-ready, heavy duty spreadsheet application     capable of handling all kinds of workload for an     impressive range of use cases

  - New icons, major improvements to menus and sidebar : no     other LibreOffice version has looked that good and     helped you be creative and get things done the right     way. In addition, style management is now more intuitive     thanks to the visualization of styles right in the     interface.

  - LibreOffice 5 ships with numerous improvements to     document import and export filters for MS Office, PDF,     RTF, and more. You can now timestamp PDF documents     generated with LibreOffice and enjoy enhanced document     conversion fidelity all around.

The Pentaho Flow Reporting Engine is now added and used.

Security issues fixed :

  - CVE-2014-8146: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) before 55.1 did not properly track     directionally isolated pieces of text, which allowed     remote attackers to cause a denial of service     (heap-based buffer overflow) or possibly execute     arbitrary code via crafted text.

  - CVE-2014-8147: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) before 55.1 used an integer data type that     is inconsistent with a header file, which allowed remote     attackers to cause a denial of service (incorrect malloc     followed by invalid free) or possibly execute arbitrary     code via crafted text.

  - CVE-2015-4551: An arbitrary file disclosure     vulnerability in Libreoffice and Openoffice Calc and     Writer was fixed.

  - CVE-2015-1774: The HWP filter in LibreOffice allowed     remote attackers to cause a denial of service (crash) or     possibly execute arbitrary code via a crafted HWP     document, which triggered an out-of-bounds write.

  - CVE-2015-5212: A LibreOffice 'PrinterSetup Length'     integer underflow vulnerability could be used by     attackers supplying documents to execute code as the     user opening the document.

  - CVE-2015-5213: A LibreOffice 'Piece Table Counter'     invalid check design error vulnerability allowed     attackers supplying documents to execute code as the     user opening the document.

  - CVE-2015-5214: Multiple Vendor LibreOffice Bookmark     Status Memory Corruption Vulnerability allowed attackers     supplying documents to execute code as the user opening     the document.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
94594	GLSA-201611-03 : LibreOffice, OpenOffice: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
89811	GLSA-201603-05 : LibreOffice, OpenOffice: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
89016	openSUSE Security Update : LibreOffice and related libraries (openSUSE-2016-273)	Nessus	SuSE Local Security Checks	high
88575	SUSE SLED11 Security Update : Recommended update for LibreOffice (SUSE-SU-2016:0324-1)	Nessus	SuSE Local Security Checks	high
87400	Scientific Linux Security Update : libreoffice on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
87365	Oracle Linux 6 / 7 : libreoffice (ELSA-2015-2619)	Nessus	Oracle Linux Local Security Checks	medium
87358	CentOS 6 / 7 : libreoffice (CESA-2015:2619)	Nessus	CentOS Local Security Checks	medium
87337	RHEL 6 / 7 : libreoffice (RHSA-2015:2619)	Nessus	Red Hat Local Security Checks	medium
86904	Apache OpenOffice < 4.1.2 Multiple Vulnerabilities	Nessus	Windows	high
86903	LibreOffice < 4.4.6 / 5.x < 5.0.1 Document Bookmark Arbitrary Code Execution (Mac OS X)	Nessus	MacOS X Local Security Checks	high
86901	LibreOffice < 4.4.6 / 5.x < 5.0.1 Document Bookmark Arbitrary Code Execution	Nessus	Windows	high
86784	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : libreoffice vulnerabilities (USN-2793-1)	Nessus	Ubuntu Local Security Checks	medium
86775	FreeBSD : OpenOffice 4.1.1 -- multiple vulnerabilities (18b3c61b-83de-11e5-905b-ac9e174be3af)	Nessus	FreeBSD Local Security Checks	medium
86772	Debian DSA-3394-1 : libreoffice - security update	Nessus	Debian Local Security Checks	medium
86757	SUSE SLED12 / SLES12 Security Update : Recommended update for LibreOffice (SUSE-SU-2015:1915-1)	Nessus	SuSE Local Security Checks	high

CVE-2015-5214

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins