SUSE SLED11 Security Update : Recommended update for LibreOffice (SUSE-SU-2016:0324-1)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

This update brings LibreOffice to version 5.0.4, a major version
update.

It brings lots of new features, bug fixes and also security fixes.

Features as seen on http://www.libreoffice.org/discover/new-features/

- LibreOffice 5.0 ships an impressive number of new
features for its spreadsheet module, Calc: complex
formulae image cropping, new functions, more powerful
conditional formatting, table addressing and much more.
Calc's blend of performance and features makes it an
enterprise-ready, heavy duty spreadsheet application
capable of handling all kinds of workload for an
impressive range of use cases.

- New icons, major improvements to menus and sidebar : no
other LibreOffice version has looked that good and
helped you be creative and get things done the right
way. In addition, style management is now more intuitive
thanks to the visualization of styles right in the
interface.

- LibreOffice 5 ships with numerous improvements to
document import and export filters for MS Office, PDF,
RTF, and more. You can now timestamp PDF documents
generated with LibreOffice and enjoy enhanced document
conversion fidelity all around.

The Pentaho Flow Reporting Engine is now added and used.

Security issues fixed :

- CVE-2014-8146: The resolveImplicitLevels function in
common/ubidi.c in the Unicode Bidirectional Algorithm
implementation in ICU4C in International Components for
Unicode (ICU) before 55.1 did not properly track
directionally isolated pieces of text, which allowed
remote attackers to cause a denial of service
(heap-based buffer overflow) or possibly execute
arbitrary code via crafted text.

- CVE-2014-8147: The resolveImplicitLevels function in
common/ubidi.c in the Unicode Bidirectional Algorithm
implementation in ICU4C in International Components for
Unicode (ICU) before 55.1 used an integer data type that
is inconsistent with a header file, which allowed remote
attackers to cause a denial of service (incorrect malloc
followed by invalid free) or possibly execute arbitrary
code via crafted text.

- CVE-2015-4551: An arbitrary file disclosure
vulnerability in LibreOffice and OpenOffice Calc and
Writer was fixed.

- CVE-2015-5212: A LibreOffice 'PrinterSetup Length'
integer underflow vulnerability could be used by
attackers supplying documents to execute code as the
user opening the document.

- CVE-2015-5213: A LibreOffice 'Piece Table Counter'
invalid check design error vulnerability allowed
attackers supplying documents to execute code as the
user opening the document.

- CVE-2015-5214: Multiple Vendor LibreOffice Bookmark
Status Memory Corruption Vulnerability allowed attackers
supplying documents to execute code as the user opening
the document.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.libreoffice.org/discover/new-features/
https://bugzilla.suse.com/306333
https://bugzilla.suse.com/547549
https://bugzilla.suse.com/668145
https://bugzilla.suse.com/679938
https://bugzilla.suse.com/681560
https://bugzilla.suse.com/688200
https://bugzilla.suse.com/718113
https://bugzilla.suse.com/806250
https://bugzilla.suse.com/857026
https://bugzilla.suse.com/889755
https://bugzilla.suse.com/890735
https://bugzilla.suse.com/907636
https://bugzilla.suse.com/907966
https://bugzilla.suse.com/910805
https://bugzilla.suse.com/910806
https://bugzilla.suse.com/914911
https://bugzilla.suse.com/934423
https://bugzilla.suse.com/936188
https://bugzilla.suse.com/936190
https://bugzilla.suse.com/939996
https://bugzilla.suse.com/940838
https://bugzilla.suse.com/943075
https://bugzilla.suse.com/945047
https://bugzilla.suse.com/945692
https://bugzilla.suse.com/951579
https://bugzilla.suse.com/954345
https://www.suse.com/security/cve/CVE-2014-8146.html
https://www.suse.com/security/cve/CVE-2014-8147.html
https://www.suse.com/security/cve/CVE-2014-9093.html
https://www.suse.com/security/cve/CVE-2015-4551.html
https://www.suse.com/security/cve/CVE-2015-5212.html
https://www.suse.com/security/cve/CVE-2015-5213.html
https://www.suse.com/security/cve/CVE-2015-5214.html
http://www.nessus.org/u?6cb3ddc7

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4 :

zypper in -t patch sdksp4-libreoffice-504-1174=1

SUSE Linux Enterprise Desktop 11-SP4 :

zypper in -t patch sledsp4-libreoffice-504-1174=1

SUSE Linux Enterprise Debuginfo 11-SP4 :

zypper in -t patch dbgsp4-libreoffice-504-1174=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 88575

Bugtraq ID: 71313, 74457

CVE ID: CVE-2014-8146, CVE-2014-8147, CVE-2014-9093, CVE-2015-4551,
CVE-2015-5212, CVE-2015-5213, CVE-2015-5214
