SUSE SLED12 / SLES12 Security Update : Recommended update for LibreOffice (SUSE-SU-2015:1915-1)

high Nessus Plugin ID 86757
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update brings LibreOffice to version 5.0.2, a major version update.

It brings lots of new features, bugfixes and also security fixes.

Features as seen on http://www.libreoffice.org/discover/new-features/

- LibreOffice 5.0 ships an impressive number of new features for its spreadsheet module, Calc: complex formulae image cropping, new functions, more powerful conditional formatting, table addressing and much more.
Calc's blend of performance and features makes it an enterprise-ready, heavy duty spreadsheet application capable of handling all kinds of workload for an impressive range of use cases

- New icons, major improvements to menus and sidebar : no other LibreOffice version has looked that good and helped you be creative and get things done the right way. In addition, style management is now more intuitive thanks to the visualization of styles right in the interface.

- LibreOffice 5 ships with numerous improvements to document import and export filters for MS Office, PDF, RTF, and more. You can now timestamp PDF documents generated with LibreOffice and enjoy enhanced document conversion fidelity all around.

The Pentaho Flow Reporting Engine is now added and used.

Security issues fixed :

- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 did not properly track directionally isolated pieces of text, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.

- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 used an integer data type that is inconsistent with a header file, which allowed remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.

- CVE-2015-4551: An arbitrary file disclosure vulnerability in Libreoffice and Openoffice Calc and Writer was fixed.

- CVE-2015-1774: The HWP filter in LibreOffice allowed remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggered an out-of-bounds write.

- CVE-2015-5212: A LibreOffice 'PrinterSetup Length' integer underflow vulnerability could be used by attackers supplying documents to execute code as the user opening the document.

- CVE-2015-5213: A LibreOffice 'Piece Table Counter' invalid check design error vulnerability allowed attackers supplying documents to execute code as the user opening the document.

- CVE-2015-5214: Multiple Vendor LibreOffice Bookmark Status Memory Corruption Vulnerability allowed attackers supplying documents to execute code as the user opening the document.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12 :

zypper in -t patch SUSE-SLE-WE-12-2015-797=1

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2015-797=1

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2015-797=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2015-797=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://www.libreoffice.org/discover/new-features/

https://bugzilla.suse.com/show_bug.cgi?id=470073

https://bugzilla.suse.com/show_bug.cgi?id=806250

https://bugzilla.suse.com/show_bug.cgi?id=829430

https://bugzilla.suse.com/show_bug.cgi?id=890735

https://bugzilla.suse.com/show_bug.cgi?id=900186

https://bugzilla.suse.com/show_bug.cgi?id=900877

https://bugzilla.suse.com/show_bug.cgi?id=907966

https://bugzilla.suse.com/show_bug.cgi?id=910805

https://bugzilla.suse.com/show_bug.cgi?id=910806

https://bugzilla.suse.com/show_bug.cgi?id=913042

https://bugzilla.suse.com/show_bug.cgi?id=914911

https://bugzilla.suse.com/show_bug.cgi?id=915996

https://bugzilla.suse.com/show_bug.cgi?id=916181

https://bugzilla.suse.com/show_bug.cgi?id=918852

https://bugzilla.suse.com/show_bug.cgi?id=919409

https://bugzilla.suse.com/show_bug.cgi?id=926375

https://bugzilla.suse.com/show_bug.cgi?id=929793

https://bugzilla.suse.com/show_bug.cgi?id=934423

https://bugzilla.suse.com/show_bug.cgi?id=936188

https://bugzilla.suse.com/show_bug.cgi?id=936190

https://bugzilla.suse.com/show_bug.cgi?id=940838

https://bugzilla.suse.com/show_bug.cgi?id=943075

https://bugzilla.suse.com/show_bug.cgi?id=945692

https://www.suse.com/security/cve/CVE-2014-8146/

https://www.suse.com/security/cve/CVE-2014-8147/

https://www.suse.com/security/cve/CVE-2015-1774/

https://www.suse.com/security/cve/CVE-2015-4551/

https://www.suse.com/security/cve/CVE-2015-5212/

https://www.suse.com/security/cve/CVE-2015-5213/

https://www.suse.com/security/cve/CVE-2015-5214/

http://www.nessus.org/u?dd02c58f

Plugin Details

Severity: High

ID: 86757

File Name: suse_SU-2015-1915-1.nasl

Version: 2.14

Type: local

Agent: unix

Published: 11/5/2015

Updated: 1/6/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:cmis-client-debuginfo, p-cpe:/a:novell:suse_linux:cmis-client-debugsource, p-cpe:/a:novell:suse_linux:graphite2-debuginfo, p-cpe:/a:novell:suse_linux:graphite2-debugsource, p-cpe:/a:novell:suse_linux:hyphen-debugsource, p-cpe:/a:novell:suse_linux:libabw-0_1, p-cpe:/a:novell:suse_linux:libabw-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libabw-debugsource, p-cpe:/a:novell:suse_linux:libcdr-0_1, p-cpe:/a:novell:suse_linux:libcdr-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libcdr-debugsource, p-cpe:/a:novell:suse_linux:libcmis-0_5, p-cpe:/a:novell:suse_linux:libcmis-0_5-5-debuginfo, p-cpe:/a:novell:suse_linux:libe-book-0_1, p-cpe:/a:novell:suse_linux:libe-book-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libe-book-debugsource, p-cpe:/a:novell:suse_linux:libetonyek-0_1, p-cpe:/a:novell:suse_linux:libetonyek-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libetonyek-debugsource, p-cpe:/a:novell:suse_linux:libfreehand-0_1, p-cpe:/a:novell:suse_linux:libfreehand-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libfreehand-debugsource, p-cpe:/a:novell:suse_linux:libgltf-0_0, p-cpe:/a:novell:suse_linux:libgltf-0_0-0-debuginfo, p-cpe:/a:novell:suse_linux:libgltf-debugsource, p-cpe:/a:novell:suse_linux:libgraphite2, p-cpe:/a:novell:suse_linux:libgraphite2-3, p-cpe:/a:novell:suse_linux:libgraphite2-3-debuginfo, p-cpe:/a:novell:suse_linux:libhyphen0, p-cpe:/a:novell:suse_linux:libhyphen0-debuginfo, p-cpe:/a:novell:suse_linux:libixion-0_10, p-cpe:/a:novell:suse_linux:libixion-0_10-0-debuginfo, p-cpe:/a:novell:suse_linux:libixion-debugsource, p-cpe:/a:novell:suse_linux:liblangtag-debugsource, p-cpe:/a:novell:suse_linux:liblangtag1, p-cpe:/a:novell:suse_linux:liblangtag1-debuginfo, p-cpe:/a:novell:suse_linux:libmspub-0_1, p-cpe:/a:novell:suse_linux:libmspub-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libmspub-debugsource, p-cpe:/a:novell:suse_linux:libmwaw-0_3, p-cpe:/a:novell:suse_linux:libmwaw-0_3-3-debuginfo, p-cpe:/a:novell:suse_linux:libmwaw-debugsource, p-cpe:/a:novell:suse_linux:libodfgen-0_1, p-cpe:/a:novell:suse_linux:libodfgen-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libodfgen-debugsource, p-cpe:/a:novell:suse_linux:liborcus-0_8, p-cpe:/a:novell:suse_linux:liborcus-0_8-0-debuginfo, p-cpe:/a:novell:suse_linux:liborcus-debugsource, p-cpe:/a:novell:suse_linux:libpagemaker-0_0, p-cpe:/a:novell:suse_linux:libpagemaker-0_0-0-debuginfo, p-cpe:/a:novell:suse_linux:libpagemaker-debugsource, p-cpe:/a:novell:suse_linux:libreoffice, p-cpe:/a:novell:suse_linux:libreoffice-base, p-cpe:/a:novell:suse_linux:libreoffice-base-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-mysql, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-mysql-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-postgresql, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-postgresql-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-calc, p-cpe:/a:novell:suse_linux:libreoffice-calc-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-calc-extensions, p-cpe:/a:novell:suse_linux:libreoffice-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-debugsource, p-cpe:/a:novell:suse_linux:libreoffice-draw, p-cpe:/a:novell:suse_linux:libreoffice-draw-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-filters-optional, p-cpe:/a:novell:suse_linux:libreoffice-gnome, p-cpe:/a:novell:suse_linux:libreoffice-gnome-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-impress, p-cpe:/a:novell:suse_linux:libreoffice-impress-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-mailmerge, p-cpe:/a:novell:suse_linux:libreoffice-math, p-cpe:/a:novell:suse_linux:libreoffice-math-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-officebean, p-cpe:/a:novell:suse_linux:libreoffice-officebean-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-pyuno, p-cpe:/a:novell:suse_linux:libreoffice-pyuno-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-voikko, p-cpe:/a:novell:suse_linux:libreoffice-voikko-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-writer, p-cpe:/a:novell:suse_linux:libreoffice-writer-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-writer-extensions, p-cpe:/a:novell:suse_linux:librevenge-0_0, p-cpe:/a:novell:suse_linux:librevenge-0_0-0-debuginfo, p-cpe:/a:novell:suse_linux:librevenge-debugsource, p-cpe:/a:novell:suse_linux:librevenge-stream-0_0, p-cpe:/a:novell:suse_linux:librevenge-stream-0_0-0-debuginfo, p-cpe:/a:novell:suse_linux:libvisio-0_1, p-cpe:/a:novell:suse_linux:libvisio-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libvisio-debugsource, p-cpe:/a:novell:suse_linux:libvoikko-debugsource, p-cpe:/a:novell:suse_linux:libvoikko1, p-cpe:/a:novell:suse_linux:libvoikko1-debuginfo, p-cpe:/a:novell:suse_linux:libwps-0_4, p-cpe:/a:novell:suse_linux:libwps-0_4-4-debuginfo, p-cpe:/a:novell:suse_linux:libwps-debugsource, p-cpe:/a:novell:suse_linux:myspell-dictionaries, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/9/2015

Vulnerability Publication Date: 4/28/2015

Reference Information

CVE: CVE-2014-8146, CVE-2014-8147, CVE-2015-1774, CVE-2015-4551, CVE-2015-5212, CVE-2015-5213, CVE-2015-5214

BID: 74338, 74457