The version of LibreOffice installed on the remote Windows host is prior to 5.1.4. It is, therefore, affected by a use-after-free error during Rich Text Format (RTF) file parsing due to improper validation of the RTF character style index. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted RTF file, to execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security fix for CVE-2016-4324

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Talos reports :

An exploitable Use After Free vulnerability exists in the RTF parser LibreOffice. A specially crafted file can cause a use after free resulting in a possible arbitrary code execution. To exploit the vulnerability a malicious file needs to be opened by the user via vulnerable application.

LibreOffice was updated to version 5.1.5.2, bringing enhancements and bug fixes.

  - CVE-2016-4324: Parsing the Rich Text Format character     style index was insufficiently checked for validity.
    Documents could be constructed which dereference an     iterator to the first entry of an empty STL container.
    (bsc#987553)

  - Don't use 'nullable' for introspection, as it isn't     available on SLE 12's version of gobject-introspection.
    This prevents a segmentation fault in gnome-documents.
    (bsc#1000102)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

LibreOffice was updated to version 5.1.5.2, bringing enhancements and bug fixes.

  - CVE-2016-4324: Parsing the Rich Text Format character     style index was insufficiently checked for validity.
    Documents could be constructed which dereference an     iterator to the first entry of an empty STL container.
    (bsc#987553)

  - Don't use 'nullable' for introspection, as it isn't     available on SLE 12's version of gobject-introspection.
    This prevents a segmentation fault in gnome-documents.
    (bsc#1000102)

This update was imported from the SUSE:SLE-12:Update update project.

Aleksandar Nikolic discovered that missing input sanitising in the RTF parser in Libreoffice may result in the execution of arbitrary code if a malformed documented is opened.

The version of LibreOffice installed on the remote macOS or Mac OS X host is prior to 5.1.4. It is, therefore, affected by a use-after-free error due to improper handling of the character style index when parsing RTF files. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted RTF file, to execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201611-03 (LibreOffice, OpenOffice: Multiple vulnerabilities)

    Multiple vulnerabilities have been found in both LibreOffice and       OpenOffice.  Please review the referenced CVE&rsquo;s for specific       information regarding each.
  Impact :

    Remote attackers could obtain sensitive information, cause a Denial of       Service condition, or execute arbitrary code.
  Workaround :

    There is no known work around at this time.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3022-1 advisory.

    It was discovered that LibreOffice incorrectly handled RTF document files. If a user were tricked into     opening a specially crafted RTF document, a remote attacker could cause LibreOffice to crash, and possibly     execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Aleksandar Nikolic discovered that missing input sanitising in the RTF parser in Libreoffice may result in the execution of arbitrary code if a malformed documented is opened.

For Debian 7 'Wheezy', these problems have been fixed in version 1:3.5.4+dfsg2-0+deb7u7.

We recommend that you upgrade your libreoffice packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
91974	LibreOffice < 5.1.4 RTF Character Style Index RCE	Nessus	Windows	7/8/2016	11/19/2019	high
92302	Fedora 23 : 1:libreoffice (2016-f0552e1341)	Nessus	Fedora Local Security Checks	7/15/2016	2/2/2026	high
92340	FreeBSD : libreoffice -- use-after-free vulnerability (3159cd70-4aaa-11e6-a7bd-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	7/18/2016	2/2/2026	high
93910	SUSE SLED12 Security Update : libreoffice (SUSE-SU-2016:2472-1)	Nessus	SuSE Local Security Checks	10/7/2016	1/22/2026	high
94088	openSUSE Security Update : libreoffice (openSUSE-2016-1192)	Nessus	SuSE Local Security Checks	10/17/2016	1/21/2026	high
91891	Debian DSA-3608-1 : libreoffice - security update	Nessus	Debian Local Security Checks	6/30/2016	1/11/2021	high
91975	LibreOffice < 5.1.4 RTF Character Style Index RCE (macOS)	Nessus	MacOS X Local Security Checks	7/8/2016	11/14/2019	high
94594	GLSA-201611-03 : LibreOffice, OpenOffice: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	11/7/2016	1/20/2026	high
91893	Ubuntu 16.04 LTS : LibreOffice vulnerability (USN-3022-1)	Nessus	Ubuntu Local Security Checks	6/30/2016	8/27/2024	high
92704	Debian DLA-581-1 : libreoffice security update	Nessus	Debian Local Security Checks	8/4/2016	1/29/2026	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high

high