Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 1 Jan 2018 11:35:46 +0100
From: Andrea Pescetti <pescetti@...che.org>
Cc: oss-security@...ts.openwall.com
Subject: Apache OpenOffice 4.1.4 - fixes CVE-2017-3157 CVE-2017-9806
 CVE-2017-12607 CVE-2017-12608

(I'm not subscribed to the list, so please CC me when replying, thanks)

Apache OpenOffice 4.1.5 was released on 30 Dec 2017.

- No security vulnerabilities fixed in this release; listed here just to 
avoid confusion.

Apache OpenOffice 4.1.4 was released on 19 Oct 2017.

- This release contained 4 security fixes that had not been reported to 
this list at release time; they are listed below.


## 1. CVE-2017-3157: Arbitrary file disclosure in Calc and Writer

By exploiting the way OpenOffice renders embedded objects, an attacker 
could craft a document that allows reading in a file from the user's 
filesystem. Information could be retrieved by the attacker by, e.g., 
using hidden sections to store the information, tricking the user into 
saving the document and convincing the user to send the document back to 
the attacker.

The vulnerability is mitigated by the need for the attacker to know the 
precise file path in the target system, and the need to trick the user 
into saving the document and sending it back.

Thanks to Ben Hayak for reporting this issue.


## 2. CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor

A vulnerability in the OpenOffice Writer DOC file parser, and 
specifically in the WW8Fonts Constructor, allows attackers to craft 
malicious documents that cause denial of service (memory corruption and 
application crash) potentially resulting in arbitrary code execution.

Thanks to Marcin 'Icewall' Noga of Cisco Talos for discovering this issue.


## 3. CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter

A vulnerability in OpenOffice's PPT file parser, and specifically in 
PPTStyleSheet, allows attackers to craft malicious documents that cause 
denial of service (memory corruption and application crash) potentially 
resulting in arbitrary code execution.

Thanks to Marcin 'Icewall' Noga of Cisco Talos for discovering this issue.


## 4. CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles

A vulnerability in OpenOffice Writer DOC file parser, and specifically 
in ImportOldFormatStyles, allows attackers to craft malicious documents 
that cause denial of service (memory corruption and application crash) 
potentially resulting in arbitrary code execution.

Thanks to Marcin 'Icewall' Noga of Cisco Talos for discovering this issue.


See https://www.openoffice.org/security/bulletin.html for more information.

Posted by Andrea Pescetti on behalf of the Apache OpenOffice Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.