-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-05
* Released on: 6 August 2012
* Last updated on: 27 August 2012
* Affected product: LibreOffice < 3.5.5
                    Apache OpenOffice < 3.4.1
* Impact: code execution
* Origin: encrypted office files
* CVSS Base Score: 9.3
  Impact Subscore: 10
  Exploitability Subscore: 8.6
  CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2665

Summary
-------

Multiple issues have been identified in LibreOffice / OpenOffice that
allow arbitrary code execution via specially crafted office files.

Elements outside expected parent elements
-----------------------------------------

Initially, the aSequence attribute of a ManifestImport instance has no
memory allocated for PropertyValue elements.
ManifestImport::startElement() (re)allocates memory when a
"manifest:file-entry" XML element is encountered in the manifest file.
The property values are, for example, accessed when a
"manifest:encryption-data" XML element is found. If such elements are
located outside the expected parent element "manifest:file-entry",
ManifestImport::startElement() accesses aSequence out of bounds.

Writes beyond fixed size buffer
-------------------------------

ManifestImport::startElement() allocates memory for 12
(= PKG_SIZE_ENCR_MNFST) PropertyValue elements. If a
"manifest:file-entry" XML element has child elements that cause
startElement() to access more than 12 PropertyValues, startElement()
accesses aSequence out of bounds.

Base64Codec::decodeBase64()
---------------------------

ManifestImport::startElement() calls Base64Codec::decodeBase64() to
decode the XML attributes for checksums, initialization vectors, and
salt values. Base64Codec::decodeBase64() implicitly assumes that the
source buffer sBuffer contains a number of characters divisible by 4.
If this is not the case, the called method FourByteToThreeByte() writes
up to 3 bytes past a buffer allocated on the heap.

Solution
--------

These issues have been fixed in LibreOffice 3.5.5 and Apache
OpenOffice 3.4.1.

References
----------

http://www.libreoffice.org/advisories/CVE-2012-2665/
https://bugzilla.redhat.com/show_bug.cgi?id=826077

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-05.txt

ChangeLog
---------

* 27 Aug 2012 - Apache OpenOffice 3.4.1, which fixes the
  vulnerabilities, was released on 23 August 2012.

Contact
-------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)

iQEcBAEBCAAGBQJQOzOoAAoJEI9qFXJ0Ecg6tc0H/3RK2NYP3KvAeJw1rjnOlJ7Q
w9ahFk6AkuwH8LUx682FPNNSqN3+yqoNnEA6XI7MVHIg07ZhvLncg7QTmIUA9ms0
oQrb0EZEGNeXH+PSn4lf7D+cXzE7nh2P+YtCmOk3kTixJfHPR8mr7kBmQH3xWehf
kaSaXQBC8wm/L1fhNl8WEnDCMHbn2274IlEa5+IjWD/a+r9qveW28KxgJqGzlmuh
Fm2CmwGAPthSlPha2L+9j9KCPdsQ+shWZhUZJ32BoYNs8ik90X+b6mEqh7IzJNpZ
2Fphuj4Tx2cmBEcwgnyYV+fEHoAnfm6GyHAqmOk5j/NHMhbQENr9TT/Vum7VAF8=
=Y+RR
-----END PGP SIGNATURE-----
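The three defects in the advisory above reduce to bounds checks that a manifest parser must perform before it indexes a fixed-size sequence or consumes a 4-character base64 group. The C sketch below is an added example appended after the advisory; it is not LibreOffice or OpenOffice code. The names ManifestState, manifest_start_element, manifest_end_element, base64_decode_checked and MAX_ENTRY_PROPS are hypothetical, and MAX_ENTRY_PROPS only mirrors the value 12 the advisory gives for PKG_SIZE_ENCR_MNFST. It shows the parent-element check, the capacity check on the 12-slot sequence, and the length check a group-of-4 decoder needs, each rejecting the input instead of indexing past the end. The sample inputs in main() are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mirror of PKG_SIZE_ENCR_MNFST: capacity of the per-entry
 * PropertyValue sequence the advisory describes. */
#define MAX_ENTRY_PROPS 12

typedef struct {
    bool        in_file_entry;           /* inside a manifest:file-entry? */
    size_t      nprops;                  /* slots used for current entry */
    const char *props[MAX_ENTRY_PROPS];  /* fixed-size sequence */
} ManifestState;

/* Hypothetical start-tag handler standing in for startElement().
 * Returns 0 if the element is accepted, -1 if the manifest is rejected. */
int manifest_start_element(ManifestState *st, const char *name)
{
    if (strcmp(name, "manifest:file-entry") == 0) {
        if (st->in_file_entry)
            return -1;                   /* nested file-entry: malformed */
        st->in_file_entry = true;
        st->nprops = 0;                  /* (re)initialise the sequence */
        return 0;
    }
    /* Check 1: children such as manifest:encryption-data only have a
     * sequence to write into below a file-entry; outside it, reject. */
    if (!st->in_file_entry)
        return -1;
    /* Check 2: never store more than MAX_ENTRY_PROPS children. */
    if (st->nprops >= MAX_ENTRY_PROPS)
        return -1;
    st->props[st->nprops++] = name;
    return 0;
}

/* Hypothetical end-tag handler: leaving a file-entry drops its sequence. */
void manifest_end_element(ManifestState *st, const char *name)
{
    if (strcmp(name, "manifest:file-entry") == 0) {
        st->in_file_entry = false;
        st->nprops = 0;
    }
}

static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Check 3: a decoder that turns 4 input characters into 3 output bytes
 * validates the length before the loop. Returns the decoded length, or -1
 * on malformed input; writes at most out_cap bytes. */
long base64_decode_checked(const char *in, size_t in_len,
                           uint8_t *out, size_t out_cap)
{
    if (in_len % 4 != 0)                 /* the check the advisory lacks */
        return -1;
    if (out_cap < (in_len / 4) * 3)      /* worst-case output size */
        return -1;
    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        uint32_t acc = 0;
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {              /* only in last 2 slots of last group */
                if (i + 4 != in_len || k < 2)
                    return -1;
                pad++;
                acc <<= 6;
            } else {
                int v = b64_value(c);
                if (pad || v < 0)        /* data after '=' or bad character */
                    return -1;
                acc = (acc << 6) | (uint32_t)v;
            }
        }
        out[o++] = (uint8_t)(acc >> 16);
        if (pad < 2) out[o++] = (uint8_t)(acc >> 8);
        if (pad < 1) out[o++] = (uint8_t)acc;
    }
    return (long)o;
}

int main(void)
{
    /* Constructed sample: a stray encryption-data element with no
     * enclosing file-entry, and a 7-character (non-multiple-of-4) value. */
    ManifestState st = {0};
    uint8_t buf[16];
    printf("stray element: %d\n",
           manifest_start_element(&st, "manifest:encryption-data"));
    printf("decode 7 chars: %ld\n",
           base64_decode_checked("aGVsbG8", 7, buf, sizeof buf));
    return 0;
}
```

Both rejections happen before any index into props or out is computed, which is the property the fixed releases need: the parser's state, not the attacker-controlled manifest, decides how many slots exist.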