Date: Fri, 10 Aug 2012 09:58:01 +0200
From: Timo Warns <>
Subject: [PRE-SA-2012-05] Multiple heap-based buffer
 overflows in LibreOffice / OpenOffice

PRE-CERT Security Advisory

* Advisory: PRE-SA-2012-05
* Released on: 6 August 2012
* Affected product: LibreOffice < 3.5.5
                    Apache OpenOffice <= 3.4.0
* Impact: code execution
* Origin: encrypted office files
* CVSS Base Score: 9.3
    Impact Subscore: 10
    Exploitability Subscore: 8.6
  CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2665


Multiple issues have been identified in LibreOffice / OpenOffice that
allow arbitrary code execution via specially crafted office files.

    Elements outside expected parent elements

    Initially, the aSequence attribute of a ManifestImport instance has
    no memory allocated for PropertyValue elements.
    ManifestImport::startElement() (re)allocates memory when
    a "manifest:file-entry" XML element is encountered in the manifest
    file. The property values are, for example, accessed when
    a "manifest:encryption-data" XML element is found. If such
    elements are located outside an expected parent element
    "manifest:file-entry", ManifestImport::startElement() accesses
    aSequence out-of-bounds.

    Writes beyond fixed size buffer

    ManifestImport::startElement() allocates memory for 12 (=
    PKG_SIZE_ENCR_MNFST) PropertyValue elements. If
    a "manifest:file-entry" XML element has child elements that cause
    startElement() to access more than 12 PropertyValues, startElement()
    accesses aSequence out-of-bounds.


    ManifestImport::startElement() calls Base64Codec::decodeBase64() to
    decode the XML attributes for checksums, initialization vectors, and
    salt values. Base64Codec::decodeBase64() implicitly assumes that the
    source buffer sBuffer contains a number of characters divisible by 4.
    If this is not the case, the called method FourByteToThreeByte()
    writes up to 3 bytes past a buffer allocated on the heap.
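
The decoder below is an added example, not code from this advisory or from LibreOffice / OpenOffice. It shows the length precondition from the Base64 issue above enforced explicitly before any output is written; the names decode_base64_checked and b64_value are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Map one base64 character to its 6-bit value, or -1 if outside the alphabet.
static int b64_value(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Hypothetical helper. Returns false and leaves `out` empty on malformed input.
bool decode_base64_checked(const std::string& in, std::vector<std::uint8_t>& out) {
    out.clear();
    // The precondition the vulnerable decoder only assumed: whole 4-character groups.
    if (in.size() % 4 != 0) return false;
    if (in.empty()) return true;
    // Padding may only be the last one or two characters of the final group.
    std::size_t pad = 0;
    while (pad < 2 && in[in.size() - 1 - pad] == '=') pad++;
    const std::size_t n_sym = in.size() - pad;   // number of data characters
    std::vector<std::uint8_t> buf;               // grows itself, no fixed-size target
    buf.reserve(in.size() / 4 * 3 - pad);
    std::uint32_t acc = 0;
    int bits = 0;
    for (std::size_t i = 0; i < n_sym; ++i) {
        int v = b64_value(static_cast<unsigned char>(in[i]));
        if (v < 0) return false;                 // also rejects a misplaced '='
        acc = (acc << 6) | static_cast<std::uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            buf.push_back(static_cast<std::uint8_t>((acc >> bits) & 0xFF));
        }
    }
    out.swap(buf);
    return true;
}

int main() {
    // Constructed sample inputs: two well-formed, two ending in a partial group.
    for (const char* s : {"TWFu", "TQ==", "TWF", "TWFuTQ"}) {
        std::vector<std::uint8_t> o;
        std::printf("%-8s -> %s\n", s, decode_base64_checked(s, o) ? "ok" : "rejected");
    }
}
```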


The issue has been fixed in LibreOffice 3.5.5.
An update to Apache OpenOffice is pending.


When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:


PRE-CERT can be reached under For PGP key
information, refer to
