oss-sec mailing list archives

Re: Kind request to update upstream CVE-2012-2334 advisories to reflect the arbitrary code execution possibility too, and OSS list notification


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 29 May 2012 10:26:46 +0200

On 05/28/2012 05:09 PM, Jan Lieskovsky wrote:
Hello Apache OpenOffice.org, LibreOffice Security Teams, vendors,

originally the CVE-2012-2334 security flaw has been described as follows:
[1] http://www.openoffice.org/security/cves/CVE-2012-2334.html
[2] http://www.libreoffice.org/advisories/cve-2012-2334/

during internal audit of relevant upstream patches:
[3] http://cgit.freedesktop.org/libreoffice/core/commit/?id=28a6558f9d3ca2dda3191f8b5b3f2378ee2533da
[4] http://cgit.freedesktop.org/libreoffice/core/commit/?id=512401decb286ba0fc3031939b8f7de8649c502e

it has been observed by Florian Weimer that the [4] patch also corrected
an integer overflow, present in the SvxMSDffManager::GetFidclData()
routine, which under certain circumstances might lead to the possibility
of arbitrary code execution too.

The updated CVE-2012-2334 flaw description is at:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=821803#c0

This post is intended to serve as a kind request to the OpenOffice.org and
LibreOffice upstreams to update their corresponding advisories
([1], [2]) to reflect this fact.

As for the upstream patches -- upon testing we can confirm that
the original ones were complete, and this is in no way a new security flaw.

But it is something which got corrected upstream in previous release(s), and
whose description should mention the possibility of arbitrary code execution too
in order to properly describe this deficiency.

OpenOffice.org / LibreOffice upstreams - please update your advisories to
reflect this if still possible.

OSS vendors, please note this notification (in case you previously categorized
the fix for the CVE-2012-2334 flaw as something to be postponed due to its lower
impact).

Hello Apache OpenOffice.org, LibreOffice Security Teams, vendors,

  updating the credit information so that it sounds more correct / appropriate:


Credit for the discovery should go to: Florian Weimer of Red Hat

The above should have read as:
"Florian Weimer, Red Hat Product Security Team"

Please use this new / latter form in your advisories.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: Should you need further background details on this, contact me or
Florian off list.