Multiple heap-based buffer overflows in the XML manifest encryption tag parsing functionality in OpenOffice.org and LibreOffice before 3.5.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Open Document Text (.odt) file with (1) a child tag within an incorrect parent tag, (2) duplicate tags, or (3) a Base64 ChecksumAttribute whose length is not evenly divisible by four.

The remote host is affected by the vulnerability described in GLSA-201408-19 (OpenOffice, LibreOffice: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenOffice and       Libreoffice. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to open a specially crafted file       using OpenOffice, possibly resulting in execution of arbitrary code with       the privileges of the process, a Denial of Service condition, execution       of arbitrary Python code, authentication bypass, or reading and writing       of arbitrary files.
  Workaround :

    There is no known workaround at this time.

From Red Hat Security Advisory 2012:1135 :

Updated libreoffice packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

LibreOffice is an open source, community-developed office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program.

Multiple heap-based buffer overflow flaws were found in the way LibreOffice processed encryption information in the manifest files of OpenDocument Format files. An attacker could provide a specially crafted OpenDocument Format file that, when opened in a LibreOffice application, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-2665)

Upstream acknowledges Timo Warns as the original reporter of these issues.

All LibreOffice users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
All running instances of LibreOffice applications must be restarted for this update to take effect.

The version of IBM Lotus Symphony is a version prior to 3.0.1 Fix Pack 2.  Such versions are affected by multiple vulnerabilities :

  - Flaws exist in the way certain XML components are     processed for external entities in ODF documents.
    These flaws can be utilized to access and inject the     content of local files into an ODF document without a     user's knowledge or permission, or inject arbitrary code     that would be executed when opened by the user.
    (CVE-2012-0037)

  - An integer overflow error exists in 'vclmi.dll' that     can allow heap-based buffer overflows when handling     embedded image objects. (CVE-2012-1149)

  - Memory checking errors exist in     'filter/source/msfilter msdffimp.cxx' that can be     triggered when processing PowerPoint graphics records.
    These errors can allow denial of service attacks.
    (CVE-2012-2334)

  - Errors exist related to XML tag handling and base64     decoding that can lead to heap-based buffer overflows.
    (CVE-2012-2665)

The remote host is affected by the vulnerability described in GLSA-201209-05 (LibreOffice: Multiple vulnerabilities)

    Multiple vulnerabilities have been found in LibreOffice:
      The Microsoft Word Document parser contains an out-of-bounds read         error (CVE-2011-2713).
      The Raptor RDF parser contains an XML External Entity expansion error         (CVE-2012-0037).
      The graphic loading parser contains an integer overflow error which         could cause a heap-based buffer overflow (CVE-2012-1149).
      Multiple errors in the XML manifest handling code could cause a         heap-based buffer overflow (CVE-2012-2665).
  Impact :

    A remote attacker could entice a user to open a specially crafted       document file using LibreOffice, possibly resulting in execution of       arbitrary code with the privileges of the process or a Denial of Service       condition.
  Workaround :

    There is no known workaround at this time.

A Security issue was identified and fixed in libreoffice :

Multiple heap-based buffer overflow flaws were found in the XML manifest encryption tag parsing code of LibreOffice. An attacker could create a specially crafted file in the Open Document Format for Office Applications (ODF) format which when opened could cause arbitrary code execution (CVE-2012-2665).

libreoffice for Mandriva Linux 2011 has been upgraded to the 3.5.5 version which is not vulnerable to this issue.

The version of Apache OpenOffice installed on the remote host is prior to 3.4.1. It is, therefore, affected by multiple heap-based buffer overflow vulnerabilities related to XML manifest handling :

  - An error exists related to handling the XML tag     hierarchy.

  - A boundary error exists when handling the duplication     of certain unspecified XML tags.

  - An error exists in the base64 decoder related to XML     export actions.

It was discovered that OpenOffice.org incorrectly handled certain encryption tags in Open Document Text (.odt) files. If a user were tricked into opening a specially crafted file, an attacker could cause OpenOffice.org to crash or possibly execute arbitrary code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that LibreOffice incorrectly handled certain encryption tags in Open Document Text (.odt) files. If a user were tricked into opening a specially crafted file, an attacker could cause LibreOffice to crash or possibly execute arbitrary code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple heap-based buffer overflow flaws were found in the XML manifest encryption tag parsing code of LibreOffice. An attacker could create a specially crafted file in the Open Document Format for Office Applications (ODF) format which when opened could cause arbitrary code execution.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A version of LibreOffice prior to 3.5.5 is installed on the remote Mac OS X host.  It is, therefore, reportedly affected by multiple heap-based buffer overflow vulnerabilities related to XML manifest handling :

  - An error exists related to handling the XML tag     hierarchy.

  - A boundary error exists when handling the duplication     of certain unspecified XML tags.

  - An error exists in the base64 decoder related to XML     export actions.

A version of LibreOffice prior to 3.5.5 is installed on the remote Windows host.  It is, therefore, reportedly affected by multiple heap-based buffer overflow vulnerabilities related to XML manifest handling :

  - An error exists related to handling the XML tag     hierarchy.

  - A boundary error exists when handling the duplication     of certain unspecified XML tags.

  - An error exists in the base64 decoder related to XML     export actions.

OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program.

Multiple heap-based buffer overflow flaws were found in the way OpenOffice.org processed encryption information in the manifest files of OpenDocument Format files. An attacker could provide a specially crafted OpenDocument Format file that, when opened in an OpenOffice.org application, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-2665)

All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
All running instances of OpenOffice.org applications must be restarted for this update to take effect.

LibreOffice is an open source, community-developed office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program.

Multiple heap-based buffer overflow flaws were found in the way LibreOffice processed encryption information in the manifest files of OpenDocument Format files. An attacker could provide a specially crafted OpenDocument Format file that, when opened in a LibreOffice application, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-2665)

All LibreOffice users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
All running instances of LibreOffice applications must be restarted for this update to take effect.

Timo Warns from PRE-CERT discovered multiple heap-based buffer overflows in OpenOffice.org, an office productivity suite. The issues lies in the XML manifest encryption tag parsing code. Using specially crafted files, an attacker can cause application crash and could cause arbitrary code execution.

Updated openoffice.org packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program.

Multiple heap-based buffer overflow flaws were found in the way OpenOffice.org processed encryption information in the manifest files of OpenDocument Format files. An attacker could provide a specially crafted OpenDocument Format file that, when opened in an OpenOffice.org application, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-2665)

Upstream acknowledges Timo Warns as the original reporter of these issues.

All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
All running instances of OpenOffice.org applications must be restarted for this update to take effect.

Updated libreoffice packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

LibreOffice is an open source, community-developed office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program.

Multiple heap-based buffer overflow flaws were found in the way LibreOffice processed encryption information in the manifest files of OpenDocument Format files. An attacker could provide a specially crafted OpenDocument Format file that, when opened in a LibreOffice application, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-2665)

Upstream acknowledges Timo Warns as the original reporter of these issues.

All LibreOffice users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
All running instances of LibreOffice applications must be restarted for this update to take effect.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2012:1135 advisory.

  - openoffice.org, libreoffice: Multiple heap-based buffer overflows in the XML manifest encryption handling     code (CVE-2012-2665)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
77467	GLSA-201408-19 : OpenOffice, LibreOffice: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
68591	Oracle Linux 6 : libreoffice (ELSA-2012-1135)	Nessus	Oracle Linux Local Security Checks	high
63266	IBM Lotus Symphony < 3.0.1 Fix Pack 2 Multiple Vulnerabilities	Nessus	Windows	high
62286	GLSA-201209-05 : LibreOffice: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
61973	Mandriva Linux Security Advisory : libreoffice (MDVSA-2012:123)	Nessus	Mandriva Local Security Checks	high
61731	Apache OpenOffice < 3.4.1 Multiple Heap-Based Buffer Overflows	Nessus	Windows	high
61526	Ubuntu 10.04 LTS : openoffice.org vulnerability (USN-1537-1)	Nessus	Ubuntu Local Security Checks	high
61525	Ubuntu 11.04 / 11.10 / 12.04 LTS : libreoffice vulnerability (USN-1536-1)	Nessus	Ubuntu Local Security Checks	high
61498	Fedora 16 : libreoffice-3.4.5.2-18.fc16 (2012-11402)	Nessus	Fedora Local Security Checks	high
61433	LibreOffice < 3.5.5 Multiple Heap-Based Buffer Overflows (Mac OS X)	Nessus	MacOS X Local Security Checks	high
61432	LibreOffice < 3.5.5 Multiple Heap-Based Buffer Overflows	Nessus	Windows	high
61410	Scientific Linux Security Update : openoffice.org on SL5.x i386/x86_64 (20120801)	Nessus	Scientific Linux Local Security Checks	high
61409	Scientific Linux Security Update : libreoffice on SL6.x i386/x86_64 (20120801)	Nessus	Scientific Linux Local Security Checks	high
61401	Debian DSA-2520-1 : openoffice.org - Multiple heap-based buffer overflows	Nessus	Debian Local Security Checks	high
61398	CentOS 5 : openoffice.org (CESA-2012:1136)	Nessus	CentOS Local Security Checks	high
61397	CentOS 6 : libreoffice (CESA-2012:1135)	Nessus	CentOS Local Security Checks	high
61390	RHEL 5 : openoffice.org (RHSA-2012:1136)	Nessus	Red Hat Local Security Checks	high
61389	RHEL 6 : libreoffice (RHSA-2012:1135)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2012-2665

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high