Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted element in an OOXML document file.

This update fixes memory corruption vulnerability in DOCM import and data exposure using crafted OLE objects.

LibreOffice was updated to version 4.0.3.3.26. (SUSE 4.0-patch26, tag suse-4.0-26, based on upstream 4.0.3.3).

Two security issues have been fixed :

  - DOCM memory corruption vulnerability. (CVE-2013-4156,     bnc#831578)

  - Data exposure using crafted OLE objects. (CVE-2014-3575,     bnc#893141) The following non-security issues have been     fixed :

  - chart shown flipped. (bnc#834722)

  - chart missing dataset. (bnc#839727)

  - import new line in text. (bnc#828390)

  - lines running off screens. (bnc#819614)

  - add set-all language menu. (bnc#863021)

  - text rotation. (bnc#783433, bnc#862510)

  - page border shadow testcase. (bnc#817956)

  - one more clickable field fix. (bnc#802888)

  - multilevel labels are rotated. (bnc#820273)

  - incorrect nested table margins. (bnc#816593)

  - use BitmapURL only if its valid. (bnc#821567)

  - import gradfill for text colors. (bnc#870234)

  - fix undo of paragraph attributes. (bnc#828598)

  - stop-gap solution to avoid crash. (bnc#830205)

  - import images with duotone filter. (bnc#820077)

  - missing drop downs for autofilter. (bnc#834705)

  - typos in first page style creation. (bnc#820836)

  - labels wrongly interpreted as dates. (bnc#834720)

  - RTF import of fFilled shape property. (bnc#825305)

  - placeholders text size is not correct. (bnc#831457)

  - cells value formatted with wrong output. (bnc#821795)

  - RTF import of freeform shape coordinates. (bnc#823655)

  - styles (rename &amp;) copy to different decks.
    (bnc#757432)

  - XLSX Chart import with internal data table. (bnc#819822)

  - handle M.d.yyyy date format in DOCX import. (bnc#820509)

  - paragraph style in empty first page header. (bnc#823651)

  - copying slides having same master page name.
    (bnc#753460)

  - printing handouts using the default, 'Order'.
    (bnc#835985)

  - wrap polygon was based on dest size of picture.
    (bnc#820800)

  - added common flags support for SEQ field import.
    (bnc#825976)

  - hyperlinks of illustration index in DOCX export.
    (bnc#834035)

  - allow insertion of redlines with an empty author.
    (bnc#837302)

  - handle drawinglayer rectangle inset in VML import.
    (bnc#779642)

  - don't apply complex font size to non-complex font.
    (bnc#820819)

  - issue with negative seeks in win32 shell extension.
    (bnc#829017)

  - slide appears quite garbled when imported from PPTX.
    (bnc#593612)

  - initial MCE support in writerfilter ooxml tokenizer.
    (bnc#820503)

  - MSWord uses \xb for linebreaks in DB fields, take 2.
    (bnc#878854)

  - try harder to convert floating tables to text frames.
    (bnc#779620)

  - itemstate in parent style incorrectly reported as set.
    (bnc#819865)

  - default color hidden by Default style in writerfilter.
    (bnc#820504)

  - DOCX document crashes when using internal OOXML filter.
    (bnc#382137)

  - ugly workaround for external leading with symbol fonts.
    (bnc#823626)

  - followup fix for exported xlsx causes errors for     mso2007. (bnc#823935)

  - we only support simple labels in the     InternalDataProvider. (bnc#864396)

  - RTF import: fix import of numbering bullet associated     font. (bnc#823675)

  - page specific footer extended to every pages in DOCX     export. (bnc#654230)

  - v:textbox mso-fit-shape-to-text style property in VML     import. (bnc#820788)

  - w:spacing in a paragraph should also apply to as-char     objects. (bnc#780044)

  - compatibility setting for MS Word wrapping text in less     space. (bnc#822908)

  - fix SwWrtShell::SelAll() to work with empty table at doc     start (bnc#825891)

A version of LibreOffice prior to 3.6.7 / 4.0.4 / 4.1.0 is installed on the remote Mac OS X host. It is, therefore, reportedly affected by a denial of service vulnerability.

A flaw exists in the .docm import filter that could cause a NULL dereference. This could allow a remote attacker with a specially crafted file to crash the application upon loading.

Note that Nessus has not attempted to exploit this issue, but has instead relied only on the self-reported version number.

A version of LibreOffice prior to 3.6.7 / 4.0.4 / 4.1.0 is installed on the remote Windows host. It is, therefore, reportedly affected by a denial of service vulnerability.

A flaw exists in the .docm import filter that could cause a NULL dereference. This could allow a remote attacker with a specially crafted file to crash the application upon loading.

Note that Nessus has not attempted to exploit this issue, but has instead relied only on the self-reported version number.

The version of Apache OpenOffice installed on the remote host is prior to 4.0. It is, therefore, affected by memory corruption vulnerabilities related to the handling of PLCF (Plex of Character Positions in File) data and unknown XML elements in OOXML files. This can lead to application crashes and, potentially, other unspecified impacts.

ID	Name	Product	Family	Severity
77693	openSUSE Security Update : LibreOffice (openSUSE-SU-2014:1126-1)	Nessus	SuSE Local Security Checks	medium
77663	SuSE 11.3 Security Update : LibreOffice (SAT Patch Number 9677)	Nessus	SuSE Local Security Checks	medium
73335	LibreOffice < 3.6.7 / 4.0.4 / 4.1.0 .docm Import DoS (Mac OS X)	Nessus	MacOS X Local Security Checks	medium
73334	LibreOffice < 3.6.7 / 4.0.4 / 4.1.0 .docm Import DoS	Nessus	Windows	medium
69185	Apache OpenOffice < 4.0 Multiple Memory Corruption Vulnerabilities	Nessus	Windows	medium

Detections

Analytics

CVE-2013-4156

high

Tenable Plugins

medium

medium

medium

medium

medium