Use-after-free vulnerability in LibreOffice before 5.1.4 allows remote attackers to execute arbitrary code via a crafted RTF file, related to stylesheet and superscript tokens.

The remote host is affected by the vulnerability described in GLSA-201611-03 (LibreOffice, OpenOffice: Multiple vulnerabilities)

    Multiple vulnerabilities have been found in both LibreOffice and       OpenOffice.  Please review the referenced CVE&rsquo;s for specific       information regarding each.
  Impact :

    Remote attackers could obtain sensitive information, cause a Denial of       Service condition, or execute arbitrary code.
  Workaround :

    There is no known work around at this time.

LibreOffice was updated to version 5.1.5.2, bringing enhancements and bug fixes.

  - CVE-2016-4324: Parsing the Rich Text Format character     style index was insufficiently checked for validity.
    Documents could be constructed which dereference an     iterator to the first entry of an empty STL container.
    (bsc#987553)

  - Don't use 'nullable' for introspection, as it isn't     available on SLE 12's version of gobject-introspection.
    This prevents a segmentation fault in gnome-documents.
    (bsc#1000102)

This update was imported from the SUSE:SLE-12:Update update project.

LibreOffice was updated to version 5.1.5.2, bringing enhancements and bug fixes.

  - CVE-2016-4324: Parsing the Rich Text Format character     style index was insufficiently checked for validity.
    Documents could be constructed which dereference an     iterator to the first entry of an empty STL container.
    (bsc#987553)

  - Don't use 'nullable' for introspection, as it isn't     available on SLE 12's version of gobject-introspection.
    This prevents a segmentation fault in gnome-documents.
    (bsc#1000102)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Aleksandar Nikolic discovered that missing input sanitising in the RTF parser in Libreoffice may result in the execution of arbitrary code if a malformed documented is opened.

For Debian 7 'Wheezy', these problems have been fixed in version 1:3.5.4+dfsg2-0+deb7u7.

We recommend that you upgrade your libreoffice packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Talos reports :

An exploitable Use After Free vulnerability exists in the RTF parser LibreOffice. A specially crafted file can cause a use after free resulting in a possible arbitrary code execution. To exploit the vulnerability a malicious file needs to be opened by the user via vulnerable application.

Security fix for CVE-2016-4324

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of LibreOffice installed on the remote macOS or Mac OS X host is prior to 5.1.4. It is, therefore, affected by a use-after-free error due to improper handling of the character style index when parsing RTF files. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted RTF file, to execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of LibreOffice installed on the remote Windows host is prior to 5.1.4. It is, therefore, affected by a use-after-free error during Rich Text Format (RTF) file parsing due to improper validation of the RTF character style index. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted RTF file, to execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3022-1 advisory.

    It was discovered that LibreOffice incorrectly handled RTF document files. If a user were tricked into     opening a specially crafted RTF document, a remote attacker could cause LibreOffice to crash, and possibly     execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Aleksandar Nikolic discovered that missing input sanitising in the RTF parser in Libreoffice may result in the execution of arbitrary code if a malformed documented is opened.

ID	Name	Product	Family	Severity
94594	GLSA-201611-03 : LibreOffice, OpenOffice: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
94088	openSUSE Security Update : libreoffice (openSUSE-2016-1192)	Nessus	SuSE Local Security Checks	high
93910	SUSE SLED12 Security Update : libreoffice (SUSE-SU-2016:2472-1)	Nessus	SuSE Local Security Checks	high
92704	Debian DLA-581-1 : libreoffice security update	Nessus	Debian Local Security Checks	high
92340	FreeBSD : libreoffice -- use-after-free vulnerability (3159cd70-4aaa-11e6-a7bd-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high
92302	Fedora 23 : 1:libreoffice (2016-f0552e1341)	Nessus	Fedora Local Security Checks	high
91975	LibreOffice < 5.1.4 RTF Character Style Index RCE (macOS)	Nessus	MacOS X Local Security Checks	high
91974	LibreOffice < 5.1.4 RTF Character Style Index RCE	Nessus	Windows	high
91893	Ubuntu 16.04 LTS : LibreOffice vulnerability (USN-3022-1)	Nessus	Ubuntu Local Security Checks	high
91891	Debian DSA-3608-1 : libreoffice - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2016-4324

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high