[PRE-SA-2012-05] Multiple heap-based buffer overflows in LibreOffice / OpenOffice Aug 10 2012 07:58AM
Timo Warns (warns pre-sense de)
PRE-CERT Security Advisory

* Advisory: PRE-SA-2012-05
* Released on: 6 August 2012
* Affected product: LibreOffice < 3.5.5
Apache OpenOffice <= 3.4.0
* Impact: code execution
* Origin: encrypted office files
* CVSS Base Score: 9.3
Impact Subscore: 10
Exploitability Subscore: 8.6
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2665


Multiple issues have been identified in LibreOffice / OpenOffice that
allow arbitrary code execution via specially crafted office files.

Elements outside expected parent elements

Initially, the aSequence member of a ManifestImport instance has no
memory allocated for PropertyValue elements.
ManifestImport::startElement() (re)allocates that memory when
a "manifest:file-entry" XML element is encountered in the manifest
file. The property values are accessed, for example, when
a "manifest:encryption-data" XML element is found. If such an
element is located outside its expected parent element
"manifest:file-entry", ManifestImport::startElement() accesses
aSequence out of bounds.

Writes beyond fixed size buffer

ManifestImport::startElement() allocates memory for 12 (=
PKG_SIZE_ENCR_MNFST) PropertyValue elements. If
a "manifest:file-entry" XML element has child elements that cause
startElement() to access more than 12 PropertyValues, startElement()
accesses aSequence out of bounds.
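Both out-of-bounds conditions above reduce to two missing checks on the same fixed-size sequence: whether a "manifest:file-entry" parent has allocated it at all, and whether the next PropertyValue still fits. The following C model, added here and not taken from LibreOffice, replays constructed manifest element events through a hardened startElement() that performs both checks. The SAX-style event list, the handler and field names, and the simplification of one PropertyValue per child element are assumptions made for this example; the capacity of 12 mirrors PKG_SIZE_ENCR_MNFST from the advisory.

```c
/* Model of the ManifestImport::startElement() handling behind the first two
 * issues above. Added for this page; not LibreOffice code. The SAX-style event
 * stream, the handler and field names and "one PropertyValue per child element"
 * are simplifying assumptions made here; 12 mirrors PKG_SIZE_ENCR_MNFST. */
#include <string.h>

#define PKG_SIZE_ENCR_MNFST 12

enum { EV_START, EV_END };
typedef struct { int kind; const char *name; } sax_event;

typedef struct {
    int in_file_entry;                       /* inside <manifest:file-entry>? */
    size_t count;                            /* PropertyValues filled so far */
    const char *props[PKG_SIZE_ENCR_MNFST];  /* stands in for aSequence */
} manifest_import;

/* Child elements whose attributes the importer stores as PropertyValues. */
static int stores_property(const char *name)
{
    return strcmp(name, "manifest:encryption-data") == 0
        || strcmp(name, "manifest:algorithm") == 0
        || strcmp(name, "manifest:key-derivation") == 0;
}

/* Hardened startElement(): the sequence exists only inside a file-entry
 * (issue 1) and never grows past its fixed capacity (issue 2).
 * Returns 0, -1 for an orphan element, -2 for too many properties. */
int manifest_start_element(manifest_import *m, const char *name)
{
    if (strcmp(name, "manifest:file-entry") == 0) {
        m->in_file_entry = 1;
        m->count = 0;                                   /* fresh sequence */
        return 0;
    }
    if (stores_property(name)) {
        if (!m->in_file_entry) return -1;               /* nothing allocated */
        if (m->count >= PKG_SIZE_ENCR_MNFST) return -2; /* would write past end */
        m->props[m->count++] = name;
    }
    return 0;
}

/* Replay a constructed event stream. Returns 0 if every event is accepted,
 * else the handler's error code with *bad set to the offending event index. */
int replay(const sax_event *ev, size_t n, size_t *bad)
{
    manifest_import m = { 0, 0, { 0 } };
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_END) {
            if (strcmp(ev[i].name, "manifest:file-entry") == 0) m.in_file_entry = 0;
            continue;
        }
        int rc = manifest_start_element(&m, ev[i].name);
        if (rc != 0) { if (bad) *bad = i; return rc; }
    }
    return 0;
}

/* Constructed manifest: a normal encrypted file-entry. Accepted. */
int well_formed(size_t *bad)
{
    static const sax_event ev[] = {
        { EV_START, "manifest:manifest" },  { EV_START, "manifest:file-entry" },
        { EV_START, "manifest:encryption-data" },
        { EV_START, "manifest:algorithm" }, { EV_END, "manifest:algorithm" },
        { EV_END, "manifest:encryption-data" },
        { EV_END, "manifest:file-entry" },  { EV_END, "manifest:manifest" },
    };
    return replay(ev, sizeof ev / sizeof ev[0], bad);
}

/* Constructed manifest: encryption-data with no file-entry parent (issue 1). */
int orphan_encryption_data(size_t *bad)
{
    static const sax_event ev[] = {
        { EV_START, "manifest:manifest" },
        { EV_START, "manifest:encryption-data" }, { EV_END, "manifest:encryption-data" },
        { EV_END, "manifest:manifest" },
    };
    return replay(ev, sizeof ev / sizeof ev[0], bad);
}

/* Constructed manifest: one file-entry with 13 property-bearing children (issue 2). */
int overfull_file_entry(size_t *bad)
{
    sax_event ev[2 * (PKG_SIZE_ENCR_MNFST + 1) + 4];
    size_t n = 0;
    ev[n++] = (sax_event){ EV_START, "manifest:manifest" };
    ev[n++] = (sax_event){ EV_START, "manifest:file-entry" };
    for (int i = 0; i <= PKG_SIZE_ENCR_MNFST; i++) {       /* 13 children */
        ev[n++] = (sax_event){ EV_START, "manifest:encryption-data" };
        ev[n++] = (sax_event){ EV_END, "manifest:encryption-data" };
    }
    ev[n++] = (sax_event){ EV_END, "manifest:file-entry" };
    ev[n++] = (sax_event){ EV_END, "manifest:manifest" };
    return replay(ev, n, bad);
}

/* Index of the first rejected event in a scenario, or (size_t)-1 if none. */
size_t rejected_at(int (*scenario)(size_t *))
{
    size_t idx = (size_t)-1;
    return scenario(&idx) == 0 ? (size_t)-1 : idx;
}
```

The orphan manifest is rejected at its second event (the "manifest:encryption-data" start with no file-entry open), and the overfull one at the 13th property-bearing child; without the two checks, both would index props[] outside its bounds, which is the out-of-bounds access on aSequence the advisory describes.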

Insufficient length check in Base64 decoding

ManifestImport::startElement() calls Base64Codec::decodeBase64() to
decode the XML attributes carrying checksums, initialization vectors,
and salt values. Base64Codec::decodeBase64() implicitly assumes that
the source buffer sBuffer contains a number of characters divisible
by 4. If this is not the case, the called method FourByteToThreeByte()
writes up to 3 bytes past a buffer allocated on the heap.
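The length assumption shows up in the size arithmetic alone: a decoder that reserves three output bytes per complete group of four input characters, but then converts every started group, writes three bytes past the end whenever the input length is not a multiple of 4. The following C code, added here and not LibreOffice's Base64Codec, reproduces that arithmetic beside a decoder that rejects such input before writing anything. The function names, the padding handling and the sample inputs are assumptions constructed for this example.

```c
/* Model of the Base64Codec::decodeBase64() issue above. Added for this page;
 * not LibreOffice code. The size arithmetic and function names are assumptions
 * that reproduce the behaviour the advisory describes; inputs are constructed. */
#include <stdint.h>
#include <string.h>

/* Output bytes reserved if the decoder assumes n is a multiple of 4:
 * three per complete 4-character group. */
size_t vuln_alloc_size(size_t n) { return (n / 4) * 3; }

/* Output bytes written if every started group, a trailing partial one
 * included, goes through a four-byte-to-three-byte step emitting 3 bytes. */
size_t vuln_bytes_written(size_t n) { return ((n + 3) / 4) * 3; }

/* Heap overrun for an input of n characters: 0 when n % 4 == 0, else 3. */
size_t vuln_overrun(size_t n) { return vuln_bytes_written(n) - vuln_alloc_size(n); }

static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hardened decoder: rejects a length not divisible by 4, misplaced padding
 * and non-alphabet characters, and never writes beyond cap.
 * Returns the decoded length, or -1 on any error. */
long b64_decode_checked(const char *src, size_t n, unsigned char *dst, size_t cap)
{
    if (n == 0) return 0;
    if (n % 4 != 0) return -1;                /* the check the advisory says was missing */

    size_t pad = 0;
    if (src[n - 1] == '=') pad = 1;
    if (pad == 1 && src[n - 2] == '=') pad = 2;
    size_t needed = (n / 4) * 3 - pad;        /* exact output size */
    if (needed > cap) return -1;

    size_t out = 0;
    for (size_t i = 0; i < n; i += 4) {
        uint32_t acc = 0;
        for (size_t j = 0; j < 4; j++) {
            int v = 0;
            if (i + j < n - pad) {            /* '=' is only legal at the tail */
                v = b64_value(src[i + j]);
                if (v < 0) return -1;
            }
            acc = (acc << 6) | (uint32_t)v;
        }
        unsigned char bytes[3] = { (unsigned char)(acc >> 16),
                                   (unsigned char)(acc >> 8),
                                   (unsigned char)acc };
        size_t emit = (i + 4 == n) ? 3 - pad : 3;
        for (size_t k = 0; k < emit; k++) {
            if (out >= cap) return -1;        /* defensive; unreachable after the needed check */
            dst[out++] = bytes[k];
        }
    }
    return (long)out;
}

/* Decode a NUL-terminated string and compare with the expected bytes. */
int b64_decodes_to(const char *src, const char *expect)
{
    unsigned char buf[64];
    long got = b64_decode_checked(src, strlen(src), buf, sizeof buf);
    return got >= 0 && (size_t)got == strlen(expect) && memcmp(buf, expect, (size_t)got) == 0;
}

/* 1 if the checked decoder refuses src given an output buffer of cap bytes. */
int b64_rejects(const char *src, size_t cap)
{
    unsigned char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return b64_decode_checked(src, strlen(src), buf, cap) == -1;
}
```

For a 6-character input the unchecked arithmetic reserves 3 bytes and writes 6, the 3-byte overrun the advisory names; the checked decoder refuses the same input, refuses an output buffer smaller than the exact decoded size, and still decodes correctly padded input ("TWFu", "TWE=", "TQ==") to "Man", "Ma" and "M".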


The issue has been fixed in LibreOffice 3.5.5.
An update to Apache OpenOffice is pending.



When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:



PRE-CERT can be reached at precert (at) pre-secure (dot) de. For PGP key
information, refer to http://www.pre-cert.de/.
