PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-05
* Released on: 6 August 2012
* Affected product: LibreOffice < 3.5.5
                    Apache OpenOffice <= 3.4.0
* Impact: code execution
* Origin: encrypted office files
* CVSS Base Score: 9.3
  Impact Subscore: 10
  Exploitability Subscore: 8.6
  CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2665

Summary
-------

Multiple issues have been identified in LibreOffice / OpenOffice that allow arbitrary code execution via specially crafted office files.

Elements outside expected parent elements
-----------------------------------------

Initially, the aSequence attribute of a ManifestImport instance has no memory allocated for PropertyValue elements. ManifestImport::startElement() (re)allocates memory when a "manifest:file-entry" XML element is encountered in the manifest file. The property values are, for example, accessed when a "manifest:encryption-data" XML element is found. If such elements are located outside the expected parent element "manifest:file-entry", ManifestImport::startElement() accesses aSequence out of bounds.

Writes beyond fixed size buffer
-------------------------------

ManifestImport::startElement() allocates memory for 12 (= PKG_SIZE_ENCR_MNFST) PropertyValue elements. If a "manifest:file-entry" XML element has child elements that cause startElement() to access more than 12 PropertyValues, startElement() accesses aSequence out of bounds.

Base64Codec::decodeBase64()
---------------------------

ManifestImport::startElement() calls Base64Codec::decodeBase64() to decode the XML attributes for checksums, initialization vectors, and salt values. Base64Codec::decodeBase64() implicitly assumes that the source buffer sBuffer contains a number of characters divisible by 4. If this is not the case, the called method FourByteToThreeByte() writes up to 3 bytes past a buffer allocated on the heap.
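The following decoder illustrates the length validation that the advisory describes as missing. It is an added example, not LibreOffice's Base64Codec; the name decodeBase64Checked and the std::optional return type are assumptions of this illustration.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Maps one base64 alphabet character to its 6-bit value, or -1 if invalid.
static int decodeChar(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Hardened decoder (illustration, not the project's code): the input must be
// a whole number of 4-character groups, padding may only close the last group,
// and output goes into a vector sized from the validated input, so no write
// can run past the buffer. Malformed input yields std::nullopt, not a partial decode.
std::optional<std::vector<uint8_t>> decodeBase64Checked(const std::string& in) {
    if (in.size() % 4 != 0) return std::nullopt;   // the check the advisory describes as missing
    std::vector<uint8_t> out;
    out.reserve(in.size() / 4 * 3);
    for (std::size_t i = 0; i < in.size(); i += 4) {
        uint32_t acc = 0;
        int chars = 0;          // non-padding characters in this group
        bool seenPad = false;
        for (std::size_t j = 0; j < 4; ++j) {
            char c = in[i + j];
            if (c == '=') {
                // '=' is only legal in positions 3 and 4 of the final group
                if (i + 4 != in.size() || j < 2) return std::nullopt;
                seenPad = true;
                acc <<= 6;
                continue;
            }
            if (seenPad) return std::nullopt;   // data after padding
            int v = decodeChar(c);
            if (v < 0) return std::nullopt;
            acc = (acc << 6) | static_cast<uint32_t>(v);
            ++chars;
        }
        // 4 chars -> 3 bytes, 3 -> 2, 2 -> 1; never more than reserved
        out.push_back(static_cast<uint8_t>(acc >> 16));
        if (chars > 2) out.push_back(static_cast<uint8_t>(acc >> 8));
        if (chars > 3) out.push_back(static_cast<uint8_t>(acc));
    }
    return out;
}
```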
Solution
--------

The issue has been fixed in LibreOffice 3.5.5. An update to Apache OpenOffice is pending.

References
----------

http://www.libreoffice.org/advisories/CVE-2012-2665/
https://bugzilla.redhat.com/show_bug.cgi?id=826077

When further information becomes available, this advisory will be updated. The most recent version of this advisory is available at: http://www.pre-cert.de/advisories/PRE-SA-2012-05.txt

Contact
-------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key information, refer to http://www.pre-cert.de/.