[PRE-SA-2012-05] Multiple heap-based buffer overflows in LibreOffice- / OpenOffice

From: Timo Warns <warns@pre-sense.de>
To: full-disclosure@lists.grok.org.uk,bugtraq@securityfocus.com
Subject: [PRE-SA-2012-05] Multiple heap-based buffer overflows in LibreOffice- / OpenOffice

PRE-CERT Security Advisory

* Advisory: PRE-SA-2012-05
* Released on: 6 August 2012
* Affected product: LibreOffice < 3.5.5
                    Apache OpenOffice <= 3.4.0
* Impact: code execution
* Origin: encrypted office files
* CVSS Base Score: 9.3
    Impact Subscore: 10
    Exploitability Subscore: 8.6
  CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2665


Multiple issues have been identified in LibreOffice / OpenOffice that
allow execution of arbitrary code via specially crafted office files.

    Elements outside expected parent elements

    Initially, the aSequence attribute of a ManifestImport instance has
    no memory allocated for PropertyValue elements.
    ManifestImport::startElement() (re)allocates memory when
    a "manifest:file-entry" XML element is encountered in the manifest
    file. The property values are, for example, accessed when
    a "manifest:encryption-data" XML element is found. If such
    elements are located outside an expected parent element
    "manifest:file-entry", ManifestImport::startElement() accesses
    aSequence out-of-bounds.

    Writes beyond fixed size buffer

    ManifestImport::startElement() allocates memory for 12 (=
    PKG_SIZE_ENCR_MNFST) PropertyValue elements. If
    a "manifest:file-entry" XML element has child elements that cause
    startElement() to access more than 12 PropertyValues, startElement()
    accesses aSequence out-of-bounds.


    ManifestImport::startElement() calls Base64Codec::decodeBase64() to
    decode the XML attributes for checksums, initialization vectors, and
    salt values. Base64Codec::decodeBase64() implicitly assumes that the
    source buffer sBuffer contains a number of characters divisible by 4.
    If this is not the case, the called method FourByteToThreeByte()
    writes up to 3 bytes past a buffer allocated on the heap.
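The capacity mistake described above, illustrated by an added example that is not code from LibreOffice or OpenOffice: naive_decoded_size() mirrors the divisible-by-4 assumption, while b64_decoded_size() and b64_decode() size the output from the actual input length, reject a one-character remainder, and refuse to write past the caller's buffer. All function names are my own.

```c
#include <stddef.h>
#include <string.h>
/* Map one Base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}
/* The assumption the advisory describes: capacity derived from whole 4-char
 * groups only. For a 7-character unpadded input this yields 3, yet decoding
 * emits 5 bytes, so a decoder that trusts this size overruns the buffer. */
size_t naive_decoded_size(size_t n) { return (n / 4) * 3; }
/* Correct capacity: 3 bytes per full group plus 1 or 2 bytes for a trailing
 * group of 2 or 3 characters. A remainder of 1 is never valid Base64, so it
 * is reported as -1. Trailing '=' padding is stripped before counting. */
long b64_decoded_size(const char *s, size_t n)
{
    while (n > 0 && s[n - 1] == '=') n--;
    size_t rem = n % 4;
    if (rem == 1) return -1;
    return (long)((n / 4) * 3 + (rem ? rem - 1 : 0));
}
/* Decode s[0..n) into out without ever writing past out_cap bytes.
 * Returns the number of bytes written, or -1 on invalid input or when the
 * caller's buffer is too small (the check a size-assuming decoder lacks). */
long b64_decode(const char *s, size_t n, unsigned char *out, size_t out_cap)
{
    long need = b64_decoded_size(s, n);
    if (need < 0 || (size_t)need > out_cap) return -1;
    while (n > 0 && s[n - 1] == '=') n--;
    size_t written = 0; unsigned int acc = 0; int bits = 0;
    for (size_t i = 0; i < n; i++) {
        int v = b64_val(s[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;   /* accumulate 6 bits per char */
        bits += 6;
        if (bits >= 8) {                      /* one full output byte ready */
            bits -= 8;
            out[written++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;          /* keep only the leftover bits */
        }
    }
    return (long)written;
}
```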


The issue has been fixed in LibreOffice 3.5.5.
An update to Apache OpenOffice is pending.



When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:



PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.
