CVE-2016-1513 - Out-of-bounds Read vulnerability in Apache OpenOffice

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, apache, CWE-125, nessus

Summary

The Impress tool in Apache OpenOffice 4.1.2 and earlier allows remote attackers to cause a denial of service (out-of-bounds read or write) or execute arbitrary code via crafted MetaActions in an (1) ODP or (2) OTP file.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201703-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201703-01 (OpenOffice: User-assisted execution of arbitrary code) An exploitable out-of-bounds vulnerability exists in OpenOffice Impress when handling MetaActions. Impact : A remote attacker could entice a user to open a specially crafted OpenDocument Presentation .ODP or Presentation Template .OTP file using OpenOffice Impress, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97813
    published: 2017-03-20
    reporter: This script is Copyright (C) 2017 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/97813
    title: GLSA-201703-01 : OpenOffice: User-assisted execution of arbitrary code
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201703-01.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97813);
      script_version("$Revision: 3.5 $");
      script_cvs_date("$Date: 2017/11/09 15:49:25 $");
    
      script_cve_id("CVE-2016-1513");
      script_xref(name:"GLSA", value:"201703-01");
    
      script_name(english:"GLSA-201703-01 : OpenOffice: User-assisted execution of arbitrary code");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201703-01
    (OpenOffice: User-assisted execution of arbitrary code)
    
        An exploitable out-of-bounds vulnerability exists in OpenOffice Impress
          when handling MetaActions.
      
    Impact :
    
        A remote attacker could entice a user to open a specially crafted
          OpenDocument Presentation .ODP or Presentation Template .OTP file using
          OpenOffice Impress, possibly resulting in execution of arbitrary code
          with the privileges of the process or a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.talosintelligence.com/reports/TALOS-2016-0051/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201703-01"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All OpenOffice users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-office/openoffice-bin-4.1.3'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openoffice-bin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-office/openoffice-bin", unaffected:make_list("ge 4.1.3"), vulnerable:make_list("lt 4.1.3"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenOffice");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-591.NASL
    description: An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in LibreOffice Impress. The defect may cause the document to appear as corrupted and LibreOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code. For Debian 7
    last seen: 2020-03-17
    modified: 2016-08-10
    plugin id: 92829
    published: 2016-08-10
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92829
    title: Debian DLA-591-1 : libreoffice security update
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-591-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92829);
      script_version("2.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2016-1513");
    
      script_name(english:"Debian DLA-591-1 : libreoffice security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An OpenDocument Presentation .ODP or Presentation Template .OTP file
    can contain invalid presentation elements that lead to memory
    corruption when the document is loaded in LibreOffice Impress. The
    defect may cause the document to appear as corrupted and LibreOffice
    may crash in a recovery-stuck mode requiring manual intervention. A
    crafted exploitation of the defect can allow an attacker to cause
    denial of service (memory corruption and application crash) and
    possible execution of arbitrary code.
    
    For Debian 7 'Wheezy', this problem have been fixed in version
    3.5.4+dfsg2-0+deb7u8.
    
    We recommend that you upgrade your libreoffice packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2016/08/msg00014.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/libreoffice"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:fonts-opensymbol");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-base-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-calc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dev-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-draw");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-emailmerge");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-evolution");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-filter-binfilter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-filter-mobiledev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gcj");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gtk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gtk3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-cs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-da");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-de");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-dz");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-el");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-en-gb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-en-us");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-es");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-et");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-eu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-fi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-fr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-gl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-hi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-hu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-it");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ja");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-km");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ko");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-nl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-om");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pt-br");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ru");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-zh-cn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-zh-tw");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-impress");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-java-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-kde");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-af");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-as");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ast");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-be");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-br");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-cs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-cy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-da");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-de");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-dz");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-el");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-en-gb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-en-za");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-eo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-es");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-et");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-eu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-gl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-gu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-he");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-id");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-in");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-is");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-it");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ja");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ka");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-km");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ko");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ku");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-lt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-lv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ne");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nso");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-oc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-om");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-or");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pa-in");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pt-br");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ro");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ru");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-rw");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-si");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-st");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-te");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-th");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-uk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-uz");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ve");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-vi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-xh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-za");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zh-cn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zh-tw");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-math");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-mysql-connector");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-officebean");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-ogltrans");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-pdfimport");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-presentation-minimizer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-presenter-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-report-builder");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-report-builder-bin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-bsh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-js");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-sdbc-postgresql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-crystal");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-galaxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-hicontrast");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-oxygen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-tango");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-wiki-publisher");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-writer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openoffice.org-dtd-officedocument1.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-uno");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-uno");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ttf-opensymbol");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"fonts-opensymbol", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-base", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-base-core", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-calc", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-common", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-core", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-dbg", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-dev", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-dev-doc", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-draw", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-emailmerge", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-evolution", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-filter-binfilter", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-filter-mobiledev", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-gcj", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-gnome", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-gtk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-gtk3", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-ca", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-cs", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-da", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-de", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-dz", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-el", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-en-gb", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-en-us", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-es", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-et", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-eu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-fi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-fr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-gl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-hi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-hu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-it", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-ja", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-km", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-ko", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-nl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-om", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-pl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-pt", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-pt-br", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-ru", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-sk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-sl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-sv", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-zh-cn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-help-zh-tw", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-impress", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-java-common", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-kde", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-af", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ar", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-as", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ast", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-be", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bg", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-br", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bs", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ca", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-cs", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-cy", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-da", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-de", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-dz", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-el", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-en-gb", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-en-za", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-eo", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-es", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-et", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-eu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fa", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ga", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-gl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-gu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-he", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-id", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-in", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-is", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-it", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ja", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ka", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-km", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ko", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ku", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-lt", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-lv", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ml", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nb", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ne", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nso", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-oc", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-om", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-or", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pa-in", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pt", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pt-br", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ro", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ru", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-rw", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-si", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ss", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-st", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sv", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ta", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-te", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tg", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-th", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ts", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ug", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-uk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-uz", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ve", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-vi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-xh", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-za", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zh-cn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zh-tw", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-math", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-mysql-connector", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-officebean", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-ogltrans", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-pdfimport", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-presentation-minimizer", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-presenter-console", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-report-builder", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-report-builder-bin", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-bsh", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-js", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-python", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-sdbc-postgresql", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-style-crystal", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-style-galaxy", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-style-hicontrast", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-style-oxygen", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-style-tango", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-wiki-publisher", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"libreoffice-writer", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"openoffice.org-dtd-officedocument1.0", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"python-uno", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"python3-uno", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    if (deb_check(release:"7.0", prefix:"ttf-opensymbol", reference:"3.5.4+dfsg2-0+deb7u8")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Windows
    NASL id: OPENOFFICE_413.NASL
    description: The version of Apache OpenOffice installed on the remote host is a version prior to 4.1.3. It is, therefore, affected by the following vulnerabilities:
      - A memory corruption issue exists in the Impress tool due to improper validation of user-supplied input when handling elements in invalid presentations. An unauthenticated, remote attacker can exploit this, via specially crafted MetaActions in an ODP or OTP file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1513)
      - A privilege escalation vulnerability exists due to the use of an unquoted Windows search path. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2016-6803)
      - A privilege escalation vulnerability exists due to the use of a fixed path to load system binaries. A local attacker can exploit this, via a specially crafted DLL file in the library path, to inject and execute arbitrary code with elevated privileges. (CVE-2016-6804)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94199
    published: 2016-10-21
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94199
    title: Apache OpenOffice < 4.1.3 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94199);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id("CVE-2016-1513", "CVE-2016-6803", "CVE-2016-6804");
      script_bugtraq_id(92079, 93774);
    
      script_name(english:"Apache OpenOffice < 4.1.3 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Apache OpenOffice.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an application installed that is affected
    by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache OpenOffice installed on the remote host is a
    version prior to 4.1.3. It is, therefore, affected by the following
    vulnerabilities :
    
      - A memory corruption issue exists in the Impress tool due
        to improper validation of user-supplied input when
        handling elements in invalid presentations. An
        unauthenticated, remote attacker can exploit this, via
        specially crafted MetaActions in an ODP or OTP file, to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2016-1513)
    
      - A privilege escalation vulnerability exists due to the
        use of an unquoted Windows search path. A local attacker
        can exploit this to execute arbitrary code with elevated
        privileges. (CVE-2016-6803)
    
      - A privilege escalation vulnerability exists due to the
        use of a fixed path to load system binaries. A local
        attacker can exploit this, via a specially crafted DLL
        file in the library path, to inject and execute
        arbitrary code with elevated privileges. (CVE-2016-6804)");
      script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-1513.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-6803.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-6804.html");
      script_set_attribute(attribute:"see_also", value:"https://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache OpenOffice version 4.1.3 or later. Alternatively,
    the vendor has released a hotfix for 4.1.2 that resolves
    CVE-2016-1513. Note that the hotfix only resolves this one
    vulnerability.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6804");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:openoffice");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("openoffice_installed.nasl");
      script_require_keys("installed_sw/OpenOffice", "SMB/Registry/Enumerated");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    
    app_name   = "OpenOffice";
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    
    install    = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    build      = install['version'];
    path       = install['path'];
    version_ui = install['display_version'];
    
    matches = eregmatch(string:build, pattern:"([0-9]+[a-z][0-9]+)\(Build:([0-9]+)\)");
    if (isnull(matches)) audit(AUDIT_VER_FAIL, app_name);
    
    buildid = int(matches[2]);
    
    flag   = FALSE;
    caveat = '';
    
    # Version 4.1.2 is build 9782
    if (buildid == 9782)
    {
      # A hotfix was made available for version 4.1.2 called "Patch 1" that
      # updates tl.dll. The version of tl.dll does not change, so we check
      # the timestamp.
      fixed_ts  = 1467765120;
      file_path = hotfix_append_path(path:path, value:"\program\tl.dll");
      file_ts   = hotfix_get_timestamp(path:file_path);
    
      # If we were able to get a timestamp, determine vulnerability
      if (file_ts['error'] == HCF_OK)
      {
        file_ts = file_ts['value'];
        if (file_ts < fixed_ts)
          flag = TRUE;
        else
          audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_ui + " (Patch 1)", path);
      }
    
      # If we weren't able to get a timestamp but report paranoia is Paranoid,
      # report the vuln with a caveat; otherwise, audit out.
      else if (report_paranoia > 1)
      {
        flag = TRUE;
        caveat = '  \nNote that Nessus was unable to determine if a hotfix has been applied.\n';
      }
      else
        audit(AUDIT_PARANOID);
    }
    
    # Version 4.1.3 is build 9783
    else if (buildid < 9783)
      flag = TRUE;
    
    if (!flag)
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_ui, path);
    
    port = get_kb_item("SMB/transport");
    if (!port) port = 445;
    
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version_ui +
      '\n  Fixed version     : 4.1.3 (413m1 / build 9783)' +
      '\n' + caveat;
    security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_72F71E264F6911E6AC37AC9E174BE3AF.NASL
    description: The Apache OpenOffice Project reports: An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in Apache OpenOffice Impress. The defect may cause the document to appear as corrupted and OpenOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92504
    published: 2016-07-22
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92504
    title: FreeBSD : Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations) (72f71e26-4f69-11e6-ac37-ac9e174be3af)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92504);
      script_version("2.7");
      script_cvs_date("Date: 2019/07/10 16:04:13");
    
      script_cve_id("CVE-2016-1513");
    
      script_name(english:"FreeBSD : Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations) (72f71e26-4f69-11e6-ac37-ac9e174be3af)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Apache OpenOffice Project reports :
    
    An OpenDocument Presentation .ODP or Presentation Template .OTP file
    can contain invalid presentation elements that lead to memory
    corruption when the document is loaded in Apache OpenOffice Impress.
    The defect may cause the document to appear as corrupted and
    OpenOffice may crash in a recovery-stuck mode requiring manual
    intervention. A crafted exploitation of the defect can allow an
    attacker to cause denial of service (memory corruption and application
    crash) and possible execution of arbitrary code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.openoffice.org/security/cves/CVE-2015-4551.html"
      );
      # https://vuxml.freebsd.org/freebsd/72f71e26-4f69-11e6-ac37-ac9e174be3af.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9a9858d1"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache-openoffice");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache-openoffice-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"apache-openoffice<4.1.2_8")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache-openoffice-devel<4.2.1753426,4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3046-1.NASL
    description: Yves Younan and Richard Johnson discovered that LibreOffice incorrectly handled presentation files. If a user were tricked into opening a specially crafted presentation file, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92750
    published: 2016-08-05
    reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92750
    title: Ubuntu 12.04 LTS : libreoffice vulnerability (USN-3046-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3046-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92750);
      script_version("2.11");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-1513");
      script_xref(name:"USN", value:"3046-1");
    
      script_name(english:"Ubuntu 12.04 LTS : libreoffice vulnerability (USN-3046-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Yves Younan and Richard Johnson discovered that LibreOffice
    incorrectly handled presentation files. If a user were tricked into
    opening a specially crafted presentation file, a remote attacker could
    cause LibreOffice to crash, and possibly execute arbitrary code.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3046-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libreoffice-core package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libreoffice-core");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"libreoffice-core", pkgver:"1:3.5.7-0ubuntu12")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libreoffice-core");
    }
    

Seebug

bulletinFamilyexploit
description
### Description

An exploitable out-of-bounds vulnerability exists in OpenOffice when handling MetaActions. A specially crafted Open Office Impress file can cause an out-of-bounds read/write resulting in potential code execution. An attacker can provide the malicious file to trigger this vulnerability.

### Tested Versions

Apache Open Office 4.1.1

### Product URLs

http://openoffice.apache.org

### Details

In the attached sample an out-of-bounds access occurs when replacing a Polygon in the PolyPolygon object while performing a MetaPolyPolygonAction. In this case, the position in the array is 512, while the array containing Polygons (mpPolyAry) is only 2 in size. This results in a delete of a pointer that is read out of bounds at line 228 of file main\tools\source\generic\poly2.cxx. It is followed at line 229 by an out-of-bounds write, which stores a new pointer obtained by creating a new Polygon at that location. This provides an attacker with multiple ways to exploit this vulnerability: through a free of an invalid pointer, but if that fails, the writing of a new pointer out of bounds could provide a second opportunity for exploitation.

Below are lines 217-230 of main\tools\source\generic\poly2.cxx:

```
void PolyPolygon::Replace( const Polygon& rPoly, sal_uInt16 nPos )
{
    DBG_CHKTHIS( PolyPolygon, NULL );
    DBG_ASSERT( nPos < Count(), "PolyPolygon::Replace(): nPos >= nSize" );

    if ( mpImplPolyPolygon->mnRefCount > 1 )
    {
        mpImplPolyPolygon->mnRefCount--;
        mpImplPolyPolygon = new ImplPolyPolygon( *mpImplPolyPolygon );
    }

    delete mpImplPolyPolygon->mpPolyAry[nPos];
    mpImplPolyPolygon->mpPolyAry[nPos] = new Polygon( rPoly );
}
```

While there is a check at line 220 to ensure that nPos is smaller than the array size, it is simply an assert that is only enabled in debug mode.

The value is read from the sample file in the function MetaPolyPolygonAction::Read in the file main\vcl\source\gdi\metaact.cxx at line 1189:

```
rIStm >> nNumberOfComplexPolygons;
for ( i = 0; i < nNumberOfComplexPolygons; i++ )
{
    rIStm >> nIndex;
    Polygon aPoly;
    aPoly.Read( rIStm );
    maPolyPoly.Replace( aPoly, nIndex );
}
```

Here is the call stack when the problem occurs:

```
00afe04c 68c2109f tl!Polygon::~Polygon+0x48 [d:\aoo\main\tools\source\generic\poly.cxx @ 667]
00afe058 68c2cb8b tl!Polygon::`scalar deleting destructor'+0xf
00afe0b0 67b3be7e tl!PolyPolygon::Replace+0x10b [d:\aoo\main\tools\source\generic\poly2.cxx @ 228]
00afe0f4 67b374ac vcl!MetaPolyPolygonAction::Read+0xce [d:\aoo\main\vcl\source\gdi\metaact.cxx @ 1193]
00afe3c0 67aee49d vcl!MetaAction::ReadMetaAction+0x144c [d:\aoo\main\vcl\source\gdi\metaact.cxx @ 247]
00afe43c 67b1944d vcl!operator>>+0x19d [d:\aoo\main\vcl\source\gdi\gdimtf.cxx @ 2918]
00afe804 67afc9fb vcl!operator>>+0x4ad [d:\aoo\main\vcl\source\gdi\impgraph.cxx @ 1826]
00afe814 66e97234 vcl!operator>>+0x1b [d:\aoo\main\vcl\source\gdi\graph.cxx @ 818]
00afebcc 665dde56 svt!GraphicFilter::ImportGraphic+0x9b4 [d:\aoo\main\svtools\source\filter\filter.cxx @ 1637]
00afecb4 665dd95f svxcore!SdrGrafObj::ImpSwapHdl+0x4e6 [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 1557]
00afecc0 68bceb64 svxcore!SdrGrafObj::LinkStubImpSwapHdl+0xf [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 1481]
00afecd8 66ef08f8 tl!Link::Call+0x24 [d:\aoo\main\solver\411\wntmsci12\inc\tools\link.hxx @ 135]
00afecec 66eef8aa svt!GraphicObject::GetSwapStream+0x28 [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 480]
00afed44 66ef105f svt!GraphicObject::ImplAutoSwapIn+0xca [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 264]
00afed50 665da3fa svt!GraphicObject::FireSwapInRequest+0xf [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 598]
00afed80 664b6b70 svxcore!SdrGrafObj::ForceSwapIn+0x10a [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 706]
00afed94 664b67e2 svxcore!sdr::contact::ViewObjectContactOfGraphic::doAsynchGraphicLoading+0x50 [d:\aoo\main\svx\source\sdr\contact\viewobjectcontactofgraphic.cxx @ 218]
00afeda0 664c0449 svxcore!sdr::event::AsynchGraphicLoadingEvent::ExecuteEvent+0x12 [d:\aoo\main\svx\source\sdr\contact\viewobjectcontactofgraphic.cxx @ 72]
00afedbc 664c0688 svxcore!sdr::event::EventHandler::ExecuteEvents+0x29 [d:\aoo\main\svx\source\sdr\event\eventhandler.cxx @ 114]
00afedc8 679bc1f1 svxcore!sdr::event::TimerEventHandler::Timeout+0x18 [d:\aoo\main\svx\source\sdr\event\eventhandler.cxx @ 147]
00afedf4 6790c1a8 vcl!Timer::ImplTimerCallbackProc+0xd1 [d:\aoo\main\vcl\source\app\timer.cxx @ 142]
00afee00 6790c0a9 vcl!SalTimer::CallCallback+0x18 [d:\aoo\main\vcl\inc\saltimer.hxx @ 62]
00afee48 67905335 vcl!SalTimerProc+0xe9 [d:\aoo\main\vcl\win\source\app\saltimer.cxx @ 129]
00afee84 67905621 vcl!SalComWndProc+0x275 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 837]
00afeed4 75ddc4e7 vcl!SalComWndProcW+0x61 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 885]
00afef00 75ddc5e7 USER32!InternalCallWinProc+0x23
00afef78 75ddcc19 USER32!UserCallWinProcCheckWow+0x14b
00afefd8 75ddcc70 USER32!DispatchMessageWorker+0x35e
00afefe8 678ec7ed USER32!DispatchMessageW+0xf
00afeff4 67904f35 vcl!ImplDispatchMessage+0xd [d:\aoo\main\vcl\win\source\app\saldata.cxx @ 163]
00aff008 67904e4d vcl!ImplSalDispatchMessage+0x35 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 663]
00aff038 67905050 vcl!ImplSalYield+0x5d [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 683]
00aff060 679ab4ce vcl!WinSalInstance::Yield+0xe0 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 745]
00aff078 679ab59f vcl!ImplYield+0x8e [d:\aoo\main\vcl\source\app\svapp.cxx @ 477]
00aff088 679ab3f1 vcl!Application::Yield+0xf [d:\aoo\main\vcl\source\app\svapp.cxx @ 510]
00aff098 69b9bade vcl!Application::Execute+0x31 [d:\aoo\main\vcl\source\app\svapp.cxx @ 453]
00aff734 679b9866 sofficeapp!desktop::Desktop::Main+0x2c8e [d:\aoo\main\desktop\source\app\app.cxx @ 2234]
00aff768 679b9a13 vcl!ImplSVMain+0xa6 [d:\aoo\main\vcl\source\app\svmain.cxx @ 197]
00aff774 69be162a vcl!SVMain+0x23 [d:\aoo\main\vcl\source\app\svmain.cxx @ 238]
00aff7dc 01361098 sofficeapp!sofficemain+0xea [d:\aoo\main\desktop\source\app\sofficemain.cxx @ 47]
00aff7e4 01361039 soffice!salmain+0x8 [d:\aoo\main\desktop\source\app\main.c @ 32]
00aff7f0 01361078 soffice!main+0x19 [d:\aoo\main\desktop\source\app\main.c @ 30]
00aff808 0136125c soffice!WinMain+0x28 [d:\aoo\main\desktop\source\app\main.c @ 30]
00aff898 7622ee1c soffice!tmainCRTStartup+0x140 [f:\dd\vctools\crtbld\selfx86\crt\src\crtexe.c @ 578]
00aff8a4 775437eb kernel32!BaseThreadInitThunk+0xe
00aff8e4 775437be ntdll!RtlUserThreadStart+0x70
00aff8fc 00000000 ntdll!_RtlUserThreadStart+0x1b
```

### Timeline

* 2015-10-08 - Initial Vendor Contact
* 2016-10-30 - Second Vendor Contact
* 2016-01-13 - Vendor review and communication
* 2016-07-21 - Patch released
idSSV:96692
last seen2017-11-19
modified2017-10-16
published2017-10-16
reporterRoot
titleOpenOffice Impress MetaActions Arbitrary Read Write Vulnerability(CVE-2016-1513)
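
The runtime check that the Seebug details find missing, as an added example that is not OpenOffice's code or its patch: a simplified C++ model of the `MetaPolyPolygonAction::Read` loop in which `Replace` rejects an out-of-range index in every build instead of relying on `DBG_ASSERT`. `ByteReader`, `ReadComplexPolygons`, `ParseSample` and the 16-bit little-endian encoding are assumptions of this model, and the byte strings are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

struct Polygon { std::vector<int32_t> points; };  // simplified stand-in
class PolyPolygon {
    std::vector<Polygon> polys_;                  // plays the role of mpPolyAry
public:
    explicit PolyPolygon(std::size_t n) : polys_(n) {}
    std::size_t Count() const { return polys_.size(); }
    // Runtime bounds check: still present in release builds, unlike DBG_ASSERT.
    bool Replace(const Polygon& poly, uint16_t pos) {
        if (pos >= Count()) return false;
        polys_[pos] = poly;
        return true;
    }
};

// Little-endian reader over untrusted bytes (the encoding is an assumption of this model).
class ByteReader {
    const std::vector<uint8_t>& buf_;
    std::size_t off_ = 0;
public:
    explicit ByteReader(const std::vector<uint8_t>& b) : buf_(b) {}
    uint16_t u16() {
        if (buf_.size() - off_ < 2) throw std::runtime_error("truncated record");
        off_ += 2;
        return static_cast<uint16_t>(buf_[off_ - 2] | (buf_[off_ - 1] << 8));
    }
};

// Same loop shape as the Read excerpt: a count, then one index per entry (polygon body omitted).
bool ReadComplexPolygons(ByteReader& in, PolyPolygon& polyPoly) {
    uint16_t count = in.u16();
    for (uint16_t i = 0; i < count; ++i) {
        uint16_t index = in.u16();
        if (!polyPoly.Replace(Polygon(), index)) return false;  // reject the record
    }
    return true;
}

// Parses constructed bytes against an array of arraySize polygons; false means rejected.
bool ParseSample(const std::vector<uint8_t>& bytes, std::size_t arraySize) {
    ByteReader in(bytes);
    PolyPolygon polyPoly(arraySize);
    try { return ReadComplexPolygons(in, polyPoly); }
    catch (const std::runtime_error&) { return false; }
}
// Constructed record: count = 1, index = 512, against a 2-element array; exits 0 when rejected.
int main() { return ParseSample({0x01, 0x00, 0x00, 0x02}, 2) ? 1 : 0; }
```

The index comparison uses `>=` so that an index equal to `Count()` is rejected as well, and a truncated record fails closed rather than reading past the input.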

Talos

idTALOS-2016-0051
last seen2019-05-29
published2016-07-21
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0051
titleOpenOffice Impress MetaActions Arbitrary Read Write Vulnerability