Vulnerabilities > CVE-2016-1513 - Out-of-bounds Write vulnerability in Apache Openoffice
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The Impress tool in Apache OpenOffice 4.1.2 and earlier allows remote attackers to cause a denial of service (out-of-bounds read or write) or execute arbitrary code via crafted MetaActions in an (1) ODP or (2) OTP file.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201703-01.NASL description The remote host is affected by the vulnerability described in GLSA-201703-01 (OpenOffice: User-assisted execution of arbitrary code) An exploitable out-of-bounds vulnerability exists in OpenOffice Impress when handling MetaActions. Impact : A remote attacker could entice a user to open a specially crafted OpenDocument Presentation .ODP or Presentation Template .OTP file using OpenOffice Impress, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 97813 published 2017-03-20 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/97813 title GLSA-201703-01 : OpenOffice: User-assisted execution of arbitrary code code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201703-01. # # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(97813); script_version("$Revision: 3.5 $"); script_cvs_date("$Date: 2017/11/09 15:49:25 $"); script_cve_id("CVE-2016-1513"); script_xref(name:"GLSA", value:"201703-01"); script_name(english:"GLSA-201703-01 : OpenOffice: User-assisted execution of arbitrary code"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201703-01 (OpenOffice: User-assisted execution of arbitrary code) An exploitable out-of-bounds vulnerability exists in OpenOffice Impress when handling MetaActions. Impact : A remote attacker could entice a user to open a specially crafted OpenDocument Presentation .ODP or Presentation Template .OTP file using OpenOffice Impress, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://www.talosintelligence.com/reports/TALOS-2016-0051/" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201703-01" ); script_set_attribute( attribute:"solution", value: "All OpenOffice users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=app-office/openoffice-bin-4.1.3'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openoffice-bin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"app-office/openoffice-bin", unaffected:make_list("ge 4.1.3"), vulnerable:make_list("lt 4.1.3"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenOffice"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-591.NASL description An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in LibreOffice Impress. The defect may cause the document to appear as corrupted and LibreOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code. For Debian 7 last seen 2020-03-17 modified 2016-08-10 plugin id 92829 published 2016-08-10 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92829 title Debian DLA-591-1 : libreoffice security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-591-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(92829); script_version("2.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2016-1513"); script_name(english:"Debian DLA-591-1 : libreoffice security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in LibreOffice Impress. The defect may cause the document to appear as corrupted and LibreOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code. For Debian 7 'Wheezy', this problem have been fixed in version 3.5.4+dfsg2-0+deb7u8. We recommend that you upgrade your libreoffice packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2016/08/msg00014.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/libreoffice" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:fonts-opensymbol"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-base-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-calc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dev-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-draw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-emailmerge"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-evolution"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-filter-binfilter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-filter-mobiledev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gcj"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gtk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gtk3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ca"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-cs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-da"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-de"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-dz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-el"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-en-gb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-en-us"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-es"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-et"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-eu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-fi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-fr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-gl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-hi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-hu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-it"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ja"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-km"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ko"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-nl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-om"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pt-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ru"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-zh-cn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-zh-tw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-impress"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-java-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-kde"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-af"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-as"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ast"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-be"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ca"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-cs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-cy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-da"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-de"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-dz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-el"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-en-gb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-en-za"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-eo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-es"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-et"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-eu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ga"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-gl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-gu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-he"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-id"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-is"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-it"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ja"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ka"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-km"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ko"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ku"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-lt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-lv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ne"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nso"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-oc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-om"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-or"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pa-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pt-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ro"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ru"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-rw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-si"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-st"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-te"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-th"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-uk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-uz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ve"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-vi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-xh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-za"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zh-cn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zh-tw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-math"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-mysql-connector"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-officebean"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-ogltrans"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-pdfimport"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-presentation-minimizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-presenter-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-report-builder"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-report-builder-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-bsh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-js"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-sdbc-postgresql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-crystal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-galaxy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-hicontrast"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-oxygen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-tango"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-wiki-publisher"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-writer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openoffice.org-dtd-officedocument1.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-uno"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-uno"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ttf-opensymbol"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2016/08/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"fonts-opensymbol", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-base", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-base-core", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-calc", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-common", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-core", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-dbg", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-dev", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-dev-doc", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-draw", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-emailmerge", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-evolution", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-filter-binfilter", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-filter-mobiledev", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-gcj", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-gnome", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-gtk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-gtk3", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-ca", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-cs", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-da", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-de", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-dz", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-el", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-en-gb", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-en-us", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-es", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-et", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-eu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-fi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-fr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-gl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-hi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-hu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-it", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-ja", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-km", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-ko", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-nl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-om", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-pl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-pt", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-pt-br", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-ru", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-sk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-sl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-sv", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-zh-cn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-zh-tw", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-impress", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-java-common", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-kde", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-af", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ar", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-as", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ast", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-be", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bg", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-br", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bs", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ca", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-cs", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-cy", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-da", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-de", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-dz", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-el", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-en-gb", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-en-za", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-eo", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-es", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-et", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-eu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fa", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ga", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-gl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-gu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-he", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-id", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-in", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-is", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-it", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ja", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ka", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-km", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ko", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ku", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-lt", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-lv", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ml", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nb", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ne", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nso", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-oc", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-om", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-or", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pa-in", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pt", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pt-br", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ro", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ru", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-rw", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-si", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sl", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ss", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-st", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sv", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ta", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-te", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tg", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-th", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tr", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ts", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ug", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-uk", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-uz", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ve", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-vi", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-xh", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-za", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zh-cn", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zh-tw", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zu", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-math", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-mysql-connector", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-officebean", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-ogltrans", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-pdfimport", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-presentation-minimizer", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-presenter-console", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-report-builder", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-report-builder-bin", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-bsh", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-js", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-python", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-sdbc-postgresql", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-crystal", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-galaxy", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-hicontrast", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-oxygen", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-tango", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-wiki-publisher", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-writer", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"openoffice.org-dtd-officedocument1.0", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"python-uno", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"python3-uno", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (deb_check(release:"7.0", prefix:"ttf-opensymbol", reference:"3.5.4+dfsg2-0+deb7u8")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Windows NASL id OPENOFFICE_413.NASL description The version of Apache OpenOffice installed on the remote host is a version prior to 4.1.3. It is, therefore, affected by the following vulnerabilities : - A memory corruption issue exists in the Impress tool due to improper validation of user-supplied input when handling elements in invalid presentations. An unauthenticated, remote attacker can exploit this, via specially crafted MetaActions in an ODP or OTP file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1513) - A privilege escalation vulnerability exists due to the use of an unquoted Windows search path. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2016-6803) - A privilege escalation vulnerability exists due to the use of a fixed path to load system binaries. A local attacker can exploit this, via a specially crafted DLL file in the library path, to inject and execute arbitrary code with elevated privileges. (CVE-2016-6804) last seen 2020-06-01 modified 2020-06-02 plugin id 94199 published 2016-10-21 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94199 title Apache OpenOffice < 4.1.3 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94199); script_version("1.7"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-1513", "CVE-2016-6803", "CVE-2016-6804"); script_bugtraq_id(92079, 93774); script_name(english:"Apache OpenOffice < 4.1.3 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Apache OpenOffice."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has an application installed that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Apache OpenOffice installed on the remote host is a version prior to 4.1.3. It is, therefore, affected by the following vulnerabilities : - A memory corruption issue exists in the Impress tool due to improper validation of user-supplied input when handling elements in invalid presentations. An unauthenticated, remote attacker can exploit this, via specially crafted MetaActions in an ODP or OTP file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1513) - A privilege escalation vulnerability exists due to the use of an unquoted Windows search path. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2016-6803) - A privilege escalation vulnerability exists due to the use of a fixed path to load system binaries. A local attacker can exploit this, via a specially crafted DLL file in the library path, to inject and execute arbitrary code with elevated privileges. (CVE-2016-6804)"); script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-1513.html"); script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-6803.html"); script_set_attribute(attribute:"see_also", value:"https://www.openoffice.org/security/cves/CVE-2016-6804.html"); script_set_attribute(attribute:"see_also", value:"https://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache OpenOffice version 4.1.3 or later. Alternatively, the vendor has released a hotfix for 4.1.2 that resolves CVE-2016-1513. Note that the hotfix only resolves this one vulnerability."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6804"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/21"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/21"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:openoffice"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("openoffice_installed.nasl"); script_require_keys("installed_sw/OpenOffice", "SMB/Registry/Enumerated"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); include("smb_func.inc"); include("smb_hotfixes_fcheck.inc"); app_name = "OpenOffice"; get_kb_item_or_exit("SMB/Registry/Enumerated"); install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); build = install['version']; path = install['path']; version_ui = install['display_version']; matches = eregmatch(string:build, pattern:"([0-9]+[a-z][0-9]+)\(Build:([0-9]+)\)"); if (isnull(matches)) audit(AUDIT_VER_FAIL, app_name); buildid = int(matches[2]); flag = FALSE; caveat = ''; # Version 4.1.2 is build 9782 if (buildid == 9782) { # A hotfix was made available for version 4.1.2 called "Patch 1" that # updates tl.dll. The version of tl.dll does not change, so we check # the timestamp. fixed_ts = 1467765120; file_path = hotfix_append_path(path:path, value:"\program\tl.dll"); file_ts = hotfix_get_timestamp(path:file_path); # If we were able to get a timestamp, determine vulnerability if (file_ts['error'] == HCF_OK) { file_ts = file_ts['value']; if (file_ts < fixed_ts) flag = TRUE; else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_ui + " (Patch 1)", path); } # If we weren't able to get a timestamp but report paranoia is Paranoid, # report the vuln with a caveat; otherwise, audit out. else if (report_paranoia > 1) { flag = TRUE; caveat = ' \nNote that Nessus was unable to determine if a hotfix has been applied.\n'; } else audit(AUDIT_PARANOID); } # Version 4.1.3 is build 9783 else if (buildid < 9783) flag = TRUE; if (!flag) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_ui, path); port = get_kb_item("SMB/transport"); if (!port) port = 445; report = '\n Path : ' + path + '\n Installed version : ' + version_ui + '\n Fixed version : 4.1.3 (413m1 / build 9783)' + '\n' + caveat; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_72F71E264F6911E6AC37AC9E174BE3AF.NASL description The Apache OpenOffice Project reports : An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in Apache OpenOffice Impress. The defect may cause the document to appear as corrupted and OpenOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 92504 published 2016-07-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92504 title FreeBSD : Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations) (72f71e26-4f69-11e6-ac37-ac9e174be3af) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2019 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(92504); script_version("2.7"); script_cvs_date("Date: 2019/07/10 16:04:13"); script_cve_id("CVE-2016-1513"); script_name(english:"FreeBSD : Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations) (72f71e26-4f69-11e6-ac37-ac9e174be3af)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "The Apache OpenOffice Project reports : An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in Apache OpenOffice Impress. The defect may cause the document to appear as corrupted and OpenOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"http://www.openoffice.org/security/cves/CVE-2015-4551.html" ); # https://vuxml.freebsd.org/freebsd/72f71e26-4f69-11e6-ac37-ac9e174be3af.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9a9858d1" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache-openoffice"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache-openoffice-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/17"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"apache-openoffice<4.1.2_8")) flag++; if (pkg_test(save_report:TRUE, pkg:"apache-openoffice-devel<4.2.1753426,4")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3046-1.NASL description Yves Younan and Richard Johnson discovered that LibreOffice incorrectly handled presentation files. If a user were tricked into opening a specially crafted presentation file, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 92750 published 2016-08-05 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92750 title Ubuntu 12.04 LTS : libreoffice vulnerability (USN-3046-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3046-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(92750); script_version("2.11"); script_cvs_date("Date: 2019/09/18 12:31:46"); script_cve_id("CVE-2016-1513"); script_xref(name:"USN", value:"3046-1"); script_name(english:"Ubuntu 12.04 LTS : libreoffice vulnerability (USN-3046-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Yves Younan and Richard Johnson discovered that LibreOffice incorrectly handled presentation files. If a user were tricked into opening a specially crafted presentation file, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3046-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected libreoffice-core package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libreoffice-core"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/05"); script_set_attribute(attribute:"patch_publication_date", value:"2016/08/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"libreoffice-core", pkgver:"1:3.5.7-0ubuntu12")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libreoffice-core"); }
Seebug
bulletinFamily | exploit |
description | ### Description An exploitable out-of-bounds vulnerability exists in OpenOffice when handling MetaActions. A specially crafted Open Office Impress file can cause an out-of-bounds read/write resulting in potential code execution. An attacker can provide the malicious file to trigger this vulnerability. ### Tested Versions Apache Open Office 4.1.1 ### Product URLs http://openoffice.apache.org ### Details In the attached sample an out of bounds occurs when replacing a Polygon in the PolyPolygon object when performing a MetaPolyPolygonAction. In this case, the position in the array is 512, while the array containing Polygons (mpPolyAry) is only 2 in size. This will result in a delete of a pointer which is read out of bounds at line 228 of file main\tools\source\generic\poly2.cxx. This will be followed at line 229 with an out-of-bounds write, writing a new pointer which is gotten by creating a new Polygon at that location. This provides an attacker with multiple ways to exploit this vulnerability: through a free of an invalid pointer, but if that fails, the writing of a new pointer out of bounds could provide a second opportunity for exploitation. Below are line 217-230 of main\tools\source\generic\poly2.cxx: ``` void PolyPolygon::Replace( const Polygon& rPoly, saluInt16 nPos ) { DBGCHKTHIS( PolyPolygon, NULL ); DBG_ASSERT( nPos < Count(), "PolyPolygon::Replace(): nPos >= nSize" ); if ( mpImplPolyPolygon->mnRefCount > 1 ) { mpImplPolyPolygon->mnRefCount--; mpImplPolyPolygon = new ImplPolyPolygon( *mpImplPolyPolygon ); } delete mpImplPolyPolygon->mpPolyAry[nPos]; mpImplPolyPolygon->mpPolyAry[nPos] = new Polygon( rPoly ); } ``` While there is a check to ensure that npos is smaller than the array size at line 220, it is simple an assert that is only enabled in debug mode. The value is read from the sample file in the function MetaPolyPolygonAction::Read in the file main\vcl\source\gdi\metaact.cxx at line 1189: ``` rIStm >> nNumberOfComplexPolygons; for ( i = 0; i < nNumberOfComplexPolygons; i++ ) { rIStm >> nIndex; Polygon aPoly; aPoly.Read( rIStm ); maPolyPoly.Replace( aPoly, nIndex ); } ``` Here is the call stack when the problem occurs: ``` 00afe04c 68c2109f tl!Polygon::~Polygon+0x48 [d:\aoo\main\tools\source\generic\poly.cxx @ 667] 00afe058 68c2cb8b tl!Polygon::`scalar deleting destructor'+0xf 00afe0b0 67b3be7e tl!PolyPolygon::Replace+0x10b [d:\aoo\main\tools\source\generic\poly2.cxx @ 228] 00afe0f4 67b374ac vcl!MetaPolyPolygonAction::Read+0xce [d:\aoo\main\vcl\source\gdi\metaact.cxx @ 1193] 00afe3c0 67aee49d vcl!MetaAction::ReadMetaAction+0x144c [d:\aoo\main\vcl\source\gdi\metaact.cxx @ 247] 00afe43c 67b1944d vcl!operator>>+0x19d [d:\aoo\main\vcl\source\gdi\gdimtf.cxx @ 2918] 00afe804 67afc9fb vcl!operator>>+0x4ad [d:\aoo\main\vcl\source\gdi\impgraph.cxx @ 1826] 00afe814 66e97234 vcl!operator>>+0x1b [d:\aoo\main\vcl\source\gdi\graph.cxx @ 818] 00afebcc 665dde56 svt!GraphicFilter::ImportGraphic+0x9b4 [d:\aoo\main\svtools\source\filter\filter.cxx @ 1637] 00afecb4 665dd95f svxcore!SdrGrafObj::ImpSwapHdl+0x4e6 [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 1557] 00afecc0 68bceb64 svxcore!SdrGrafObj::LinkStubImpSwapHdl+0xf [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 1481] 00afecd8 66ef08f8 tl!Link::Call+0x24 [d:\aoo\main\solver\411\wntmsci12\inc\tools\link.hxx @ 135] 00afecec 66eef8aa svt!GraphicObject::GetSwapStream+0x28 [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 480] 00afed44 66ef105f svt!GraphicObject::ImplAutoSwapIn+0xca [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 264] 00afed50 665da3fa svt!GraphicObject::FireSwapInRequest+0xf [d:\aoo\main\svtools\source\graphic\grfmgr.cxx @ 598] 00afed80 664b6b70 svxcore!SdrGrafObj::ForceSwapIn+0x10a [d:\aoo\main\svx\source\svdraw\svdograf.cxx @ 706] 00afed94 664b67e2 svxcore!sdr::contact::ViewObjectContactOfGraphic::doAsynchGraphicLoading+0x50 [d:\aoo\main\svx\source\sdr\contact\viewobjectcontactofgraphic.cxx @ 218] 00afeda0 664c0449 svxcore!sdr::event::AsynchGraphicLoadingEvent::ExecuteEvent+0x12 [d:\aoo\main\svx\source\sdr\contact\viewobjectcontactofgraphic.cxx @ 72] 00afedbc 664c0688 svxcore!sdr::event::EventHandler::ExecuteEvents+0x29 [d:\aoo\main\svx\source\sdr\event\eventhandler.cxx @ 114] 00afedc8 679bc1f1 svxcore!sdr::event::TimerEventHandler::Timeout+0x18 [d:\aoo\main\svx\source\sdr\event\eventhandler.cxx @ 147] 00afedf4 6790c1a8 vcl!Timer::ImplTimerCallbackProc+0xd1 [d:\aoo\main\vcl\source\app\timer.cxx @ 142] 00afee00 6790c0a9 vcl!SalTimer::CallCallback+0x18 [d:\aoo\main\vcl\inc\saltimer.hxx @ 62] 00afee48 67905335 vcl!SalTimerProc+0xe9 [d:\aoo\main\vcl\win\source\app\saltimer.cxx @ 129] 00afee84 67905621 vcl!SalComWndProc+0x275 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 837] 00afeed4 75ddc4e7 vcl!SalComWndProcW+0x61 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 885] 00afef00 75ddc5e7 USER32!InternalCallWinProc+0x23 00afef78 75ddcc19 USER32!UserCallWinProcCheckWow+0x14b 00afefd8 75ddcc70 USER32!DispatchMessageWorker+0x35e 00afefe8 678ec7ed USER32!DispatchMessageW+0xf 00afeff4 67904f35 vcl!ImplDispatchMessage+0xd [d:\aoo\main\vcl\win\source\app\saldata.cxx @ 163] 00aff008 67904e4d vcl!ImplSalDispatchMessage+0x35 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 663] 00aff038 67905050 vcl!ImplSalYield+0x5d [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 683] 00aff060 679ab4ce vcl!WinSalInstance::Yield+0xe0 [d:\aoo\main\vcl\win\source\app\salinst.cxx @ 745] 00aff078 679ab59f vcl!ImplYield+0x8e [d:\aoo\main\vcl\source\app\svapp.cxx @ 477] 00aff088 679ab3f1 vcl!Application::Yield+0xf [d:\aoo\main\vcl\source\app\svapp.cxx @ 510] 00aff098 69b9bade vcl!Application::Execute+0x31 [d:\aoo\main\vcl\source\app\svapp.cxx @ 453] 00aff734 679b9866 sofficeapp!desktop::Desktop::Main+0x2c8e [d:\aoo\main\desktop\source\app\app.cxx @ 2234] 00aff768 679b9a13 vcl!ImplSVMain+0xa6 [d:\aoo\main\vcl\source\app\svmain.cxx @ 197] 00aff774 69be162a vcl!SVMain+0x23 [d:\aoo\main\vcl\source\app\svmain.cxx @ 238] 00aff7dc 01361098 sofficeapp!sofficemain+0xea [d:\aoo\main\desktop\source\app\sofficemain.cxx @ 47] 00aff7e4 01361039 soffice!salmain+0x8 [d:\aoo\main\desktop\source\app\main.c @ 32] 00aff7f0 01361078 soffice!main+0x19 [d:\aoo\main\desktop\source\app\main.c @ 30] 00aff808 0136125c soffice!WinMain+0x28 [d:\aoo\main\desktop\source\app\main.c @ 30] 00aff898 7622ee1c soffice!tmainCRTStartup+0x140 [f:\dd\vctools\crtbld\selfx86\crt\src\crtexe.c @ 578] 00aff8a4 775437eb kernel32!BaseThreadInitThunk+0xe 00aff8e4 775437be ntdll!RtlUserThreadStart+0x70 00aff8fc 00000000 ntdll!_RtlUserThreadStart+0x1b ``` ### Timeline * 2015-10-08 - Initial Vendor Contact * 2016-10-30 - Second Vendor Contact * 2016-01-13 - Vendor review and communication * 2016-07-21 - Patch released |
id | SSV:96692 |
last seen | 2017-11-19 |
modified | 2017-10-16 |
published | 2017-10-16 |
reporter | Root |
title | OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability(CVE-2016-1513) |
Talos
id | TALOS-2016-0051 |
last seen | 2019-05-29 |
published | 2016-07-21 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0051 |
title | OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability |
References
- http://www.openoffice.org/security/cves/CVE-2016-1513.html
- http://www.securityfocus.com/bid/92079
- https://bz.apache.org/ooo/show_bug.cgi?id=127045
- http://www.talosintelligence.com/reports/TALOS-2016-0051/
- http://www.ubuntu.com/usn/USN-3046-1
- https://security.gentoo.org/glsa/201703-01
- http://www.securitytracker.com/id/1036443