Vulnerabilities > CVE-2017-12607 - Out-of-bounds Write vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A vulnerability in OpenOffice's PPT file parser before 4.1.4, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1214.NASL description Marcin Noga discovered two vulnerabilities in LibreOffice, which could result in the execution of arbitrary code if a malformed PPT or DOC document is opened. For Debian 7 last seen 2020-03-17 modified 2017-12-21 plugin id 105395 published 2017-12-21 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105395 title Debian DLA-1214-1 : libreoffice security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1214-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(105395); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2017-12607", "CVE-2017-12608"); script_name(english:"Debian DLA-1214-1 : libreoffice security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Marcin Noga discovered two vulnerabilities in LibreOffice, which could result in the execution of arbitrary code if a malformed PPT or DOC document is opened. For Debian 7 'Wheezy', these problems have been fixed in version 1:3.5.4+dfsg2-0+deb7u10. We recommend that you upgrade your libreoffice packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2017/12/msg00017.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/libreoffice" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:fonts-opensymbol"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-base-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-calc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-dev-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-draw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-emailmerge"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-evolution"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-filter-binfilter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-filter-mobiledev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gcj"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gtk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-gtk3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ca"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-cs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-da"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-de"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-dz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-el"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-en-gb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-en-us"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-es"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-et"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-eu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-fi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-fr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-gl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-hi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-hu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-it"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ja"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-km"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ko"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-nl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-om"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-pt-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-ru"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-sv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-zh-cn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-help-zh-tw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-impress"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-java-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-kde"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-af"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-as"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ast"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-be"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-bs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ca"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-cs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-cy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-da"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-de"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-dz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-el"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-en-gb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-en-za"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-eo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-es"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-et"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-eu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-fr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ga"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-gl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-gu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-he"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-hu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-id"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-is"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-it"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ja"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ka"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-km"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ko"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ku"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-lt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-lv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-mr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ne"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-nso"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-oc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-om"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-or"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pa-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-pt-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ro"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ru"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-rw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-si"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-st"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-sv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-te"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-th"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-tr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-uk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-uz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-ve"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-vi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-xh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-za"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zh-cn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zh-tw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-l10n-zu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-math"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-mysql-connector"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-officebean"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-ogltrans"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-pdfimport"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-presentation-minimizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-presenter-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-report-builder"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-report-builder-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-bsh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-js"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-script-provider-python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-sdbc-postgresql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-crystal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-galaxy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-hicontrast"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-oxygen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-style-tango"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-wiki-publisher"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libreoffice-writer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openoffice.org-dtd-officedocument1.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-uno"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-uno"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ttf-opensymbol"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"fonts-opensymbol", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-base", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-base-core", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-calc", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-common", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-core", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-dbg", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-dev", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-dev-doc", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-draw", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-emailmerge", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-evolution", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-filter-binfilter", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-filter-mobiledev", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-gcj", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-gnome", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-gtk", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-gtk3", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-ca", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-cs", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-da", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-de", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-dz", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-el", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-en-gb", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-en-us", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-es", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-et", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-eu", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-fi", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-fr", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-gl", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-hi", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-hu", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-it", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-ja", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-km", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-ko", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-nl", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-om", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-pl", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-pt", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-pt-br", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-ru", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-sk", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-sl", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-sv", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-zh-cn", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-help-zh-tw", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-impress", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-java-common", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-kde", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-af", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ar", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-as", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ast", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-be", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bg", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bn", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-br", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-bs", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ca", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-cs", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-cy", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-da", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-de", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-dz", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-el", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-en-gb", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-en-za", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-eo", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-es", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-et", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-eu", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fa", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fi", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-fr", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ga", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-gl", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-gu", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-he", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hi", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hr", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-hu", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-id", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-in", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-is", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-it", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ja", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ka", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-km", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ko", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ku", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-lt", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-lv", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mk", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ml", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mn", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-mr", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nb", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ne", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nl", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nn", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nr", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-nso", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-oc", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-om", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-or", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pa-in", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pl", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pt", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-pt-br", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ro", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ru", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-rw", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-si", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sk", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sl", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sr", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ss", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-st", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-sv", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ta", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-te", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tg", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-th", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tn", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-tr", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ts", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ug", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-uk", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-uz", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-ve", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-vi", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-xh", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-za", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zh-cn", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zh-tw", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-l10n-zu", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-math", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-mysql-connector", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-officebean", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-ogltrans", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-pdfimport", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-presentation-minimizer", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-presenter-console", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-report-builder", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-report-builder-bin", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-bsh", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-js", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-script-provider-python", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-sdbc-postgresql", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-crystal", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-galaxy", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-hicontrast", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-oxygen", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-style-tango", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-wiki-publisher", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"libreoffice-writer", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"openoffice.org-dtd-officedocument1.0", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"python-uno", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"python3-uno", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (deb_check(release:"7.0", prefix:"ttf-opensymbol", reference:"1:3.5.4+dfsg2-0+deb7u10")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3472-1.NASL description Marcin Noga discovered that LibreOffice incorrectly handled PPT documents. If a user were tricked into opening a specially crafted PPT document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. (CVE-2017-12607) Marcin Noga discovered that LibreOffice incorrectly handled Word documents. If a user were tricked into opening a specially crafted Word document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code. (CVE-2017-12608). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104377 published 2017-11-03 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104377 title Ubuntu 14.04 LTS : libreoffice vulnerabilities (USN-3472-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4022.NASL description Marcin Noga discovered two vulnerabilities in LibreOffice, which could result in the execution of arbitrary code if a malformed PPT or DOC document is opened. last seen 2020-06-01 modified 2020-06-02 plugin id 104465 published 2017-11-09 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104465 title Debian DSA-4022-1 : libreoffice - security update NASL family Windows NASL id OPENOFFICE_414.NASL description The version of Apache OpenOffice installed on the remote host is a version prior to 4.1.4. It is, therefore, affected by multiple Out-of-Bounds vulnerabilities and a file disclosure vulnerability in Calc/Writer. last seen 2020-06-01 modified 2020-06-02 plugin id 104351 published 2017-11-02 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104351 title Apache OpenOffice < 4.1.4 Multiple Vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_27229C67B8FF11E79F79AC9E174BE3AF.NASL description The Apache Openofffice project reports : CVE-2017-3157: Arbitrary file disclosure in Calc and Writer By exploiting the way OpenOffice renders embedded objects, an attacker could craft a document that allows reading in a file from the user last seen 2020-06-01 modified 2020-06-02 plugin id 104162 published 2017-10-26 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104162 title FreeBSD : Apache OpenOffice -- multiple vulnerabilities (27229c67-b8ff-11e7-9f79-ac9e174be3af)
Seebug
bulletinFamily | exploit |
description | ### Summary An exploitable out of bound write vulnerability exists in the PPTStyleSheet::PPTStyleSheet functionality of Apache OpenOffice. A specially crafted PPT file can cause an out of bound write resulting in arbitrary code execution. An attacker can send/provide a malicious PPT file to trigger this vulnerability. ### Tested Versions Apache OpenOffice 4.1.3 x64 Apache OpenOffice 4.1.3 x86 ### Product URLs http://www.openoffice.org/ ### CVSSv3 Score 8.3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H ### Details This vulnerability is present in the Apache OpenOffice (formerly OpenOffice.org) a free open source office suite. A specially crafted PPT file can lead to an out of bound write and ultimately to remote code execution. Let's investigate this vulnerability. After opening Impress with the malformed PPT file we see following state: ``` gdb-peda$ context [----------------------------------registers-----------------------------------] RAX: 0xb70 ('p\x0b') RBX: 0x28a RCX: 0x7fffc2ef0fdc --> 0x800000000010000 RDX: 0x7fffc2a4fd88 --> 0x64000020220000 ('') RSI: 0x7fffc2a45170 --> 0x0 RDI: 0x7fffc2ef0ff0 --> 0x800000000010000 RBP: 0x28a RSP: 0x7fffffffa7b0 --> 0x1 RIP: 0x7fffc2571dfc (mov WORD PTR [rdi+0x10],ax) R8 : 0x5140 ('@Q') R9 : 0x0 R10: 0x7fffc2a4f9c8 --> 0x7ffff09eca80 --> 0x7ffff07bfa64 (<_ZN16SotStorageStream7GetDataEPvm>: push rbp) R11: 0xc8 R12: 0x0 R13: 0x28a R14: 0x7fffc2a3f148 --> 0x7fffc2a77848 --> 0x7fffc2a413e8 --> 0x7b ('{') R15: 0x7fffc2a4f9c8 --> 0x7ffff09eca80 --> 0x7ffff07bfa64 (<_ZN16SotStorageStream7GetDataEPvm>: push rbp) EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7fffc2571df0: mov rax,QWORD PTR [rcx+0x8] 0x7fffc2571df4: mov QWORD PTR [rdi+0x8],rax 0x7fffc2571df8: movzx eax,WORD PTR [rcx+0x10] => 0x7fffc2571dfc: mov WORD PTR [rdi+0x10],ax 0x7fffc2571e00: mov rax,QWORD PTR [rsp+0x28] 0x7fffc2571e05: movzx r12d,r9b 0x7fffc2571e09: mov r8d,ebx 0x7fffc2571e0c: mov r9d,r12d [------------------------------------stack-------------------------------------] 0000| 0x7fffffffa7b0 --> 0x1 0008| 0x7fffffffa7b8 --> 0x966f08 --> 0x7ffff7ffe480 --> 0x6db1b0 --> 0x7ffff7ffe1c8 --> 0x0 0016| 0x7fffffffa7c0 --> 0x7fffffffb160 --> 0x1 0024| 0x7fffffffa7c8 --> 0x7ffff7ed8808 --> 0x7fffc27ab310 --> 0x7fffc25730b0 (<_ZNK19SdrPowerPointImport9ImportOLEElRK7GraphicRK9RectangleS5_il>: push r15) 0032| 0x7fffffffa7d0 --> 0x7fffffffb0b0 --> 0xfc9000f0000b10f 0040| 0x7fffffffa7d8 --> 0x7fffc2a45170 --> 0x0 0048| 0x7fffffffa7e0 --> 0x7ffff7ed9000 --> 0x10000000b 0056| 0x7fffffffa7e8 --> 0x3e8a00000000 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV gdb-peda$ bt #0 0x00007fffc2571dfc in ?? () from /opt/openoffice4/program/libmsfilter.so #1 0x00007fffc2577c4d in SdrPowerPointImport::SdrPowerPointImport(PowerPointImportParam&, String const&) () from /opt/ openoffice4/program/ libmsfilter.so #2 0x00007fffc27c702e in ?? () from /opt/openoffice4/program/libsdfilt.so #3 0x00007fffc27c74e9 in ?? () from /opt/openoffice4/program/libsdfilt.so #4 0x00007fffc27ceafb in ImportPPT () from /opt/openoffice4/program/libsdfilt.so #5 0x00007fffc326c4c8 in ?? () from /opt/openoffice4/program/../program/libsd.so #6 0x00007fffc318884d in sd::DrawDocShell::ConvertFrom(SfxMedium&) () from /opt/openoffice4/program/../program/libsd.so #7 0x00007ffff4ccc02f in SfxObjectShell::DoLoad(SfxMedium*) () from /opt/openoffice4/program/libsfx.so #8 0x00007ffff4cf2202 in SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /opt/ openoffice4/program/libsfx.so #9 0x00007ffff4d47093 in ?? () from /opt/openoffice4/program/libsfx.so #10 0x00007fffee2a6750 in ?? () from /opt/openoffice4/program/libfwk.so #11 0x00007fffee2a707e in ?? () from /opt/openoffice4/program/libfwk.so #12 0x00007fffee2619a0 in ?? () from /opt/openoffice4/program/libfwk.so #13 0x00007fffee261c0e in ?? () from /opt/openoffice4/program/libfwk.so #14 0x00007ffff5d38868 in comphelper::SynchronousDispatch::dispatch(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /opt/ openoffice4/program/libcomphelpgcc3.so #15 0x00007ffff77971a3 in ?? () from /opt/openoffice4/program/libsofficeapp.so #16 0x00007ffff77a33a6 in ?? () from /opt/openoffice4/program/libsofficeapp.so #17 0x00007ffff77831f0 in ?? () from /opt/openoffice4/program/libsofficeapp.so #18 0x00007ffff7784d0a in ?? () from /opt/openoffice4/program/libsofficeapp.so #19 0x00007ffff2ec6ab3 in ?? () from /opt/openoffice4/program/libvcl.so #20 0x00007fffea8f9b27 in SalDisplay::DispatchInternalEvent() () from /opt/openoffice4/program/libvclplug_gen.so #21 0x00007fffeabb63b4 in ?? () from /opt/openoffice4/program/libvclplug_gtk.so #22 0x00007fffe9aed175 in g_main_dispatch (context=0x65ea80) at gmain.c:3154 #23 g_main_context_dispatch (context=context@entry=0x65ea80) at gmain.c:3769 #24 0x00007fffe9aed4e8 in g_main_context_iterate (context=context@entry=0x65ea80, block=block@entry=0x0, dispatch=dispatch@entry=0x1, self=<optimized out>) at gmain.c:3840 #25 0x00007fffe9aed58c in g_main_context_iteration (context=0x65ea80, may_block=0x0) at gmain.c:3901 #26 0x00007fffeabb61f0 in ?? () from /opt/openoffice4/program/libvclplug_gtk.so #27 0x00007ffff2caa45f in ?? () from /opt/openoffice4/program/libvcl.so #28 0x00007ffff2ca9667 in Application::Execute() () from /opt/openoffice4/program/libvcl.so #29 0x00007ffff777e93e in ?? () from /opt/openoffice4/program/libsofficeapp.so #30 0x00007ffff2cad7eb in ?? () from /opt/openoffice4/program/libvcl.so #31 0x00007ffff2cad8b6 in SVMain() () from /opt/openoffice4/program/libvcl.so #32 0x00007ffff77a5f8c in soffice_main () from /opt/openoffice4/program/libsofficeapp.so #33 0x0000000000400f7b in main () #34 0x00007ffff6646f45 in __libc_start_main (main=0x400f70 <main>, argc=0x6, argv=0x7fffffffdf18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf08) at libc-start.c:287 #35 0x0000000000400eb9 in _start () let's check the write address `rdi+0x10`: gdb-peda$ vmmap $rdi+0x10 Start End Perm Name 0x00007fffc2ef1000 0x00007fffc3568000 r-xp /opt/openoffice4/program/libsd.so ``` As we can see an attempt to write is made in an address range of the mapped file libsd.so, which results in an access violation because of the pages that contain this mapped file are set to read and execute permissions, but not write. To understand why this vulnerability appears, we will look at the vulnerable function in the source code: ``` filter\source\msfilter\svdfppt.cxx : 4343 PPTStyleSheet::PPTStyleSheet( const DffRecordHeader& rSlideHd, SvStream& rIn, SdrPowerPointImport& rManager, const PPTTextCharacterStyleAtomInterpreter& / *rTxCFStyle*/, const PPTTextParagraphStyleAtomInterpreter& rTxPFStyle, const PPTTextSpecInfo& rTextSpecInfo ) : Line 4373 DffRecordHeader* pEnvHeader = rManager.aDocRecManager.GetRecordHeader( PPT_PST_Environment ); Line 4374 if ( pEnvHeader ) Line 4375 { Line 4376 pEnvHeader->SeekToContent( rIn ); Line 4377 DffRecordHeader aTxMasterStyleHd; Line 4378 while ( rIn.Tell() < pEnvHeader->GetRecEndFilePos() ) Line 4379 { Line 4380 rIn >> aTxMasterStyleHd; Line 4381 if ( aTxMasterStyleHd.nRecType == PPT_PST_TxMasterStyleAtom ) Line 4382 { Line 4383 sal_uInt16 nLevelAnz; Line 4384 rIn >> nLevelAnz; Line 4385 Line 4386 sal_uInt16 nLev = 0; Line 4387 sal_Bool bFirst = sal_True; Line 4388 bFoundTxMasterStyleAtom04 = sal_True; Line 4389 while ( rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz ) Line 4390 { Line 4391 if ( nLev ) Line 4392 { Line 4393 mpParaSheet[ TSS_TYPE_TEXT_IN_SHAPE ]->maParaLevel[ nLev ] = mpParaSheet[ TSS_TYPE_TEXT_IN_SHAPE ]->maParaLevel[ nLev - 1 ]; Line 4394 mpCharSheet[ TSS_TYPE_TEXT_IN_SHAPE ]->maCharLevel[ nLev ] = mpCharSheet[ TSS_TYPE_TEXT_IN_SHAPE ]->maCharLevel[ nLev - 1 ]; Line 4395 } Line 4396 mpParaSheet[ TSS_TYPE_TEXT_IN_SHAPE ]->Read( rManager, rIn, sal_True, nLev, bFirst ); (...) Line 4412 mpCharSheet[ TSS_TYPE_TEXT_IN_SHAPE ]->Read( rIn, sal_True, nLev, bFirst ); Line 4413 mpParaSheet[ TSS_TYPE_TEXT_IN_SHAPE ]->UpdateBulletRelSize( nLev, mpCharSheet[ TSS_TYPE_TEXT_IN_SHAPE ]->maCharLevel[ nLev ].mnFontHeight ); Line 4414 bFirst = sal_False; Line 4415 nLev++; (...) Line 4418 } Line 4419 else Line 4420 aTxMasterStyleHd.SeekToEndOfRecord( rIn ); ``` First of all code in the while loop at `Line 4378` searches for a PPTPSTTxMasterStyleAtom record ( [MS-PPT] 2.9.35 TextMasterStyleAtom ). It finds it in the file at offset `0x957c`. ``` (gdb) p aTxMasterStyleHd $8 = {nRecVer = 0 '\000', nRecInstance = 4, nImpVerInst = 64, nRecType = 4003, nRecLen = 4294901870, nFilePos = 380} ``` Next, we see that `nLevelAnz` is read at `line 4384`. According to documentation: ``` cLevels (2 bytes): An unsigned integer that specifies the number of style levels. It MUST be less than or equal to 0x0005. ``` but in our case its value is equal: ``` (gdb) n 4384 rIn >> nLevelAnz; (gdb) p nLevelAnz $9 = 65535 (0xffff) We also see the following: PPTParaLevel maParaLevel[ 5 ]; and PPTCharLevel maCharLevel[ 5 ]; ``` The lack of enforcement of the constraint that `nLevelAnz` must be less than 5 results in the vulnerability. The variables `maParaLevel` and `maCharLevel` are written to at lines `4393-4394`. Our invalid value will cause `nLev` to be bigger than 4 in the loop, which will result in an out of bound write. This can then lead to arbitrary code execution. ### Crash Information ``` gdb-peda$ context [----------------------------------registers-----------------------------------] RAX: 0xb70 ('p\x0b') RBX: 0x28a RCX: 0x7fffc2ef0fdc --> 0x800000000010000 RDX: 0x7fffc2a4fd88 --> 0x64000020220000 ('') RSI: 0x7fffc2a45170 --> 0x0 RDI: 0x7fffc2ef0ff0 --> 0x800000000010000 RBP: 0x28a RSP: 0x7fffffffa7b0 --> 0x1 RIP: 0x7fffc2571dfc (mov WORD PTR [rdi+0x10],ax) R8 : 0x5140 ('@Q') R9 : 0x0 R10: 0x7fffc2a4f9c8 --> 0x7ffff09eca80 --> 0x7ffff07bfa64 (<_ZN16SotStorageStream7GetDataEPvm>: push rbp) R11: 0xc8 R12: 0x0 R13: 0x28a R14: 0x7fffc2a3f148 --> 0x7fffc2a77848 --> 0x7fffc2a413e8 --> 0x7b ('{') R15: 0x7fffc2a4f9c8 --> 0x7ffff09eca80 --> 0x7ffff07bfa64 (<_ZN16SotStorageStream7GetDataEPvm>: push rbp) EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7fffc2571df0: mov rax,QWORD PTR [rcx+0x8] 0x7fffc2571df4: mov QWORD PTR [rdi+0x8],rax 0x7fffc2571df8: movzx eax,WORD PTR [rcx+0x10] => 0x7fffc2571dfc: mov WORD PTR [rdi+0x10],ax 0x7fffc2571e00: mov rax,QWORD PTR [rsp+0x28] 0x7fffc2571e05: movzx r12d,r9b 0x7fffc2571e09: mov r8d,ebx 0x7fffc2571e0c: mov r9d,r12d [------------------------------------stack-------------------------------------] 0000| 0x7fffffffa7b0 --> 0x1 0008| 0x7fffffffa7b8 --> 0x966f08 --> 0x7ffff7ffe480 --> 0x6db1b0 --> 0x7ffff7ffe1c8 --> 0x0 0016| 0x7fffffffa7c0 --> 0x7fffffffb160 --> 0x1 0024| 0x7fffffffa7c8 --> 0x7ffff7ed8808 --> 0x7fffc27ab310 --> 0x7fffc25730b0 (<_ZNK19SdrPowerPointImport9ImportOLEElRK7GraphicRK9RectangleS5_il>: push r15) 0032| 0x7fffffffa7d0 --> 0x7fffffffb0b0 --> 0xfc9000f0000b10f 0040| 0x7fffffffa7d8 --> 0x7fffc2a45170 --> 0x0 0048| 0x7fffffffa7e0 --> 0x7ffff7ed9000 --> 0x10000000b 0056| 0x7fffffffa7e8 --> 0x3e8a00000000 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV gdb-peda$ bt #0 0x00007fffc2571dfc in ?? () from /opt/openoffice4/program/libmsfilter.so #1 0x00007fffc2577c4d in SdrPowerPointImport::SdrPowerPointImport(PowerPointImportParam&, String const&) () from /opt/ openoffice4/program/libmsfilter.so #2 0x00007fffc27c702e in ?? () from /opt/openoffice4/program/libsdfilt.so #3 0x00007fffc27c74e9 in ?? () from /opt/openoffice4/program/libsdfilt.so #4 0x00007fffc27ceafb in ImportPPT () from /opt/openoffice4/program/libsdfilt.so #5 0x00007fffc326c4c8 in ?? () from /opt/openoffice4/program/../program/libsd.so #6 0x00007fffc318884d in sd::DrawDocShell::ConvertFrom(SfxMedium&) () from /opt/openoffice4/program/../program/libsd.so #7 0x00007ffff4ccc02f in SfxObjectShell::DoLoad(SfxMedium*) () from /opt/openoffice4/program/libsfx.so #8 0x00007ffff4cf2202 in SfxBaseModel::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /opt/openoffice4/program/libsfx.so #9 0x00007ffff4d47093 in ?? () from /opt/openoffice4/program/libsfx.so #10 0x00007fffee2a6750 in ?? () from /opt/openoffice4/program/libfwk.so #11 0x00007fffee2a707e in ?? () from /opt/openoffice4/program/libfwk.so #12 0x00007fffee2619a0 in ?? () from /opt/openoffice4/program/libfwk.so #13 0x00007fffee261c0e in ?? () from /opt/openoffice4/program/libfwk.so #14 0x00007ffff5d38868 in comphelper::SynchronousDispatch::dispatch(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) () from /opt/openoffice4/program/ libcomphelpgcc3.so #15 0x00007ffff77971a3 in ?? () from /opt/openoffice4/program/libsofficeapp.so #16 0x00007ffff77a33a6 in ?? () from /opt/openoffice4/program/libsofficeapp.so #17 0x00007ffff77831f0 in ?? () from /opt/openoffice4/program/libsofficeapp.so #18 0x00007ffff7784d0a in ?? () from /opt/openoffice4/program/libsofficeapp.so #19 0x00007ffff2ec6ab3 in ?? () from /opt/openoffice4/program/libvcl.so #20 0x00007fffea8f9b27 in SalDisplay::DispatchInternalEvent() () from /opt/openoffice4/program/libvclplug_gen.so #21 0x00007fffeabb63b4 in ?? () from /opt/openoffice4/program/libvclplug_gtk.so #22 0x00007fffe9aed175 in g_main_dispatch (context=0x65ea80) at gmain.c:3154 #23 g_main_context_dispatch (context=context@entry=0x65ea80) at gmain.c:3769 #24 0x00007fffe9aed4e8 in g_main_context_iterate (context=context@entry=0x65ea80, block=block@entry=0x0, dispatch=dispatch@entry=0x1, self=<optimized out>) at gmain.c:3840 #25 0x00007fffe9aed58c in g_main_context_iteration (context=0x65ea80, may_block=0x0) at gmain.c:3901 #26 0x00007fffeabb61f0 in ?? () from /opt/openoffice4/program/libvclplug_gtk.so #27 0x00007ffff2caa45f in ?? () from /opt/openoffice4/program/libvcl.so #28 0x00007ffff2ca9667 in Application::Execute() () from /opt/openoffice4/program/libvcl.so #29 0x00007ffff777e93e in ?? () from /opt/openoffice4/program/libsofficeapp.so #30 0x00007ffff2cad7eb in ?? () from /opt/openoffice4/program/libvcl.so #31 0x00007ffff2cad8b6 in SVMain() () from /opt/openoffice4/program/libvcl.so #32 0x00007ffff77a5f8c in soffice_main () from /opt/openoffice4/program/libsofficeapp.so #33 0x0000000000400f7b in main () #34 0x00007ffff6646f45 in __libc_start_main (main=0x400f70 <main>, argc=0x6, argv=0x7fffffffdf18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf08) at libc-start.c:287 #35 0x0000000000400eb9 in _start () gdb-peda$ exploitable Description: Access violation on destination operand Short description: DestAv (9/29) Hash: 0bbf6be05d7aaa5fd446172b8afe89c9.4e7dfbc3f1e3222a4c595e370f909d8b Exploitability Classification: EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. Other tags: AccessViolation (28/29) ``` ### Timeline * 2017-03-29 - Vendor Disclosure * 2017-10-26 - Public Release |
id | SSV:96799 |
last seen | 2017-11-19 |
modified | 2017-11-06 |
published | 2017-11-06 |
reporter | Root |
title | Apache OpenOffice PPT PPTStyleSheet nLevel Code Execution Vulnerability(CVE-2017-12607) |
Talos
id | TALOS-2017-0300 |
last seen | 2019-05-29 |
published | 2017-10-26 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0300 |
title | Apache OpenOffice PPT PPTStyleSheet nLevel Code Execution Vulnerability |