Vulnerabilities > CVE-2017-14226 - Out-of-bounds Read vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
WP1StylesListener.cpp, WP5StylesListener.cpp, and WP42StylesListener.cpp in libwpd 0.10.1 mishandle iterators, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the WPXTableList class in WPXTable.cpp). This vulnerability can be triggered in LibreOffice before 5.3.7. It may lead to suffering a remote attack against a LibreOffice application.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2931-1.NASL description This update for libwpd fixes the following issues: Security issue fixed : - CVE-2017-14226: WP1StylesListener.cpp, WP5StylesListener.cpp, and WP42StylesListener.cpp in libwpd 0.10.1 mishandle iterators, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the WPXTableList class in WPXTable.cpp). This vulnerability can be triggered in LibreOffice before 5.3.7. It may lead to suffering a remote attack against a LibreOffice application. (bnc#1058025) Bugfixes : - Fix various crashes, leaks and hangs when reading damaged files found by oss-fuzz. - Fix crash when NULL is passed as input stream. - Use symbol visibility on Linux. The library only exports public functions now. - Avoid infinite loop. (libwpd#3) - Remove bashism. (libwpd#5) - Fix various crashes and hangs when reading broken files found with the help of american-fuzzy-lop. - Make --help output of all command line tools more help2man-friendly. - Miscellaneous fixes and cleanups. - Generate manpages for the libwpd-tools Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104427 published 2017-11-07 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104427 title SUSE SLED12 Security Update : libwpd (SUSE-SU-2017:2931-1) NASL family Fedora Local Security Checks NASL id FEDORA_2017-5128C8CFE2.NASL description new upstream release ---- - heap overflow in libwpd Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-15 plugin id 105876 published 2018-01-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105876 title Fedora 27 : libwpd (2017-5128c8cfe2) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1274.NASL description According to the version of the libwpd package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - WP1StylesListener.cpp, WP5StylesListener.cpp, and WP42StylesListener.cpp in libwpd 0.10.1 mishandle iterators, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the WPXTableList class in WPXTable.cpp). This vulnerability can be triggered in LibreOffice before 5.3.7. It may lead to suffering a remote attack against a LibreOffice application.(CVE-2017-14226) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-11-02 plugin id 104327 published 2017-11-02 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104327 title EulerOS 2.0 SP1 : libwpd (EulerOS-SA-2017-1274) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1247.NASL description This update for libwpd fixes the following issues : Security issue fixed : - CVE-2017-14226: WP1StylesListener.cpp, WP5StylesListener.cpp, and WP42StylesListener.cpp in libwpd 0.10.1 mishandle iterators, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the WPXTableList class in WPXTable.cpp). This vulnerability can be triggered in LibreOffice before 5.3.7. It may lead to suffering a remote attack against a LibreOffice application. (bnc#1058025) Bugfixes : - Fix various crashes, leaks and hangs when reading damaged files found by oss-fuzz. - Fix crash when NULL is passed as input stream. - Use symbol visibility on Linux. The library only exports public functions now. - Avoid infinite loop. (libwpd#3) - Remove bashism. (libwpd#5) - Fix various crashes and hangs when reading broken files found with the help of american-fuzzy-lop. - Make --help output of all command line tools more help2man-friendly. - Miscellaneous fixes and cleanups. - Generate manpages for the libwpd-tools This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2017-11-07 plugin id 104422 published 2017-11-07 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104422 title openSUSE Security Update : libwpd (openSUSE-2017-1247) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1275.NASL description According to the version of the libwpd package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - WP1StylesListener.cpp, WP5StylesListener.cpp, and WP42StylesListener.cpp in libwpd 0.10.1 mishandle iterators, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the WPXTableList class in WPXTable.cpp). This vulnerability can be triggered in LibreOffice before 5.3.7. It may lead to suffering a remote attack against a LibreOffice application.(CVE-2017-14226) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-11-02 plugin id 104328 published 2017-11-02 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104328 title EulerOS 2.0 SP2 : libwpd (EulerOS-SA-2017-1275) NASL family Fedora Local Security Checks NASL id FEDORA_2017-63FF51C0DC.NASL description new upstream release ---- - heap overflow in libwpd Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-09-20 plugin id 103335 published 2017-09-20 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103335 title Fedora 26 : libwpd (2017-63ff51c0dc)
References
- https://bugs.documentfoundation.org/show_bug.cgi?id=112269
- https://bugs.documentfoundation.org/show_bug.cgi?id=112269
- https://bugzilla.redhat.com/show_bug.cgi?id=1489337
- https://bugzilla.redhat.com/show_bug.cgi?id=1489337
- https://cgit.freedesktop.org/libreoffice/core/commit/?id=dd89afa6ee8166b69e7a1e86f22616ca8fc122c9
- https://cgit.freedesktop.org/libreoffice/core/commit/?id=dd89afa6ee8166b69e7a1e86f22616ca8fc122c9
- https://sourceforge.net/p/libwpd/code/ci/0329a9c57f9b3b0efa0f09a5235dfd90236803a5/
- https://sourceforge.net/p/libwpd/code/ci/0329a9c57f9b3b0efa0f09a5235dfd90236803a5/
- https://sourceforge.net/p/libwpd/code/ci/f40827b3eae260ce657c67d9fecc855b09dea3c3/
- https://sourceforge.net/p/libwpd/code/ci/f40827b3eae260ce657c67d9fecc855b09dea3c3/
- https://sourceforge.net/p/libwpd/tickets/14/
- https://sourceforge.net/p/libwpd/tickets/14/