oss-sec mailing list archives

Apache OpenOffice 4.1.4 - fixes CVE-2017-3157 CVE-2017-9806 CVE-2017-12607 CVE-2017-12608


From: Andrea Pescetti <pescetti () apache org>
Date: Mon, 1 Jan 2018 11:35:46 +0100

(I'm not subscribed to the list, so please CC me when replying, thanks)

Apache OpenOffice 4.1.5 was released on 30 Dec 2017.

- No security vulnerabilities fixed in this release; listed here just to avoid confusion.

Apache OpenOffice 4.1.4 was released on 19 Oct 2017.

- This release contained 4 security fixes that had not been reported to this list at release time; they are listed below.


## 1. CVE-2017-3157: Arbitrary file disclosure in Calc and Writer

By exploiting the way OpenOffice renders embedded objects, an attacker could craft a document that reads a file from the user's filesystem. The attacker could then retrieve the file's content by, for example, storing it in hidden sections, tricking the user into saving the document, and convincing the user to send the document back to the attacker.

The vulnerability is mitigated by the need for the attacker to know the precise file path on the target system, and by the need to trick the user into saving the document and sending it back.

Thanks to Ben Hayak for reporting this issue.


## 2. CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor

A vulnerability in the OpenOffice Writer DOC file parser, and specifically in the WW8Fonts constructor, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution.

Thanks to Marcin 'Icewall' Noga of Cisco Talos for discovering this issue.


## 3. CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter

A vulnerability in OpenOffice's PPT file parser, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution.

Thanks to Marcin 'Icewall' Noga of Cisco Talos for discovering this issue.


## 4. CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles

A vulnerability in the OpenOffice Writer DOC file parser, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution.

Thanks to Marcin 'Icewall' Noga of Cisco Talos for discovering this issue.
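The three out-of-bounds writes above (items 2 to 4) belong to a bug class common in binary document parsers: a count or length read from the file drives writes into a fixed-size destination without being checked against that destination's capacity or the remaining input. The advisory gives no code for the affected functions, so the C program below is an added illustration of the class and of the defensive check, not OpenOffice code. The record layout (16-bit little-endian count followed by 4-byte entries), the MAX_FONTS limit, the function names and the sample bytes are assumptions constructed for this example and do not describe the real WW8Fonts, PPTStyleSheet or ImportOldFormatStyles structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout, for illustration only (not the real WW8/PPT structures):
 * a little-endian 16-bit entry count, then `count` entries of 4 bytes each. */
#define MAX_FONTS  8
#define ENTRY_SIZE 4

typedef struct {
    uint32_t entries[MAX_FONTS];  /* fixed-size destination buffer */
    size_t   count;
} font_table_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the count is taken straight from the file and used as the
 * loop bound. A count larger than MAX_FONTS writes past the end of `entries`,
 * and a short input is read past its end. Kept only for comparison; never call
 * it on untrusted data. */
int parse_font_table_unchecked(const uint8_t *buf, size_t len, font_table_t *out) {
    if (len < 2) return -1;
    uint16_t n = (uint16_t)(buf[0] | (buf[1] << 8));
    for (size_t i = 0; i < n; i++)
        out->entries[i] = read_le32(buf + 2 + ENTRY_SIZE * i);
    out->count = n;
    return 0;
}

/* Hardened version: validate the file-supplied count against both the
 * destination capacity and the bytes actually present before any write.
 * Return codes: 0 ok, -1 header truncated, -2 count exceeds capacity,
 * -3 body truncated. */
int parse_font_table_checked(const uint8_t *buf, size_t len, font_table_t *out) {
    if (len < 2) return -1;
    uint16_t n = (uint16_t)(buf[0] | (buf[1] << 8));
    if (n > MAX_FONTS) return -2;                 /* would overflow entries[] */
    if ((len - 2) / ENTRY_SIZE < n) return -3;    /* fewer entries than claimed */
    for (size_t i = 0; i < n; i++)
        out->entries[i] = read_le32(buf + 2 + ENTRY_SIZE * i);
    out->count = n;
    return 0;
}

int main(void) {
    font_table_t t;
    /* Constructed sample: count = 2, entries 0x11111111 and 0x22222222 */
    const uint8_t good[] = {0x02, 0x00, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22};
    /* Constructed sample: count = 0xFFFF but only one entry present */
    const uint8_t bad[]  = {0xFF, 0xFF, 0x11, 0x11, 0x11, 0x11};
    printf("good sample -> %d\n", parse_font_table_checked(good, sizeof good, &t));
    printf("bad sample  -> %d\n", parse_font_table_checked(bad, sizeof bad, &t));
    return 0;
}
```

The order of the checks matters: the capacity test runs before the length test so that a huge count is rejected without the arithmetic ever approaching the input buffer, and both run before the first write so a rejected record leaves the destination untouched. Fuzzing the checked parser with counts of 0, MAX_FONTS, MAX_FONTS+1 and 0xFFFF, and with bodies one byte short, is the quickest regression test for this class.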


See https://www.openoffice.org/security/bulletin.html for more information.

Posted by Andrea Pescetti on behalf of the Apache OpenOffice Security Team

