<!DOCTYPE html>
<html>
<head>
<title>CVE-2015-5212</title>
<style type="text/css"></style>
</head>
<body>
<!-- These were previously defined as XHTML pages. The current
wrapping for the site introduces HTML5 headers and formats.
This version is modified to match the wrapping that is done as part
of publishing this page and not rely on any particular styling
beyond <p>.
-->
<p>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5212">CVE-2015-5212</a>
</p>
<p>
<a href="https://www.openoffice.org/security/cves/CVE-2015-5212.html">Apache OpenOffice Advisory</a>
</p>
<p style="text-align:center; font-size:largest"><strong>CVE-2015-5212:
ODF PRINTER SETTINGS VULNERABILITY</strong></p>
<p style="text-align:center; font-size:larger"><strong>Fixed in Apache OpenOffice 4.1.2</strong></p>
<p>
<strong>Version 1.0</strong>
<br />
Announced November 4, 2015</p>
<p>
A crafted ODF document can be used to create a buffer that is
too small for the amount of data loaded into it, allowing an
attacker to cause denial of service (memory corruption and
application crash) and possible execution of arbitrary code.
</p>
<p>
<strong>Severity: Important</strong>
</p>
<p>There are no known exploits of this vulnerability.<br />
A proof-of-concept demonstration exists.</p>
<p>
<strong>Vendor: The Apache Software Foundation</strong>
</p>
<p>
<strong>Versions Affected</strong></p>
<p>All Apache OpenOffice versions 4.1.1 and older are affected.<br />
OpenOffice.org versions are also affected.</p>
<p>
<strong>Mitigation</strong>
</p>
<p>Apache OpenOffice users are urged to download and install
Apache OpenOffice version 4.1.2 or later. Use of in-document
control of printer settings is disabled in 4.1.2.</p>
<p>
<strong>Precautions</strong>
</p>
<p>
Users who do not upgrade to Apache OpenOffice 4.1.2
can disable the vulnerability directly by declining to use printer
settings provided as part of ODF Documents:</p>
<ol><li>In Apache OpenOffice, select the Options entry in the Tools menu.</li>
<li>In the Options dialog, on the General sub-item of the Load/Save item,
remove any check for "Load printer settings with the document".</li>
<li>Click "OK".</li>
<li>This setting will apply to all documents loaded thereafter.</li>
</ol>
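<p>One way to verify across user profiles that the precaution above is in place. This is an added example, not part of the original advisory or of Apache OpenOffice. It assumes the option is stored in the profile's <code>registrymodifications.xcu</code> as the <code>LoadPrinter</code> property under <code>/org.openoffice.Office.Common/Save/Document</code>; the sample profiles are constructed.</p>

```python
import sys
import xml.etree.ElementTree as ET

OOR = "{http://openoffice.org/2001/registry}"
# Assumed storage location of "Load printer settings with the document".
OPTION_PATH = "/org.openoffice.Office.Common/Save/Document"
OPTION_NAME = "LoadPrinter"

# Constructed sample profiles (not taken from a real installation).
SAMPLE_OFF = f"""<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="{OPTION_PATH}"><prop oor:name="{OPTION_NAME}" oor:op="fuse"><value>false</value></prop></item>
</oor:items>"""
SAMPLE_ON = SAMPLE_OFF.replace("<value>false", "<value>true")
SAMPLE_UNSET = f"""<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="{OPTION_PATH}"><prop oor:name="CreateBackup" oor:op="fuse"><value>true</value></prop></item>
</oor:items>"""


def load_printer_state(xcu_text):
    """Classify one profile: 'disabled', 'enabled', 'default' or 'unreadable'."""
    try:
        root = ET.fromstring(xcu_text)
    except ET.ParseError:
        return "unreadable"
    state = "default"  # no explicit entry: the built-in default applies
    for item in root.iter("item"):
        if item.get(OOR + "path") != OPTION_PATH:
            continue
        for prop in item.iter("prop"):
            if prop.get(OOR + "name") != OPTION_NAME:
                continue
            value = (prop.findtext("value") or "").strip().lower()
            if value in ("true", "false"):  # a later entry overrides an earlier one
                state = "enabled" if value == "true" else "disabled"
    return state


def precaution_applied(xcu_text):
    """True only when the option is explicitly switched off in the profile."""
    return load_printer_state(xcu_text) == "disabled"


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. each user's registrymodifications.xcu
        with open(path, "rb") as handle:
            print(path, load_printer_state(handle.read()))
```

<p>A result of <code>default</code> or <code>unreadable</code> should be treated as "precaution not confirmed" and followed up by hand or by upgrading to 4.1.2.</p>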
<p>
<strong>Further Information</strong>
</p>
<p>For additional information and assistance, consult the
<a href="https://forum.openoffice.org/">Apache OpenOffice Community Forums</a>
or make requests to the
<a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a>
public mailing list.
</p>
<p>The latest information on Apache OpenOffice security bulletins
can be found at the <a href="https://www.openoffice.org/security/bulletin.html">Bulletin
Archive page</a>.</p>
<p><strong>Credits</strong></p>
<p>
The discoverer of this vulnerability wishes to remain anonymous.<br />
The Apache OpenOffice security team thanks Caolán McNamara of Red Hat for
analysis and a repair solution.
</p>
</body>
</html>