security CVE 2014-3575

Thanks for taking your time to report this issue and help making Ubuntu better.

I searched the Ubuntu CVE tracker, and it claims that this issue does not apply to Ubuntu (http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3575.html). I am not familiar with this issue though, so it would be nice if we could get a comment from someone who are.

Dear Hans,
I have to apologize myself for the late answer,
I was quite busy at School.
Anyway, I have not the skills to reproduce the bug,
neither I have found any documentation about how to reproduce it.

I simply noticed the following announced updates:

   1. fedora on 11/9/2014 pushed an update fedora libreoffice update
   against 4.2.6

   <https://admin.fedoraproject.org/updates/FEDORA-2014-10732/libreoffice-4.2.6.3-3.fc20?_csrf_token=64d5a5974814b08b5ab603be5c3c633bdc612ee7>
   2. opensuse on 15/9/2014 pushed an update opensuse libreoffice update
   <http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00018.html>

   3. upstream libreoffice webpage
   <https://www.libreoffice.org/about-us/security/advisories/cve-2014-3575/>

they all speak as the vulnerability is against libreoffice earlier than
4.2.5 and linux
*any*
This is the best evidence I can produce.

I hope this mail to have been usefull,
and forgive my bad english :).
Best regards
Tiziano

2014-10-18 15:59 GMT+02:00 Hans Joachim Desserud <<email address hidden>
>:

> Thanks for taking your time to report this issue and help making Ubuntu
> better.
>
> I searched the Ubuntu CVE tracker, and it claims that this issue does
> not apply to Ubuntu (http://people.canonical.com/~ubuntu-
> security/cve/2014/CVE-2014-3575.html). I am not familiar with this issue
> though, so it would be nice if we could get a comment from someone who
> are.
>
> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2014-3575
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1380711
>
> Title:
> security CVE 2014-3575
>
> Status in "libreoffice" package in Ubuntu:
> New
>
> Bug description:
> dear mantainers, as you can see here
> http://www.securitytracker.com/id/1030804, libreoffice earlier than
> 4.2.6 secfix1 is vulnerable, as apache openoffice earlier than 4.1.1
> to CVE 2014-3575, if i understan correctly the report.
>
> thank's for you work.
> best regards
> Tiziano Casavecchia
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1380711/+subscriptions
>

Thanks for the links. Indeed, Fedora and OpenSuse has patched this.

I've subscribed the Ubuntu Security Team, so that someone there can take a look at this issue and decide whether it should be done for Ubuntu too.

This bug was fixed in the package libreoffice - 1:3.5.7-0ubuntu7

---------------
libreoffice (1:3.5.7-0ubuntu7) precise-security; urgency=medium

  * SECURITY UPDATE: fix OLE objects (LP: #1380711)
    - CVE-2014-3575
  * disable external mozilla header to fix FTBFS
 -- Bjoern Michaelsen <email address hidden> Wed, 22 Oct 2014 16:11:30 +0200

Note that trusty already had been updated to 4.2.6~rc3 (aka 4.2.6.3 aka 4.2.6-secfix) thus already was fixed. Utopic and Vivid had versions higher than 4.3.1 at release and thus were never vulnerable.