05 Oct 2011

The Document Foundation publishes details of LibreOffice 3.4.3 security fixes

Posted in Announcements, Technology By Italo Vignoli On October 5, 2011

The Internet, October 4, 2011 – The Document Foundation (TDF) publishes some details of the security fixes included with the recently released LibreOffice 3.4.3, and included in the older 3.3.4 version. Following industry best practice, details of security fixes are withheld until users have been given time to migrate to the new version.

RedHat security researcher Huzaifa Sidhpurwala identified a memory corruption vulnerability in the code responsible for loading Microsoft Word documents in LibreOffice. This flaw could have been used for nefarious purposes, such as installing viruses, through a specially-crafted file. The corresponding vulnerability description is CVE-2011-2713,”Out-of-bounds property read in binary .doc filter”.

LibreOffice 3.4.3 also includes various improvements to the loading of Windows Metafile (.wmf) and Windows Enhanced Metafile (.emf) image formats that were found through fuzz testing.

LibreOffice developers have developed some additional security patches and fixes. These are part of a general set of development improvements which are reflected in the overall quality and stability of the software. Most LibreOffice 3.4.3 security fixes have been developed by Caolan McNamara of RedHat and Marc-André Laverdière of Tata Consultancy Services.

“Working on fuzzing LibreOffice import filters has been a great experience, and I am glad I could contribute in securing the computing experience of millions of users,” said Marc-André Laverdière, Scientist, TCS Innovation Labs, Tata Consultancy Services, Ltd. “Working in cooperation with the TDF development team, we have found and fixed serious security and crasher bugs.”

All users are recommended to upgrade to LibreOffice 3.4.3 as soon as possible, in order to benefit from the improved security of the office suite. LibreOffice 3.4.3 can be downloaded from http://www.libreoffice.org.

Comments

  1. By Jakob Eriksson

    Thank!

  2. By Steffen Schaumburg

    No offence but calling this procedure “industry best practice” is quite a stretch. Expecting people to make a critical security update when you don’t tell them that it’s a critical security update also seems illogical. You should at least point out that an update includes security fixes. Or, if you’re not sure if bugfixes are security-relevant, say it similar to how the kernel does. But apart from these communication issues, keep up the great work!

    • By italovignoli

      Both announcements of LibreOffice 3.4.3 and LibreOffice 3.3.4 mentioned the security fixes, without telling which ones. This is the way announcements are handled in the software industry, since 1987 (when I started handling PC software announcements on behalf of third parties). This is the way security announcements have always been handled inside the OOo project.

  3. By huzaifa

    This is really a out of bounds read and all it can cause is application crash.
    Why is it called “This flaw could have been used for nefarious purposes, such as installing viruses, through a specially-crafted file” ?

    Thanks!

    • By italovignoli

      The text has been written by our security specialists, and reviewed by our developers. I will forward them your question.

    • By Jesús Corrius

      You can find more information in this wikipedia article:

      http://en.wikipedia.org/wiki/Buffer_overflow

      Cheers,

    • By Lee Dowling

      It’s not hard to imagine that at all – anything that deals with, e.g. size of memory structures, number of items to read etc. can potentially overflow and cause a read *OR WRITE* from/to application memory (outside application memory should trigger a page fault). That’s how almost all buffer overflows work to create opportunities to execute native code in vast ranges of exploits used in viruses, etc. Now, a lot of protection is available in terms of DEP, ASLR, etc. but they are by no means infallible (the last is actually nothing more than “let’s juggle important stuff in memory so the exploits have to guess harder about where it is”).

      This is why a lot of exploits “crash” a machine some of the time – an overflow is a reliable, but not perfect, way to start writing data into application memory. If you craft the data right, time the exploit right, and know the software well enough, you *can* cause arbitrary code execution. That said, LibreOffice is partly written in Java, which has it’s own boundaries and protections, but it’s not at all difficult to find viruses and malware that exploit simple over-reads like that (even if the trigger is JUST a read – you can easily cause it to read invalid values if there are insufficient checks and have memory allocations that overlap, which allows you to write further file data into areas it was never meant to get written to, etc. which can cause all sorts of problems) to execute code.

      More importantly – someone *IS* going through, fuzz-testing things and looking for these holes (which are also reported to exist in OpenOffice, so obviously someone *wasn’t* doing the same on OOo code) – it’s not like the MS Word import filter is underused in the real world. The bug is found. The fix is out. People have upgraded and been told to upgrade. That’s 99.9% of the way to application security. The next step is to let the interested people look and see exactly what the hole was (after checking nothing else is affected by very-similar code, etc.).

  4. By Maurice Helwig

    Sorry for the poor spelling in the previous post

    Have you fixed the install problems as yet?
    I cannot get Version 3,4,3 to install but the official portable version will install to my USB stick ok
    The problem seems to be with the MSI installer.
    I do not know where to discuss this problem so I am putting this post here.
    I can be contacted on mbh@gmail.com if anyone has some help for me.
    If nothing comes of this post then I am going back to OpenOffice until LibreOffice is fixed

    Maurice Helwig