CVE-2015-5212

Apache OpenOffice Advisory

CVE-2015-5212: ODF PRINTER SETTINGS VULNERABILITY

Fixed in Apache OpenOffice 4.1.2

Version 1.0
Announced November 4, 2015

A crafted ODF document can be used to create a buffer that is too small for the amount of data loaded into it, allowing an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code.

Severity: Important

There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.

Vendor: The Apache Software Foundation

Versions Affected

All Apache OpenOffice versions 4.1.1 and older are affected.
OpenOffice.org versions are also affected.

Mitigation

Apache OpenOffice users are urged to download and install Apache OpenOffice version 4.1.2 or later. Use of in-document control of printer settings is disabled in 4.1.2.

Precautions

Users who do not upgrade to Apache OpenOffice 4.1.2 can disable the vulnerability directly by declining to use printer settings provided as part of ODF Documents:

  1. In Apache OpenOffice, open the Tools menu and select the Options entry.
  2. Under the Load/Save item, on its General sub-item, clear the "Load printer settings with the document" check box.
  3. Click "OK".
  4. This setting will apply to all documents loaded thereafter.
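
For triage on systems that cannot be upgraded right away, the following added example (not part of the advisory and not Apache OpenOffice code) lists the printer settings an ODF document carries. It assumes those settings are stored in the package's settings.xml as config items whose names begin with "Printer" (such as PrinterName and PrinterSetup); the function names and the sample document are hypothetical and constructed for illustration.

```python
import base64
import binascii
import io
import xml.etree.ElementTree as ET
import zipfile

CONFIG_NS = "urn:oasis:names:tc:opendocument:xmlns:config:1.0"
MAX_SETTINGS_BYTES = 8 * 1024 * 1024  # refuse to parse an oversized settings.xml
ITEM = '<config:config-item config:name="%s" config:type="%s">%s</config:config-item>'


def printer_items(odf_bytes):
    """Return [(item name, payload size in bytes)] for non-empty printer config items."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        if "settings.xml" not in zf.namelist():
            return []
        if zf.getinfo("settings.xml").file_size > MAX_SETTINGS_BYTES:
            raise ValueError("settings.xml too large to inspect")
        root = ET.fromstring(zf.read("settings.xml"))
    found = []
    for item in root.iter(f"{{{CONFIG_NS}}}config-item"):
        name = item.get(f"{{{CONFIG_NS}}}name", "")
        text = (item.text or "").strip()
        if not name.startswith("Printer") or not text:  # assumed naming convention
            continue
        if item.get(f"{{{CONFIG_NS}}}type") == "base64Binary":
            try:
                size = len(base64.b64decode(text))
            except binascii.Error:
                size = None  # payload is not valid base64
        else:
            size = len(text.encode("utf-8"))
        found.append((name, size))
    return found


def build_sample(setup_blob):
    """Constructed input: a minimal ODF-like zip whose settings.xml has printer items."""
    xml = (
        '<office:document-settings xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        f' xmlns:config="{CONFIG_NS}"><office:settings><config:config-item-set config:name="s">'
        + ITEM % ("PrinterName", "string", "Example Printer")
        + ITEM % ("PrinterSetup", "base64Binary", base64.b64encode(setup_blob).decode())
        + ITEM % ("AddFrameOffsets", "boolean", "false")
        + "</config:config-item-set></office:settings></office:document-settings>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("settings.xml", xml)
    return buf.getvalue()
```

A non-empty result only shows that the document carries printer settings, which is normal for documents saved by the suite; it does not indicate whether the document is crafted.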

Further Information

For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.

The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.

Credits

The discoverer of this vulnerability wishes to remain anonymous.
Apache OpenOffice security team thanks Caolán McNamara of Red Hat for analysis and a repair solution.

