

The Internet, October 4, 2011 - The Document Foundation (TDF) publishes
some details of the security fixes included with the recently released
LibreOffice 3.4.3, and included in the older 3.3.4 version. Following
industry best practice, details of security fixes are withheld until
users have been given time to migrate to the new version.

Red Hat security researcher Huzaifa Sidhpurwala identified a memory
corruption vulnerability in the code responsible for loading Microsoft
Word documents in LibreOffice. This flaw could have been used for
nefarious purposes, such as installing viruses, through a
specially-crafted file. The corresponding vulnerability description is
CVE-2011-2713, "Out-of-bounds property read in binary .doc filter".

LibreOffice 3.4.3 also includes various improvements to the loading of
Windows Metafile (.wmf) and Windows Enhanced Metafile (.emf) image
formats that were found through fuzz testing.

LibreOffice developers have developed some additional security patches
and fixes. These are part of a general set of development improvements
which are reflected in the overall quality and stability of the
software. Most LibreOffice 3.4.3 security fixes have been developed by
Caolan McNamara of Red Hat and Marc-André Laverdière of Tata Consultancy
Services.

"Working on fuzzing LibreOffice import filters has been a great
experience, and I am glad I could contribute in securing the computing
experience of millions of users," said Marc-André Laverdière, Scientist,
TCS Innovation Labs, Tata Consultancy Services, Ltd. "Working in
cooperation with the TDF development team, we have found and fixed
serious security and crasher bugs."

All users are recommended to upgrade to LibreOffice 3.4.3 as soon as
possible, in order to benefit from the improved security of the office
suite. LibreOffice 3.4.3 can be downloaded from http://www.libreoffice.org.

Short link to blog post: http://wp.me/p1byPE-bQ

-- 
Italo Vignoli - The Document Foundation
email italo.vignoli@documentfoundation.org
phone +39.348.5653829 - VoIP +39.02.320621813
skype italovignoli - italo.vignoli@gmail.com
