Mageia alert MGASA-2014-0447 (libreoffice)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2014-0447: Updated libreoffice packages fix security vulnerabilities 
Date:
    	     
 
Fri, 14 Nov 2014 02:25:01 +0100
Message-ID:
    	     
 
<20141114012501.3578A5D631@valstar.mageia.org>
MGASA-2014-0447 - Updated libreoffice packages fix security vulnerabilities

Publication date: 14 Nov 2014
URL: http://advisories.mageia.org/MGASA-2014-0447.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-0247,
     CVE-2014-3575

Description:
It was discovered during routine code review that LibreOffice unconditionally
executed certain VBA macros on loading Microsoft Office documents, contrary
to user expectations (CVE-2014-0247).

A vulnerability in LibreOffice allows an attacker to send a document which
when opened will trigger the prompt to "Update Links" but if the user cancels
that prompt may still generate and insert into the document an OLE2 preview
image of a file on the victims filesystem, Data exposure is possible if the
updated document is then distributed to other parties (CVE-2014-3575).

LibreOffice has been updated to version 4.1.6.2 and patched to fix the
CVE-2014-0247 and CVE-2014-3575 issues as well as to fix other bugs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=13580
- http://www.libreoffice.org/about-us/security/advisories/c...
- http://www.libreoffice.org/about-us/security/advisories/c...
- https://lists.fedoraproject.org/pipermail/package-announc...
- https://lists.fedoraproject.org/pipermail/package-announc...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0247
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3575

SRPMS:
- 4/core/libreoffice-4.1.6.2-1.mga4