Apache OpenOffice 4.1.11 release

After five months of development, and seven and a half years after the last significant release, the corrective release Apache OpenOffice 4.1.11 has been published, containing 12 fixes. Prebuilt packages are available for Linux, Windows and macOS.

The new release fixes three vulnerabilities:

  • CVE-2021-33035 - Allows code execution when a specially crafted DBF file is opened. The problem is caused by OpenOffice relying on the fieldLength and fieldType values in the DBF file header when allocating memory, without checking that the actual data in the fields matches the declared type. An attack can declare the INTEGER type in fieldType while placing larger data in the field and specifying a fieldLength value that does not correspond to the size of INTEGER data, which causes the tail of the field data to be written beyond the allocated buffer. The resulting controlled buffer overflow makes it possible to overwrite the function's return pointer and use return-oriented programming (ROP) techniques to execute the attacker's code.
  • CVE-2021-40439 - A "Billion laughs" (XML bomb) DoS attack that exhausts available system resources when a specially crafted document is processed.
  • CVE-2021-28129 - The contents of the DEB package were installed under a non-root user.
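
The consistency check whose absence is described for CVE-2021-33035, as an added example (not OpenOffice's code or its actual patch): a reader that rejects a field descriptor whose fieldLength disagrees with the fixed width of its fieldType before any data is copied. The descriptor offsets (type at byte 11, length at byte 16), the type widths and all function names are assumptions based on the common xBase layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DESC_SIZE = 32, TYPE_OFF = 11, LEN_OFF = 16 }; /* assumed xBase descriptor layout */

/* Width the reader allocates for a fixed-width type; 0 means variable width. */
static size_t fixed_width(uint8_t type) {
    switch (type) {
    case 'I': return 4;  /* 32-bit integer */
    case 'D': return 8;  /* date, YYYYMMDD */
    case 'L': return 1;  /* logical */
    default:  return 0;  /* 'C', 'N', ...: width is taken from fieldLength */
    }
}

/* 0 if fieldType and fieldLength agree, -1 if the descriptor must be rejected. */
int check_descriptor(const uint8_t *desc) {
    size_t fixed = fixed_width(desc[TYPE_OFF]), len = desc[LEN_OFF];
    if (len == 0) return -1;
    if (fixed != 0 && len != fixed) return -1;  /* the mismatch behind the overflow */
    return 0;
}

/* Copy one field from a record; returns bytes copied, or -1 on any inconsistency. */
int read_field(const uint8_t *desc, const uint8_t *rec, size_t rec_len,
               size_t off, uint8_t *dst, size_t dst_cap) {
    size_t len = desc[LEN_OFF];
    if (check_descriptor(desc) != 0) return -1;
    if (off > rec_len || len > rec_len - off) return -1;  /* field lies inside record */
    if (len > dst_cap) return -1;                         /* destination bound */
    memcpy(dst, rec + off, len);
    return (int)len;
}

/* Constructed input: an INTEGER field whose header claims `claimed_len` bytes. */
int demo_integer_field(uint8_t claimed_len) {
    uint8_t desc[DESC_SIZE] = {0}, rec[64], value[4];
    desc[TYPE_OFF] = 'I';
    desc[LEN_OFF] = claimed_len;
    memset(rec, 0x41, sizeof rec);              /* constructed record bytes */
    return read_field(desc, rec, sizeof rec, 1, value, sizeof value);
}

int main(void) {
    printf("len=4  -> %d\n", demo_integer_field(4));   /* accepted */
    printf("len=16 -> %d\n", demo_integer_field(16));  /* rejected */
    return 0;
}
```

The destination-size check in `read_field` is kept even though `check_descriptor` already rejects the mismatch, so a type missing from the width table still cannot overrun the buffer.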

Non-security changes:

  • Increased font size in help texts.
  • An item has been added to the Insert menu to control Fontwork font effects.
  • Added a missing icon to the File menu for the Export to PDF feature.
  • The problem with loss of charts when saving to ODS format has been fixed.
  • Fixed an issue where some useful functionality was blocked by the operation confirmation dialog added in a previous release (for example, the dialog was displayed when referring to a section in the same document).

Source: opennet.ru
