CVE-2012-0037
Publication date 22 March 2012
Last updated 24 July 2024
Ubuntu priority
Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML external entity (XXE) declaration and reference in an RDF document.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libreoffice | ||
| openoffice.org | ||
| raptor | ||
| raptor2 | ||
Notes
jdstrand
Per Sweetchark, only a LibreOffice issue if using internal raptor Debian's patch for 1.4.21 from David Beckett based on patch sent to linux-distros@ per RedHat, arbitrary code execution is possible as well 1.4.21-7 is claimed to be fixed in Debian. While a patch was added, the quilt series file was not updated so the patch was not applied.
Patch details
| Package | Patch details |
|---|---|
| openoffice.org | |
| raptor |
|
| raptor2 |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-1480-1
- Raptor vulnerability
- 18 June 2012
- USN-1901-1
- Raptor vulnerability
- 8 July 2013
Other references
- http://blog.documentfoundation.org/2012/03/22/tdf-announces-libreoffice-3-4-6/
- http://www.openoffice.org/security/cves/CVE-2012-0037.html
- http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
- https://www.libreoffice.org/advisories/CVE-2012-0037/
- https://www.cve.org/CVERecord?id=CVE-2012-0037