Bug 12294 - gnome-chemistry-utils, gnumeric, goffice new security issue CVE-2013-6836
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/580184/
Whiteboard: MGA3-32-OK MGA3-64-OK advisory
Keywords: validated_update

Reported: 2014-01-13 22:13 CET by David Walser
Modified: 2014-02-21 19:26 CET

Source RPM: gnome-chemistry-utils, gnumeric, goffice

Description David Walser 2014-01-13 22:13:51 CET
Fedora has issued advisories on January 2:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126364.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126366.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126365.html

The issue appears to be fixed in versions:
gnome-chemistry-utils 0.14.5
gnumeric 1.12.9
goffice 0.10.9

So Cauldron would need an update for gnome-chemistry-utils, and Mageia 3 for all three of them.

Comment 1 Philippe Makowski 2014-01-25 15:25:32 CET
gnome-chemistry-utils updated in mga4, freeze push asked
I'm working on update for mga3
Comment 2 David Walser 2014-01-25 17:10:50 CET
Thanks.

I don't see a freeze push request on the mailing list.
Comment 3 David Walser 2014-01-25 20:10:13 CET
gnome-chemistry-utils-0.14.5-2.mga4 uploaded for Cauldron. Thanks Philippe!
Comment 4 Philippe Makowski 2014-01-25 20:16:41 CET
Advisory:
========================

Updated gnome-chemistry-utils, gnumeric and goffice packages that fix one security issue

Heap-based buffer overflow in the ms_escher_get_data function in plugins/excel/ms-escher.c in GNOME Office Gnumeric before 1.12.9 allows remote attackers to cause a denial of service (crash) via a crafted xls file with a crafted length value. (CVE-2013-6836)

References
https://bugzilla.redhat.com/show_bug.cgi?id=1044857
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6836
https://bugs.mageia.org/show_bug.cgi?id=12294

========================

Updated packages in core/updates_testing:
========================
gnome-chemistry-utils-gnumeric-0.14.5-1.mga3
gnome-chemistry-utils-0.14.5-1.mga3
gchem3d-0.14.5-1.mga3
gchempaint-0.14.5-1.mga3
libgcu0.14_0-0.14.5-1.mga3
gspectrum-0.14.5-1.mga3
libgcrystal0.14_0-0.14.5-1.mga3
gchemtable-0.14.5-1.mga3
gnome-chemistry-utils-goffice-0.14.5-1.mga3
gnome-chemistry-utils-devel-0.14.5-1.mga3
gcrystal-0.14.5-1.mga3
libgchempaint0.14_0-0.14.5-1.mga3
gnome-chemistry-utils-debuginfo-0.14.5-1.mga3
gnome-chemistry-utils-common-0.14.5-1.mga3
gchemcalc-0.14.5-1.mga3
gnumeric-1.12.9-1.mga3
libspreadsheet1.12.9-1.12.9-1.mga3
gnumeric-debuginfo-1.12.9-1.mga3
libspreadsheet-devel-1.12.9-1.mga3
libgoffice0.10_10-0.10.9-1.mga3
goffice-0.10.9-1.mga3
libgoffice0.10-devel-0.10.9-1.mga3
goffice-0.10.9-1.mga3.x86_64
from gnome-chemistry-utils-0.14.5-1.mga3.src
gnumeric-1.12.9-1.mga3.src
goffice-0.10.9-1.mga3.src
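The advisory above describes a heap-based overflow triggered by a length value in a crafted xls file: a length field read from the file was trusted before it was compared against the data actually present. The C parser below is an added example written for this page; it is not gnumeric's, goffice's or gnome-chemistry-utils' code. It assumes a hypothetical record layout (an 8-byte header whose last four bytes are a little-endian payload length, followed by the payload), and it shows the bounds check that must happen before any read or copy driven by an untrusted length, including the wraparound pitfall of writing that check as header + length <= available on a 32-bit size_t, which matters on the i586 builds this update targets.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical record layout, assumed for this example (not gnumeric's own
 * structures): an 8-byte header = u16 version/instance, u16 type,
 * u32 little-endian payload length, followed by the payload bytes. */
#define REC_HEADER_LEN 8u

typedef enum {
    REC_OK = 0,
    REC_ERR_TRUNCATED_HEADER,     /* fewer than 8 bytes left for a header */
    REC_ERR_LENGTH_EXCEEDS_DATA   /* length field larger than remaining input */
} rec_status;

typedef struct {
    uint16_t ver_inst;
    uint16_t type;
    uint32_t len;
    const uint8_t *payload;       /* points into the caller's buffer */
} rec_t;

static uint16_t rd_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the record at data[0..avail). The untrusted length field is checked
 * against the bytes actually present before anything dereferences or copies
 * based on it. The check is written as `len > avail - header` rather than
 * `header + len > avail`: the latter can wrap on a 32-bit size_t when len is
 * close to UINT32_MAX and then wrongly pass. */
rec_status rec_parse(const uint8_t *data, size_t avail, rec_t *out)
{
    if (avail < REC_HEADER_LEN)
        return REC_ERR_TRUNCATED_HEADER;

    uint32_t len = rd_u32le(data + 4);
    if (len > avail - REC_HEADER_LEN)   /* no underflow: avail >= 8 here */
        return REC_ERR_LENGTH_EXCEEDS_DATA;

    out->ver_inst = rd_u16le(data);
    out->type     = rd_u16le(data + 2);
    out->len      = len;
    out->payload  = data + REC_HEADER_LEN;
    return REC_OK;
}

/* Walk a stream of consecutive records; return the count, or -1 as soon as
 * one record fails validation (the whole stream is then treated as corrupt). */
int rec_count(const uint8_t *data, size_t avail)
{
    int n = 0;
    while (avail > 0) {
        rec_t r;
        if (rec_parse(data, avail, &r) != REC_OK)
            return -1;
        size_t step = REC_HEADER_LEN + (size_t)r.len;  /* <= avail, validated */
        data  += step;
        avail -= step;
        n++;
    }
    return n;
}

/* Constructed sample input (not from a real file): two well-formed records,
 * the first with a 3-byte payload, the second with an empty payload. */
const uint8_t good_stream[] = {
    0x0F, 0x00, 0x01, 0xF0, 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c',
    0x00, 0x00, 0x02, 0xF0, 0x00, 0x00, 0x00, 0x00
};

/* Constructed malformed input: the header claims a 0xFFFFFFFC-byte payload
 * but only 4 bytes follow. An unchecked parser would read or copy far past
 * the buffer; with a 32-bit size_t, 8 + 0xFFFFFFFC wraps to 4, so even the
 * naive `header + len <= avail` check would accept it. */
const uint8_t bad_stream[] = {
    0x00, 0x00, 0x01, 0xF0, 0xFC, 0xFF, 0xFF, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF
};
```

rec_count(good_stream, sizeof good_stream) returns 2, while rec_count(bad_stream, sizeof bad_stream) returns -1 because the oversized length is rejected at the header before any payload access. The same pattern applies to any length-prefixed container: validate against the remaining input length, use subtraction from the known-larger side, and treat a failed check as a hard parse error rather than clamping silently.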
Comment 5 Carolyn Rowse 2014-02-15 14:53:11 CET
I'll have a look at it on i586.  Don't understand what the issues are, but I can check for regressions. I'll put a link to the web page with user manuals for the gnome-chemistry-utils components on a procedure page on the wiki.

Carolyn
Comment 6 Carolyn Rowse 2014-02-15 16:30:03 CET
I tried out Gnumeric and did a few basic things like formatting for currency, formulae for adding and multiplying groups of cells, merging and centering cells, inserting the current date and time, saving and opening.

I also tried various views in the periodic table viewer and entered some formulae in GChemCalc and viewed the results.

No regressions noticed after update.

I'll mark this as OK for 32-bit unless someone can come up with some more specific tests that need doing.

Carolyn
Comment 7 Rémi Verschelde 2014-02-21 16:27:02 CET
Testing complete Mageia 4 x86_64, checking for obvious regressions.
Comment 8 Rémi Verschelde 2014-02-21 16:30:55 CET
Validating update, advisory has been uploaded. Please push to 3 core/updates.
Comment 9 Thomas Backlund 2014-02-21 19:26:00 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0086.html