Vulnerable to the billion laughs attack

Bug #973881 reported by David
This bug report is a duplicate of: Bug #1037111: [SRU] LibreOffice 3.5.7 for precise.
This bug affects 1 person
Affects: libreoffice (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

If one alters one of the various XML file formats that LibreOffice supports (I tested against .docx and .odt; I assume the other formats are also vulnerable) and inserts the 'stock' billion laughs XML attack [0] into the document, then when LibreOffice attempts to open the file it will expand the entities (using 100% CPU and continuing to use more and more memory).
I will attach an example .odt file where the content.xml inside the zip container has been modified to trigger this issue.

[0]http://en.wikipedia.org/wiki/Billion_laughs
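The expansion the report describes, as an added example (this is not the reporter's attachment and not LibreOffice code): the script builds the nested-entity payload at a chosen depth, packs it into a minimal ODT-like zip, and shows the two guards an importer can apply before the entities are ever expanded: reject any entity declaration outright (ODF parts never legitimately declare entities) and, as a second line, cap the amount of expanded text a part may deliver. The element names, the zip layout and the limits are assumptions for the demo.

```python
"""Constructed demo of the entity-expansion ('billion laughs') bug above.
Added example: not the reporter's attachment, not LibreOffice code."""
import io
import zipfile
import xml.parsers.expat

ODF_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"

# Constructed benign part used for comparison.
BENIGN = (
    '<?xml version="1.0"?><office:document-content xmlns:office="%s">'
    "<office:body><office:text>hello</office:text></office:body>"
    "</office:document-content>" % ODF_NS
)


def billion_laughs(depth, fanout=10):
    """Classic nested-entity payload. Expanded size is 3 * fanout**depth bytes:
    depth=9 is the original 'billion', depth=3 a harmless 3000 bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = "".join("&lol%d;" % (i - 1) for _ in range(fanout))
        decls.append('<!ENTITY lol%d "%s">' % (i, refs))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE office:document-content [\n%s\n]>\n" % "\n".join(decls)
        + '<office:document-content xmlns:office="%s">' % ODF_NS
        + "<office:body><office:text>&lol%d;</office:text></office:body>" % depth
        + "</office:document-content>"
    )


def make_odt(content_xml):
    """Minimal ODT-like container (constructed; a real ODT also carries
    META-INF/manifest.xml, styles.xml and so on)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


class EntityExpansionRejected(Exception):
    pass


def parse_odf_part(xml_bytes, reject_entities=True, max_text_bytes=1 << 20):
    """Parse one XML part with expat and return the number of text bytes it
    delivered. Guard 1 fires on the first <!ENTITY ...> declaration, before any
    reference is expanded. Guard 2 counts the expanded character data expat
    hands back and aborts past max_text_bytes (defence in depth)."""
    parser = xml.parsers.expat.ParserCreate()
    delivered = [0]

    def on_entity_decl(*_):
        raise EntityExpansionRejected("entity declaration in ODF part")

    def on_chars(data):
        delivered[0] += len(data.encode("utf-8"))
        if delivered[0] > max_text_bytes:
            raise EntityExpansionRejected(
                "expanded text exceeds %d bytes" % max_text_bytes)

    if reject_entities:
        parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)  # exceptions from handlers propagate
    return delivered[0]


def vet_part(xml_bytes, **limits):
    """(accepted, reason) for one raw XML part."""
    try:
        n = parse_odf_part(xml_bytes, **limits)
    except EntityExpansionRejected as e:
        return False, str(e)
    return True, "%d text bytes" % n


def check_odt(odt_bytes):
    """Vet the content.xml of an ODT-like container with the default guards."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        return vet_part(zf.read("content.xml"))


if __name__ == "__main__":
    # depth 9 is 10**9 references; guard 1 rejects it before any expansion
    print(check_odt(make_odt(billion_laughs(9))))
    print(check_odt(make_odt(BENIGN)))
    # with guard 1 off, guard 2 still stops a 300 KB expansion at 100 KB
    print(vet_part(billion_laughs(5).encode(), reject_entities=False,
                   max_text_bytes=100000))
```

Expat 2.4.1 and later carry their own amplification limit, but it only engages once roughly 8 MiB of expanded output has been produced, so for a format like ODF that never legitimately declares entities the per-part declaration reject is the earlier and cheaper check; the byte cap is there for the case where a parser cannot be told to refuse the DTD.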

David (d--) wrote:

Marc Deslauriers (mdeslaur) wrote:

Thanks for reporting this. Could you please report it to the upstream LibreOffice developers, and if applicable link the upstream bug here?

link is:
http://www.libreoffice.org/advisories/

Thanks!

Jamie Strandboge (jdstrand) wrote:

David, what was upstream's response?

Changed in libreoffice (Ubuntu):
status: New → Confirmed
David (d--) wrote:

Ah, sorry, I didn't notice your reply before :-) (It was this --> )

Caolán McNamara <email address hidden>
On Wed, 2012-04-11 at 23:01 +1000, David Black wrote:
> If one alters one of the various xml file formats that libreoffice
> supports(I tested against .docx and .odt - I assume the other formats
> are also vulnerable) and inserts the [0] billion laughs 'stock' xml
> attack into the document when libreoffice attempts to open the file
> then it will expand the entities (using 100% cpu and continuing to use
> more and more memory).

Rats, that's annoying. Oh well, we acknowledge receipt of this anyway,
and hopefully we can come up with some solutions soon.

David (d--) wrote:

According to upstream this issue was fixed in LibreOffice 3.5.5.

visibility: private → public
Björn Michaelsen (bjoern-michaelsen) wrote:

marking as a dupe of the 3.5.7 SRU for precise then.
