Title: CVE-2012-2665: Multiple heap-based buffer overflows in the XML manifest encryption handling code

Announced: August 01 2012

Fixed in: LibreOffice 3.5.5/3.6.0


Multiple heap-based buffer overflow flaws were found in the XML manifest encryption tag parsing code of LibreOffice. An attacker could create a specially-crafted file in the Open Document Format for Office Applications (ODF) format which when opened could cause arbitrary code execution.

Thanks to Timo Warns of PRE-CERT for reporting this flaw. Users are recommended to upgrade to 3.5.5 or 3.6.0 to avoid this flaw