Gnome library permits code smuggling
The libgsf Gnome library is susceptible to buffer overflows. Programs like gnumeric, abiword or koffice use the library to read OLE2 (Object Linking and Embedding) data streams. The bug in libgsf allows specially prepared documents to execute smuggled code.
iDefense claims the bug is part of the ole_init_info function. It allocates memory for the number of entries indicated in the num_bat variable, but then performs iterations based on the number contained in num_metabat. The ole_info_read_metabat function does validate that the data read from the file lies within a range determined by the file size. While this makes the hole harder to exploit, that range grows with increasing file size.
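As an added illustration of the allocation-versus-iteration mismatch the advisory describes (constructed C, not libgsf's code; the header layout, block size and function names are assumptions), the first check accepts any counts that fit in the file, while the hardened check also requires that the loop cannot write past the allocation:

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the pattern, not libgsf's actual layout: one header
 * count (num_bat) sizes the allocation, another (num_metabat) drives the
 * loop that fills it. Block size and entries per block are illustrative. */
#define BLOCK_SIZE        512u
#define ENTRIES_PER_BLOCK (BLOCK_SIZE / sizeof(uint32_t))   /* 128 */

typedef struct {
    uint32_t num_bat;      /* entries allocated for the block allocation table */
    uint32_t num_metabat;  /* metabat blocks the loop reads into that table */
} ole_header_t;

/* File-size range check only: accepts any count that fits in the file.
 * Necessary but not sufficient; a large file admits a large num_metabat
 * no matter how small num_bat is. */
int range_check_only(const ole_header_t *h, size_t file_size)
{
    size_t max_blocks = file_size / BLOCK_SIZE;
    return h->num_bat <= max_blocks && h->num_metabat <= max_blocks;
}

/* Hardened check: every entry the metabat loop will write must have room
 * in the num_bat-sized allocation. */
int consistent_check(const ole_header_t *h, size_t file_size)
{
    if (!range_check_only(h, file_size))
        return 0;
    uint64_t entries_written = (uint64_t)h->num_metabat * ENTRIES_PER_BLOCK;
    return entries_written <= h->num_bat;
}

/* Filling loop bounded by the allocation length, never by a header field
 * alone. Returns the number of entries actually copied. */
size_t fill_bat(uint32_t *bat, size_t bat_len,
                const uint32_t *metabat, size_t metabat_entries)
{
    size_t n = metabat_entries < bat_len ? metabat_entries : bat_len;
    for (size_t i = 0; i < n; i++)
        bat[i] = metabat[i];
    return n;
}

/* Constructed scenario: a 2-entry table fed from 5 metabat entries. */
size_t demo_fill(void)
{
    uint32_t bat[2] = {0, 0};
    const uint32_t metabat[5] = {10, 11, 12, 13, 14};
    return fill_bat(bat, 2, metabat, 5);   /* stops at 2 */
}
```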
The bug affects version 1.14.0 of libgsf, and other versions may also be vulnerable. The Gnome developers have closed the hole with version 1.14.2. Until updates are released by Linux distributors, users should not open Office documents from untrusted sources in the affected applications.
- Multiple Vendor libgsf Heap Overflow Vulnerability, security advisory from iDefense