Bug 73087 - CVE-2013-1752 and CVE-2013-4238: upgrade python to 3.3.3 for python33.dll vulnerable according to Secunia and Python
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): 4.1.4.2 release
Hardware: Other Windows (All)
Importance: medium major
Assignee: Michael Stahl (CIB)
URL:
Whiteboard: target:4.3.0 target:4.2.0.2 target:4.1.5
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-28 05:59 UTC by Peter Stendahl-Juvonen
Modified: 2014-01-08 21:39 UTC

See Also:
Crash report or crash signature:


Attachments
C:\Program Files (x86)\LibreOffice 4\program\python33.dll is vulnerable according to Secunia and Python (2.52 MB, application/octet-stream)
2013-12-28 05:59 UTC, Peter Stendahl-Juvonen

Description Peter Stendahl-Juvonen 2013-12-28 05:59:03 UTC
Created attachment 91245
C:\Program Files (x86)\LibreOffice 4\program\python33.dll is vulnerable according to Secunia and Python

C:\Program Files (x86)\LibreOffice 4\program\python33.dll (version 3.3.150.1013) is vulnerable according to Secunia and Python.

Version 3.3.3 is secure.

Please see Secunia Advisory SA56226 at http://secunia.com/advisories/56226

A security issue and multiple vulnerabilities have been reported in Python, which can be exploited by malicious people to conduct spoofing attacks and cause a DoS (Denial of Service).

The security issue and the vulnerabilities are reported in versions prior to 3.3.3.

Solution:
Update to version 3.3.3.

Please also see

http://www.python.org/download/releases/3.3.3/

http://docs.python.org/3.3/whatsnew/changelog.html
Comment 1 Luuk 2013-12-28 15:41:55 UTC
Your dll looks different from mine (I downloaded attachment to c:\temp)

C:\temp>md5 -v
2.2 (2008-01-14)

C:\temp>md5 "C:\Program Files (x86)\LibreOffice 4\program\python3.dll"
C8AB7B1D60B0D0E8AE70C625C9F4A76E  C:\Program Files (x86)\LibreOffice 4\program\python3.dll

C:\temp>md5 python33.dll
2C168A75276C9DC9BA0274A91B4D5940  python33.dll

C:\temp>
Comment 2 Peter Stendahl-Juvonen 2013-12-28 18:46:48 UTC
Your file is python3.dll (not python33.dll), hence different MD5.
Comment 3 Commit Notification 2014-01-06 16:59:05 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=45c537a1185dfca7e51229dde9e9220e5174bd57

fdo#73087: python3: upgrade to version 3.3.3



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 4 Commit Notification 2014-01-07 09:59:28 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c5ab946abfe3b2c60253e3c724eee2be0bda0b81&h=libreoffice-4-2

fdo#73087: python3: upgrade to version 3.3.3


It will be available in LibreOffice 4.2.

Comment 5 Michael Stahl (CIB) 2014-01-07 18:20:00 UTC
fixed on master and 4.2; review for 4.1 pending in gerrit.
Comment 6 Commit Notification 2014-01-08 21:39:10 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5d207e1a819a679738e0299972cef3d280122596&h=libreoffice-4-1

fdo#73087: python3: upgrade to version 3.3.3


It will be available in LibreOffice 4.1.5.
