Security update for libgsf SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3920-1 Final 1 1 2024-11-06T10:11:23Z current 2024-11-06T10:11:23Z 2024-11-06T10:11:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libgsf This update for libgsf fixes the following issues: - CVE-2024-42415, CVE-2024-36474: Fixed integer overflows affecting memory allocation (bsc#1231282, bsc#1231283). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3920,SUSE-SLE-Module-Desktop-Applications-15-SP6-2024-3920,SUSE-SLE-Product-WE-15-SP6-2024-3920,openSUSE-SLE-15.6-2024-3920 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243920-1/ Link for SUSE-SU-2024:3920-1 https://lists.suse.com/pipermail/sle-security-updates/2024-November/019783.html E-Mail link for SUSE-SU-2024:3920-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1231282 SUSE Bug 1231282 https://bugzilla.suse.com/1231283 SUSE Bug 1231283 https://www.suse.com/security/cve/CVE-2024-36474/ SUSE CVE CVE-2024-36474 page https://www.suse.com/security/cve/CVE-2024-42415/ SUSE CVE CVE-2024-42415 page SUSE Linux Enterprise Module for Desktop Applications 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP6 openSUSE Leap 15.6 gsf-office-thumbnailer-1.14.51-150600.4.3.1 libgsf-1-114-1.14.51-150600.4.3.1 libgsf-devel-1.14.51-150600.4.3.1 libgsf-lang-1.14.51-150600.4.3.1 libgsf-tools-1.14.51-150600.4.3.1 typelib-1_0-Gsf-1-1.14.51-150600.4.3.1 libgsf-1-114-1.14.51-150600.4.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP6 libgsf-devel-1.14.51-150600.4.3.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 libgsf-lang-1.14.51-150600.4.3.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 typelib-1_0-Gsf-1-1.14.51-150600.4.3.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 gsf-office-thumbnailer-1.14.51-150600.4.3.1 as a component of openSUSE Leap 15.6 libgsf-1-114-1.14.51-150600.4.3.1 as a component of openSUSE Leap 15.6 libgsf-devel-1.14.51-150600.4.3.1 as a component of openSUSE Leap 15.6 libgsf-lang-1.14.51-150600.4.3.1 as a component of openSUSE Leap 15.6 libgsf-tools-1.14.51-150600.4.3.1 as a component of openSUSE Leap 15.6 typelib-1_0-Gsf-1-1.14.51-150600.4.3.1 as a component of openSUSE Leap 15.6 An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. A specially crafted file can result in an integer overflow when processing the directory from the file that allows for an out-of-bounds index to be used when reading and writing to an array. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2024-36474 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:libgsf-1-114-1.14.51-150600.4.3.1 SUSE Linux Enterprise Workstation Extension 15 SP6:libgsf-devel-1.14.51-150600.4.3.1 SUSE Linux Enterprise Workstation Extension 15 SP6:libgsf-lang-1.14.51-150600.4.3.1 SUSE Linux Enterprise Workstation Extension 15 SP6:typelib-1_0-Gsf-1-1.14.51-150600.4.3.1 openSUSE Leap 15.6:gsf-office-thumbnailer-1.14.51-150600.4.3.1 openSUSE Leap 15.6:libgsf-1-114-1.14.51-150600.4.3.1 openSUSE Leap 15.6:libgsf-devel-1.14.51-150600.4.3.1 openSUSE Leap 15.6:libgsf-lang-1.14.51-150600.4.3.1 openSUSE Leap 15.6:libgsf-tools-1.14.51-150600.4.3.1 openSUSE Leap 15.6:typelib-1_0-Gsf-1-1.14.51-150600.4.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243920-1/ https://www.suse.com/security/cve/CVE-2024-36474.html CVE-2024-36474 https://bugzilla.suse.com/1231282 SUSE Bug 1231282 An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf). A specially crafted file can result in an integer overflow that allows for a heap-based buffer overflow when processing the sector allocation table. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2024-42415 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:libgsf-1-114-1.14.51-150600.4.3.1 SUSE Linux Enterprise Workstation Extension 15 SP6:libgsf-devel-1.14.51-150600.4.3.1 SUSE Linux Enterprise Workstation Extension 15 SP6:libgsf-lang-1.14.51-150600.4.3.1 SUSE Linux Enterprise Workstation Extension 15 SP6:typelib-1_0-Gsf-1-1.14.51-150600.4.3.1 openSUSE Leap 15.6:gsf-office-thumbnailer-1.14.51-150600.4.3.1 openSUSE Leap 15.6:libgsf-1-114-1.14.51-150600.4.3.1 openSUSE Leap 15.6:libgsf-devel-1.14.51-150600.4.3.1 openSUSE Leap 15.6:libgsf-lang-1.14.51-150600.4.3.1 openSUSE Leap 15.6:libgsf-tools-1.14.51-150600.4.3.1 openSUSE Leap 15.6:typelib-1_0-Gsf-1-1.14.51-150600.4.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243920-1/ https://www.suse.com/security/cve/CVE-2024-42415.html CVE-2024-42415 https://bugzilla.suse.com/1231283 SUSE Bug 1231283