Bug 73087

Summary: CVE-2013-1752 and CVE-2013-4238: upgrade python to 3.3.3 for python33.dll vulnerable according to Secunia and Python
Product: LibreOffice
Reporter: Peter Stendahl-Juvonen <peter.stendahl-juvonen>
Component: Libreoffice
Assignee: Michael Stahl <mst.fdo>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: medium
CC: alexander.buchner, caolanm, niko.bockerman
Version: 4.1.4.2 release
Hardware: Other
OS: Windows (All)
Whiteboard: target:4.3.0 target:4.2.0.2 target:4.1.5
Attachments: C:\Program Files (x86)\LibreOffice 4\program\python33.dll is vulnerable according to Secunia and Python

Description Peter Stendahl-Juvonen 2013-12-28 05:59:03 UTC
Created attachment 91245 [details]
C:\Program Files (x86)\LibreOffice 4\program\python33.dll is vulnerable according to Secunia and Python

C:\Program Files (x86)\LibreOffice 4\program\python33.dll (version 3.3.150.1013) is vulnerable according to Secunia and Python.

Version 3.3.3 is secure.

Please see Secunia Advisory SA56226 at http://secunia.com/advisories/56226

A security issue and multiple vulnerabilities have been reported in Python, which can be exploited by malicious people to conduct spoofing attacks and cause a DoS (Denial of Service).

The security issue and the vulnerabilities are reported in versions prior to 3.3.3.

Solution:
Update to version 3.3.3.

Please also see

http://www.python.org/download/releases/3.3.3/

http://docs.python.org/3.3/whatsnew/changelog.html
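
Added example, not part of the original report or of LibreOffice's code: a decoder for the file version quoted above (3.3.150.1013) that checks it against the fixed release 3.3.3. It assumes the encoding CPython's Windows resource file uses for its DLLs (third field = micro*1000 + release level*10 + serial, fourth field = C API version); the function names are illustrative.

```python
import re

# PY_RELEASE_LEVEL values from CPython's Include/patchlevel.h.
LEVELS = {0xA: "alpha", 0xB: "beta", 0xC: "candidate", 0xF: "final"}
FIXED_BRANCH = (3, 3)   # branch this report is about
FIXED_MICRO = 3         # "Version 3.3.3 is secure."


def decode_dll_version(file_version):
    """Split a pythonXY.dll file version into Python release fields."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", file_version.strip())
    if not m:
        raise ValueError("expected four dotted numbers: %r" % file_version)
    major, minor, field3, api = (int(g) for g in m.groups())
    # Third field = micro*1000 + release_level*10 + release_serial.
    micro, rest = divmod(field3, 1000)
    level, serial = divmod(rest, 10)
    if level not in LEVELS:
        raise ValueError("unknown release level in %r" % file_version)
    return {"major": major, "minor": minor, "micro": micro,
            "level": LEVELS[level], "serial": serial, "api": api}


def needs_upgrade(file_version):
    """True/False for the 3.3 branch; None when the page makes no claim."""
    v = decode_dll_version(file_version)
    if (v["major"], v["minor"]) != FIXED_BRANCH:
        return None
    if v["micro"] != FIXED_MICRO:
        return v["micro"] < FIXED_MICRO
    # Alphas, betas and release candidates of 3.3.3 predate the fixed release.
    return v["level"] != "final"


if __name__ == "__main__":
    # Constructed sample values, except the first, which is quoted in the report.
    for sample in ("3.3.150.1013", "3.3.3121.1013", "3.3.3150.1013"):
        print(sample, decode_dll_version(sample), needs_upgrade(sample))
```

The version string is the one Windows shows on the DLL's Details tab; it reflects the upstream release only and says nothing about fixes a packager may have backported.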
Comment 1 Luuk 2013-12-28 15:41:55 UTC
Your dll looks different from mine (I downloaded attachment to c:\temp)

C:\temp>md5 -v
2.2 (2008-01-14)

C:\temp>md5 "C:\Program Files (x86)\LibreOffice 4\program\python3.dll"
C8AB7B1D60B0D0E8AE70C625C9F4A76E  C:\Program Files (x86)\LibreOffice 4\program\python3.dll

C:\temp>md5 python33.dll
2C168A75276C9DC9BA0274A91B4D5940  python33.dll

C:\temp>
Comment 2 Peter Stendahl-Juvonen 2013-12-28 18:46:48 UTC
Your file is python3.dll (not python33.dll), hence different MD5.
Comment 3 Commit Notification 2014-01-06 16:59:05 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=45c537a1185dfca7e51229dde9e9220e5174bd57

fdo#73087: python3: upgrade to version 3.3.3



The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 4 Commit Notification 2014-01-07 09:59:28 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-2":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c5ab946abfe3b2c60253e3c724eee2be0bda0b81&h=libreoffice-4-2

fdo#73087: python3: upgrade to version 3.3.3


It will be available in LibreOffice 4.2.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
Comment 5 Michael Stahl 2014-01-07 18:20:00 UTC
fixed on master and 4.2; review for 4.1 pending in gerrit.
Comment 6 Commit Notification 2014-01-08 21:39:10 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-4-1":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5d207e1a819a679738e0299972cef3d280122596&h=libreoffice-4-1

fdo#73087: python3: upgrade to version 3.3.3


It will be available in LibreOffice 4.1.5.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.
