incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From FR web forum <ooofo...@free.fr>
Subject Re: Vulnerability fixed in LibreOffice - Impact on Users
Date Fri, 07 Oct 2011 14:25:10 GMT
Thank you Dennis for have to extract this text. 
That's clear for me and end-uses now

----- Mail original -----
De: "Dennis E. Hamilton" <orcmid@apache.org>
À: ooo-dev@incubator.apache.org, oooforum@free.fr
Envoyé: Vendredi 7 Octobre 2011 01:34:16
Objet: RE: Vulnerability fixed in LibreOffice - Impact on Users

Until the analysis of the situation is available at 
< http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713> there is not much useful
information.

My limited understanding is that the bug is in the import of Microsoft Word .doc documents
into LibreOffice.

Unless this bug was introduced by changes since the fork to LibreOffice, it should be presumed
to apply to all existing releases of OpenOffice.org as well.

It is unclear whether there is an exploitable vulnerability as a result of the bug.  The announcement
suggests "this flaw could have been used for nefarious purposes, such as installing viruses,
through a specially-crafted file."  Since the analysis for CVE-2011-2713 does not appear to
be available yet, it is not clear

 - whether and how the out-of-bounds property read can be used to achieve code execution,

 - whether there is a proof-of-concept for an exploit and 
 - whether or not there has ever been a successful exploit.

I cannot assess the urgency to upgrade to LibreOffice 3.4.3 expressed in the announcement.
 The post on the foundation blog was created by Italo Vignoli.  I regard Italo as a responsible
individual.  I look forward to more-detailed clarification of <http://blog.documentfoundation.org/2011/10/05/the-document-foundation-publishes-details-of-libreoffice-3-4-3-security-fixes/>.

My personal advice is that users of existing OpenOffice.org releases be careful to limit their
use of Word .doc files to ones from known and trustworthy sources.

Additional portions of the announcement are less clear.  I don't doubt that security is being
improved, I just can't tell from that level of information what risk that leaves for users
of earlier releases of LibreOffice and OpenOffice.org.

When more is known about the prospective impact on users of the software, more can be provided.

 - Dennis



-----Original Message-----
From: FR web forum [mailto:oooforum@free.fr] 
Sent: Thursday, October 06, 2011 01:27
To: ooo-dev@incubator.apache.org
Subject: Re: Vulnerability fixed in LibreOffice



> Anyone can post to anyone's security list.  But they are private lists.  It is the part
where discretion must occur in handling vulnerabilities until >the fix is in and a CVE
is posted that happens privately and that might work better with some shared membership on
the security lists.  On AOOo, the >PPMC is aware of any resolution that works into code,
because of the way a security fix gets committed into a release.

Sorry but I'm not a developper.

Could you just tell me if OOo 3.3 and future 3.4 are concerned.

I must to inform end-users on the FR forum


Mime
View raw message