incubator-ooo-dev mailing list archives

From "Marcus (OOo)" <marcus.m...@wtnet.de>
Subject Re: PNG Security Vulnerability fixed in 3.3.0
Date Sun, 18 Dec 2011 01:09:47 GMT
On 12/17/2011 12:38 AM, tora - Takamichi Akiyama wrote:

It seems nobody has answered so far.

> Does anyone have any information on this?
>
> CVE-2010-4253
> Security Vulnerability in OpenOffice.org related to PNG file processing
> http://www.openoffice.org/security/cves/CVE-2010-4253.html
>
> That has been already fixed in 3.3.0, but not in 3.2.1.
>
> One globally operating company in Japan has made use of 3.2.1 and they
> are planning to spread it over their branches and local companies under
> their wing worldwide, more than 200 thousand PCs, all told.
>
> Multiple options are under evaluation:
> (a) Security Patch (this email's topic)
> - Installing the official release of OpenOffice.org 3.2.1
> - Replacing one or a few .dll files with bug-fixed ones

*IMHO* to create a patch or update for OpenOffice.org and to guarantee
the binary compatibility, you need to use the original environment for
developing, building, testing.

This environment is gone and cannot be brought back. Therefore this is 
not a possibility. The new way is to fix any new issue within the 
context of Apache OpenOffice.

But I'm not a developer, so I can only guess that it's right what I've said.

> (b) Switch to LibreOffice
> (c) Something else
>
> Why not 3.3.0? They say 3.2.1 is conceptually stabler than 3.3.0 since
> 3.2.1 is a minor, bug-fixed version while 3.3.0 is a major version.

In theory yes. But have they really tried this out? Have they proved for 
themselves that 3.2.1 is better for their business? If not and 3.3.0 is 
surprisingly better than first thought, then the answer could be very 
easy. ;-)

Marcus

