incubator-ooo-dev mailing list archives

From Ariel Constenla-Haile <arie...@apache.org>
Subject Re: How to make a Linux port of CVE-2012-0037
Date Fri, 27 Apr 2012 13:26:17 GMT
Hi Rob, *

On Thu, Mar 22, 2012 at 05:47:50PM -0400, Rob Weir wrote:
> We need a few things:
> 
> 1) Someone to build the patch
> (http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt)
> 
> 2) Someone to create install instructions for the patch
> 
> 3) One or more people to test the patch
> 
> 4)  Someone to update the website and send out an announcement
> 
> 
> #1 is actually a lot easier than it sounds.  If you can build AOO 3.4
> under Linux then you probably are already building the patched file.
> We might even just extract the relevant library from a dev snapshot
> install.   But we need to consider what variations we need, 32 versus
> 64, etc.

Indeed, you only have to take the library from the RC1 and copy it to
the 3.3 installation directory, adapting the name because AOO has removed
the library postfix (lx for 64 bits, li for 32 bits).


> For #2 I have the source for the existing install instructions.  I'm
> happy to share with anyone who wants to update the instructions and
> screenshots for Linux users.

Screenshots for Linux don't make sense; it's simply running some commands
from a terminal:
http://s.apache.org/4QC

Please send me the source for the existing install instructions; I'll
update the instructions for Linux.

> For #3, I'm sure many of us can help.  We have a proof of concept file
> that shows the exploit that we can test against, but we need to take
> extreme measures to ensure that file is not publicly disclosed.

I tested on 

Fedora 16 - 64 bits
Ubuntu 11.10 (Oneiric Ocelot) - 64 bits
Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits

The problem is that I couldn't reproduce the issue: OOo 3.3 simply
*crashes* when trying to open the bug document lin.odt

The good news is that replacing the old library with the patched library
solves the crash, and does not reproduce the vulnerability issue.

Was anyone able to reproduce the issue on Linux with OOo 3.3?


> For #4, I am happy to help with the digital signature and staging to
> the mirrors, etc. Updating the webpage is really easy, using the
> Apache CMS.

I've uploaded a version to test:
http://people.apache.org/~arielch/CVE-2012-0037.zip
http://people.apache.org/~arielch/CVE-2012-0037.zip.asc

Gary did some tests (not with the bug document lin.odt), I guess he just
tested that "it worked", that is, no undefined symbol references when
loading the library.


Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina
