incubator-ooo-users mailing list archives

From John Boyle <>
Subject Re: CVE-2012-0037: data leakage vulnerability
Date Sun, 25 Mar 2012 06:18:07 GMT
On 3/22/2012 6:16 AM, Rob Weir wrote:
> Please note, this is the official security bulletin, targeted for
> security professionals.  If you are an 3.3 user, and
> are able to apply the mentioned patch, then you are encouraged to do
> so.  If someone else supports or manages your desktop, then please
> forward this information to them.
> Additional support is available on our Community Forums:
> And via our ooo-users mailing list:
> Note:  This security patch for is made available to
> legacy users as a service by the Apache OpenOffice
> Project Management Committee.  The patch is made available under the
> Apache License, and due to its importance, we are releasing it outside
> of the standard release cycle.
> -Rob
> CVE-2012-0037: data leakage vulnerability
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected: 3.3 and 3.4 Beta, on all platforms.
> Earlier versions may be also affected.
> Description: An XML External Entity (XXE) attack is possible in the
> above versions of  This vulnerability exploits the way in
> which external entities are processed in certain XML components of ODF
> documents.  By crafting an external entity to refer to other local
> file system resources, an attacker would be able to inject contents of
> other locally-accessible files into the ODF document, without the user's
> knowledge or permission.  Data leakage then becomes possible when that
> document is later distributed to other parties.
> Mitigation: 3.3.0 and 3.4 beta users should install the
> patch at:
> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> snapshots since March 1st, 2012.
> Source and Building: Information on obtaining the source code for this
> patch, and for porting it or adapting it to derivatives
> can be found here:
> Credit: The Apache OpenOffice project acknowledges and thanks the
> discoverer of this issue, Timothy D. Morgan of Virtual Security
> Research, LLC.
> References:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
To Rob Weir: I have been a user of computers since the TRS 80 from Tandy 
and a user of OpenOffice for I don't know how many years! The asinine 
patch that was put out to be installed was badly done and I cannot use 
it whatsoever! Now, if someone cannot get it to their heads that a patch 
must be a simple install from the get go, then they are going to lose 
users of open office for their arrogance. A four-part Idiotic message 
claiming to give you a patch is actually totally worthless! Have you 
ever heard of the DUMMIES books and method of approach to this 
problem?:-( :-( :-(
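An added defender-side example, not code from the advisory or the Apache OpenOffice project: a stdlib-only scanner that opens an ODF package and reports any XML part whose DTD declares an external (SYSTEM/PUBLIC) entity, the mechanism the bulletin above describes. The ODF package it builds for testing is constructed here, and the entity's `file:///placeholder/local-file` target is a placeholder, not a real path.

```python
"""Scan the XML parts of an ODF package for DTD entity declarations (stdlib only).
ODF parts carry no DOCTYPE, so a declared SYSTEM/PUBLIC entity flags a crafted document."""
import io
import zipfile
import xml.parsers.expat as expat

def find_entity_decls(xml_bytes: bytes) -> list:
    """(name, system_id, public_id) for every entity declared in the part's DTD."""
    found = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # skip external DTD subsets

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        found.append((name, system_id or None, public_id or None))
    parser.EntityDeclHandler = on_entity_decl
    # Refuse to resolve: returning 1 tells expat the reference was handled (as empty).
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 1
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # malformed part: still report whatever was declared before the error
    return found

def scan_odf(odf_bytes: bytes) -> dict:
    """Map each XML part name to its external (SYSTEM/PUBLIC) entity declarations."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".xml"):
                external = [d for d in find_entity_decls(zf.read(name)) if d[1] or d[2]]
                if external:
                    report[name] = external
    return report

def build_sample(with_external_entity: bool) -> bytes:
    """Constructed minimal ODF-style package for testing; not a real document."""
    ns = 'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
    doctype = ('<!DOCTYPE office:document-content '
               '[<!ENTITY ext SYSTEM "file:///placeholder/local-file">]>')
    body = "&ext;" if with_external_entity else "plain text"
    content = (f'<?xml version="1.0"?>{doctype if with_external_entity else ""}'
               f"<office:document-content {ns}><office:body>{body}"
               "</office:body></office:document-content>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
        zf.writestr("styles.xml", f'<?xml version="1.0"?><office:document-styles {ns}/>')
    return buf.getvalue()
```

Run `scan_odf` over a suspect `.odt`, `.ods` or `.odp` file read as bytes; an empty dict means no part declares an external entity.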
