incubator-ooo-users mailing list archives

From John Boyle <>
Subject Re: CVE-2012-0037: data leakage vulnerability
Date Mon, 26 Mar 2012 00:13:53 GMT
On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
> Hi Boiling John,
> You could be a little more polite, keep in mind that Rob provided this 
> patch to protect our security.
> The instructions are clear and I didn't have a problem installing it.
> Martin
> On 25/03/2012 5:18 PM, John Boyle wrote:
>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>> Please note, this is the official security bulletin, targeted for
>>> security professionals.  If you are an 3.3 user, and
>>> are able to apply the mentioned patch, then you are encouraged to do
>>> so.  If someone else supports or manages your desktop, then please
>>> forward this information to them.
>>> Additional support is available on our Community Forums:
>>> And via our ooo-users mailing list:

>>> Note:  This security patch for is made available to
>>> legacy users as a service by the Apache OpenOffice
>>> Project Management Committee.  The patch is made available under the
>>> Apache License, and due to its importance, we are releasing it outside
>>> of the standard release cycle.
>>> -Rob
>>> Hash: SHA512
>>> CVE-2012-0037: data leakage vulnerability
>>> Severity: Important
>>> Vendor: The Apache Software Foundation
>>> Versions Affected: 3.3 and 3.4 Beta, on all platforms.
>>> Earlier versions may be also affected.
>>> Description: An XML External Entity (XXE) attack is possible in the
>>> above versions of  This vulnerability exploits the way in
>>> which external entities are processed in certain XML components of ODF
>>> documents.  By crafting an external entity to refer to other local
>>> file system resources, an attacker would be able to inject contents of
>>> other locally-accessible files into the ODF document, without the user's
>>> knowledge or permission.  Data leakage then becomes possible when that
>>> document is later distributed to other parties.
>>> Mitigation: 3.3.0 and 3.4 beta users should install the
>>> patch at:
>>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>>> snapshots since March 1st, 2012.
>>> Source and Building: Information on obtaining the source code for this
>>> patch, and for porting it or adapting it to derivatives
>>> can be found here: 
>>> Credit: The Apache OpenOffice project acknowledges and thanks the
>>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>>> Research, LLC.
>>> References:
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> For additional commands, e-mail:
>> To Rob Weir: I have been a user of computers since the TRS 80 from 
>> Tandy and a user of OpenOffice for I don't know how many years! The 
>> asinine patch that was put out to be installed was badly done and I 
>> cannot use it whatsoever! Now, if someone cannot get it to their 
>> heads that a patch must be a simple install from the get go, then 
>> they are going to lose users of open office for their arrogance. A 
>> four-part idiotic message claiming to give you a patch is actually 
>> totally worthless! Have you ever heard of the DUMMIES books and 
>> method of approach to this problem?:-( :-( :-(
To Rob and Martin: I had no intention of being impolite, but I never 
found any third page I keep hearing about and cannot figure how to 
install the patch! I was just asking if there wasn't a simpler way or 
where the heck was the patch at? I can't figure it out from what you've 
gotten, and I started with computers on a TRS 80 computer. I simply would 
like to get my OpenOffice patched correctly and am asking if it's at all 
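
Added example, not part of the original thread and not the Apache OpenOffice patch: a defensive check that opens an ODF file as the zip package it is and reports any XML member carrying a DOCTYPE, listing external (SYSTEM or PUBLIC) entity declarations of the kind the quoted advisory describes. The function names, the size limit and the sample members are assumptions made for illustration; the sample inputs are constructed.

```python
import io
import re
import zipfile

# XML keywords are case-sensitive, so the patterns are too.
DOCTYPE = re.compile(r"<!DOCTYPE\b")
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\b")
MAX_MEMBER = 20 * 1024 * 1024  # assumed limit: skip oversized members


def decode_xml(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 member cannot hide a declaration from the regex."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def scan_odf(data: bytes) -> dict:
    """Map member name -> [(entity name, SYSTEM|PUBLIC)] for members with a DTD."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            text = decode_xml(pkg.read(info))
            # Non-XML members (mimetype, images) and DTD-free XML are not reported.
            if not text.lstrip().startswith("<") or not DOCTYPE.search(text):
                continue
            findings[info.filename] = EXTERNAL_ENTITY.findall(text)
    return findings


def build_sample(members: dict) -> bytes:
    """Constructed test input: an in-memory zip standing in for an ODF file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in members.items():
            pkg.writestr(name, body)
    return buf.getvalue()


CLEAN = '<?xml version="1.0"?><doc><p>hello</p></doc>'
# Constructed declaration; the path is a placeholder, not a real target.
FLAGGED = ('<?xml version="1.0"?><!DOCTYPE doc [<!ENTITY ext SYSTEM '
           '"file:///placeholder/path">]><doc>&ext;</doc>')

if __name__ == "__main__":
    sample = build_sample({"mimetype": "application/vnd.oasis.opendocument.text",
                           "content.xml": CLEAN, "meta.xml": FLAGGED})
    for member, entities in scan_odf(sample).items():
        print(member, entities or "DOCTYPE without external entities")
```

A member reported with an empty list has a DOCTYPE but no external entity declaration; it is still worth a manual look before the document is opened in an unpatched installation.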
