incubator-ooo-users mailing list archives

From Nicholas Kircher <>
Subject Re: CVE-2012-0037: data leakage vulnerability
Date Mon, 26 Mar 2012 02:29:15 GMT

I have been following this thread with interest.  When I got to the
download that you clearly listed in your message, I got the following
message, "403 Forbidden, you do not have permission to access...on this
server" and then it gave the mirror site name where I have the dots.  I
then tried to use other mirror sites and I got the same message.  The
first time I tried downloading the instructions, I wondered what all the
sites were for.  I didn't work through all the sites the other times,
thinking that I was missing something or that I would be going to
download something that either I didn't need or I might access something
damaging to my computer.

This time, I started to work my way down the various http sites on
the download mirrors and kept getting the "403 Forbidden..." message
when I pressed the download buttons. After getting the same message
four times, I finally found one mirror that downloaded the instructions.
John was more vocal about his frustration but I experienced similar
kinds of emotions in my following of your instructions... I don't know
what needs to change...

Thank you for your attention on this.


Nick Kircher

On 3/26/12 9:58 AM, Rob Weir wrote:
> On Sun, Mar 25, 2012 at 8:13 PM, John Boyle <> wrote:
>> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>>> Hi Boiling John,
>>> You could be a little more polite; keep in mind that Rob provided this
>>> patch to protect our security.
>>> The instructions are clear and I didn't have a problem installing it.
>>> Martin
>>> On 25/03/2012 5:18 PM, John Boyle wrote:
>>>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>>> Please note, this is the official security bulletin, targeted for
>>>>> security professionals. If you are an 3.3 user, and
>>>>> are able to apply the mentioned patch, then you are encouraged to do
>>>>> so. If someone else supports or manages your desktop, then please
>>>>> forward this information to them.
>>>>> Additional support is available on our Community Forums:
>>>>> And via our ooo-users mailing list:
>>>>> Note: This security patch for is made available to
>>>>> legacy users as a service by the Apache OpenOffice
>>>>> Project Management Committee. The patch is made available under the
>>>>> Apache License, and due to its importance, we are releasing it outside
>>>>> of the standard release cycle.
>>>>> -Rob
> CVE-2012-0037: data leakage vulnerability
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected: 3.3 and 3.4 Beta, on all platforms.
> Earlier versions may be also affected.
> Description: An XML External Entity (XXE) attack is possible in the
> above versions of This vulnerability exploits the way in
> which external entities are processed in certain XML components of ODF
> documents. By crafting an external entity to refer to other local
> file system resources, an attacker would be able to inject contents of
> other locally-accessible files into the ODF document, without the user's
> knowledge or permission. Data leakage then becomes possible when that
> document is later distributed to other parties.
> Mitigation: 3.3.0 and 3.4 beta users should install the
> patch at: security/cves/CVE-2012-0037.html <>
> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> snapshots since March 1st, 2012.
> Source and Building: Information on obtaining the source code for this
> patch, and for porting it or adapting it to derivatives
> can be found here: security/cves/CVE-2012-0037-src.txt <>
> Credit: The Apache OpenOffice project acknowledges and thanks the
> discoverer of this issue, Timothy D. Morgan of Virtual Security
> Research, LLC.
> References:
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail:
>>>>> For additional commands, e-mail:
>>>> To Rob Weir: I have been a user of computers since the TRS 80 from
>>>> Tandy and a user of OpenOffice for I don't know how many years! The
>>>> patch that was put out to be installed was badly done and I cannot
>>>> use it whatsoever! Now, if someone cannot get it to their heads that a
>>>> patch must be a simple install from the get go, then they are going to
>>>> lose users of open office for their arrogance. A four-part Idiotic
>>>> message claiming to give you a patch is actually totally worthless!
>>>> Have you ever heard of the DUMMIES books and method of approach to
>>>> this problem? :-( :-( :-(
>> To Rob and Martin: I had no intention of being Impolite, but I never
>> found any third page I keep hearing about and cannot figure how to install
>> the patch! I was just asking if there wasn't a simpler way or where the
>> heck was the patch at? I can't figure it out from what you've gotten. And I
>> started with computers on a TRS 80 computer. I simply would like to get my
>> OpenOffice patched correctly and am asking if it's at all possible? :-\
> Hi John.
> Let's break it down.
> See the original note, where I wrote;
> "Mitigation: 3.3.0 and 3.4 beta users should install the
> patch at:"
> Start with that page. Load that URL in your browser.
> Then on that page you will see something that says, " 3.3.0
> and 3.4 beta users can patch their installation with the following patches.
> Download, unzip and follow the instructions in the enclosed readme.pdf
> file."
> Right below that there are two links, one labeled "For Windows" and the
> other "For MacOS". Download the appropriate one, unzip and load the
> readme.pdf inside. If you are not able to unzip or read a PDF file then
> let me know.
> The readme.pdf file has its own instructions, with pictures, which should
> make the remaining steps clear. But let me know if you have further
> questions.
> -Rob
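The advisory quoted above describes the mechanism (an external entity in the XML of an ODF package pulling a local file into the document text) but not how to observe it or how the fix looks from a parser's point of view. The following is an added example; it is not OpenOffice.org code and not the CVE-2012-0037 patch. It builds a constructed ODF-style package (a zip holding a mimetype entry and a content.xml) whose content.xml declares an external entity pointing at a file next to the package, then parses content.xml with Python's standard-library xml.sax parser standing in for the office suite: once with external general entities resolved, which is the behaviour the advisory describes, and once with them disabled, which is the hardened setting. The entity name "leak", the file names "secret.txt" and "report.odt", the sample secret and the regex tripwire are all assumptions made for this example.

```python
# Added example, not OpenOffice.org code and not the CVE-2012-0037 patch.
# Python's xml.sax stands in for the ODF consumer. Names such as "leak",
# "secret.txt" and "report.odt" are chosen for this example.
import os
import re
import tempfile
import zipfile
from xml.sax import make_parser
from xml.sax.handler import ContentHandler, feature_external_ges

ODF_MIMETYPE = "application/vnd.oasis.opendocument.text"

# Constructed content.xml. A legitimate ODF content.xml carries no DOCTYPE;
# this one declares an external entity that resolves relative to the file.
CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE office:document-content [
  <!ENTITY leak SYSTEM "secret.txt">
]>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">
  <office:body>
    <office:text>
      <text:p>Quarterly report</text:p>
      <text:p>&leak;</text:p>
    </office:text>
  </office:body>
</office:document-content>
"""

# Heuristic tripwire: any external entity declaration in the raw bytes.
EXTERNAL_ENTITY_DECL = re.compile(rb"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)\b")


class ParagraphCollector(ContentHandler):
    """SAX handler that records the text of every text:p element."""

    def __init__(self):
        super().__init__()
        self.paragraphs = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "text:p":
            self._buf = []

    def characters(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def endElement(self, name):
        if name == "text:p":
            self.paragraphs.append("".join(self._buf))
            self._buf = None


def build_package(directory, secret_text):
    """Write secret.txt (the file that will be leaked) and a minimal
    ODF-style package next to it; returns the package path."""
    with open(os.path.join(directory, "secret.txt"), "w", encoding="utf-8") as f:
        f.write(secret_text)
    package_path = os.path.join(directory, "report.odt")
    with zipfile.ZipFile(package_path, "w") as z:
        z.writestr("mimetype", ODF_MIMETYPE)  # ODF: first entry, uncompressed
        z.writestr("content.xml", CONTENT_XML)
    return package_path


def declares_external_entity(xml_bytes):
    """Cheap pre-parse check on the raw bytes; a tripwire, not a parser."""
    return EXTERNAL_ENTITY_DECL.search(xml_bytes) is not None


def paragraphs_from_package(package_path, resolve_external_entities):
    """Extract content.xml beside the package and parse it with xml.sax.
    resolve_external_entities=True is the unpatched behaviour: the entity
    is read from disk and its bytes land in the document text."""
    workdir = os.path.dirname(package_path)
    with zipfile.ZipFile(package_path) as z:
        content_path = z.extract("content.xml", workdir)
    parser = make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = ParagraphCollector()
    parser.setContentHandler(collector)
    parser.parse(content_path)
    return collector.paragraphs


def demo():
    """Returns (unpatched_paragraphs, hardened_paragraphs, flagged)."""
    with tempfile.TemporaryDirectory() as d:
        pkg = build_package(d, "db_password=hunter2")  # constructed secret
        with zipfile.ZipFile(pkg) as z:
            flagged = declares_external_entity(z.read("content.xml"))
        leaked = paragraphs_from_package(pkg, resolve_external_entities=True)
        safe = paragraphs_from_package(pkg, resolve_external_entities=False)
    return leaked, safe, flagged


if __name__ == "__main__":
    leaked, safe, flagged = demo()
    print("external entity declared:", flagged)
    print("unpatched parse:", leaked)
    print("hardened parse: ", safe)
```

With resolution enabled the second paragraph comes back as the contents of secret.txt, which is exactly the "inject contents of other locally-accessible files into the ODF document" the advisory describes; with it disabled the entity expands to nothing and the paragraph is empty. Since a legitimate content.xml carries no DOCTYPE at all, a consumer can refuse the document at the declares_external_entity() tripwire before parsing, but the parser setting (feature_external_ges here, or its equivalent in whatever XML library a product uses) is the actual control; the regex only catches the obvious case.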
