incubator-ooo-users mailing list archives

From Nicholas Kircher <Nick_Kirc...@sil.org>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Mon, 26 Mar 2012 02:29:15 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings:

I have been following this thread with interest.  When I got to the
download that you clearly listed in your message, I got the following
message, "403 Forbidden, you do not have permission to access...on this
server" and then it gave the mirror site name where I have the dots.  I
then tried to use other mirror sites and I got the same message.  The
first time I tried downloading the instructions, I wondered what all the
sites were for.  I didn't work through all the sites the other times,
thinking that I was missing something or that I would be going to
download something that either I didn't need or I might access something
damaging to my computer.

This time I worked my way down the various http sites on the download
mirrors and kept getting the "403 Forbidden..." message when I pressed
the download buttons.  After getting the same message four times, I
finally found one mirror that downloaded the instructions.
John was more vocal about his frustration but I experienced similar
kinds of emotions in my following of your instructions... I don't know
what needs to change...

Thank you for your attention on this.

Sincerely,

Nick Kircher

On 3/26/12 9:58 AM, Rob Weir wrote:
> On Sun, Mar 25, 2012 at 8:13 PM, John Boyle <jhnboyle788@gmail.com> wrote:
>
>> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>>
>>> Hi Boiling John,
>>>
>>> You could be a little more polite; keep in mind that Rob provided this
>>> patch to protect our security.
>>> The instructions are clear and I didn't have a problem installing it.
>>>
>>> Martin
>>>
>>> On 25/03/2012 5:18 PM, John Boyle wrote:
>>>
>>>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>>
>>>>> Please note, this is the official security bulletin, targeted for
>>>>> security professionals. If you are an OpenOffice.org 3.3 user, and
>>>>> are able to apply the mentioned patch, then you are encouraged to do
>>>>> so. If someone else supports or manages your desktop, then please
>>>>> forward this information to them.
>>>>>
>>>>> Additional support is available on our Community Forums:
>>>>>
>>>>>
>>>>> http://user.services.openoffice.org/
>>>>>
>>>>> And via our ooo-users mailing list:
>>>>>
>>>>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>>>>
>>>>> Note: This security patch for OpenOffice.org is made available to
>>>>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>>>>> Project Management Committee. The patch is made available under the
>>>>> Apache License, and due to its importance, we are releasing it outside
>>>>> of the standard release cycle.
>>>>>
>>>>> -Rob
>>>>>
> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
> Earlier versions may also be affected.
>
> Description: An XML External Entity (XXE) attack is possible in the
> above versions of OpenOffice.org. This vulnerability exploits the way in
> which external entities are processed in certain XML components of ODF
> documents. By crafting an external entity to refer to other local file
> system resources, an attacker would be able to inject contents of other
> locally-accessible files into the ODF document, without the user's
> knowledge or permission. Data leakage then becomes possible when that
> document is later distributed to other parties.
>
> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html
>
> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
> snapshots since March 1st, 2012.
>
> Source and Building: Information on obtaining the source code for this
> patch, and for porting it or adapting it to OpenOffice.org derivatives
> can be found here: http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>
> Credit: The Apache OpenOffice project acknowledges and thanks the
> discoverer of this issue, Timothy D. Morgan of Virtual Security
> Research, LLC.
>
> References: http://security.openoffice.org
>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>>>>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>>>>
>>>>>
>>>> To Rob Weir: I have been a user of computers since the TRS 80 from
>>>> Tandy and a user of OpenOffice for I don't know how many years! The
>>>> asinine patch that was put out to be installed was badly done and I
>>>> cannot use it whatsoever! Now, if someone cannot get it into their
>>>> heads that a patch must be a simple install from the get go, then they
>>>> are going to lose users of open office for their arrogance. A four-part
>>>> idiotic message claiming to give you a patch is actually totally
>>>> worthless! Have you ever heard of the DUMMIES books and method of
>>>> approach to this problem? :-( :-( :-(
>>>>
>>>
>>>
>> To Rob and Martin: I had no intention of being impolite, but I never
>> found any third page I keep hearing about and cannot figure out how to
>> install the patch! I was just asking if there wasn't a simpler way or
>> where the heck was the patch at? I can't figure it out from what you've
>> gotten, and I started with computers on a TRS 80 computer. I simply
>> would like to get my OpenOffice patched correctly and am asking if it's
>> at all possible? :-\
>>
>>
>>
>
> Hi John.
>
> Let's break it down.
>
> See the original note, where I wrote;
>
> "Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
> patch at: http://www.openoffice.org/security/cves/CVE-2012-0037.html"
>
> Start with that page. Load that URL in your browser.
>
> Then on that page you will see something that says, "OpenOffice.org 3.3.0
> and 3.4 beta users can patch their installation with the following patches.
> Download, unzip and follow the instructions in the enclosed readme.pdf
> file."
>
> Right below that there are two links, one labeled "For Windows" and the
> other "For MacOS". Download the appropriate one, unzip and load the
> readme.pdf inside. If you are not able to unzip or read a PDF file then
> let me know.
>
> The readme.pdf file has its own instructions, with pictures, which should
> make the remaining steps clear. But let me know if you have further
> questions.
>
> -Rob
>
>
>
>
>>
>>
>

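The advisory quoted in this thread describes an XXE in the XML parts of ODF documents. The script below is an added example, not part of the thread and not the OpenOffice patch itself: it unpacks an ODF container in memory and flags any XML member whose prolog declares a DOCTYPE or an external (SYSTEM/PUBLIC) entity, the construct the attack depends on. The sample documents and the placeholder file path are constructed here for illustration.

```python
import io
import re
import zipfile

# CVE-2012-0037 depends on an XML part of the ODF container declaring an external
# entity; normal office-suite output has no DOCTYPE, so flag either construct early.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?([^\s>]+)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def scan_odf(data: bytes) -> list:
    """Return one finding per XML member that declares a DOCTYPE or an external entity."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as odf:
        for name in odf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            # Declarations live in the prolog; capping the read keeps huge members cheap.
            head = odf.read(name)[:65536]
            entities = [m.group(1).decode("latin-1") for m in EXT_ENTITY_RE.finditer(head)]
            has_doctype = DOCTYPE_RE.search(head) is not None
            if has_doctype or entities:
                findings.append({"member": name, "doctype": has_doctype,
                                 "external_entities": entities})
    return findings


def build_sample(content_xml: bytes) -> bytes:
    """Constructed sample: a minimal ODF-style zip, not a document produced by OpenOffice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("meta.xml", b'<?xml version="1.0"?><office:document-meta/>')
        z.writestr("content.xml", content_xml)
    return buf.getvalue()


CLEAN = b'<?xml version="1.0"?><office:document-content><office:body/></office:document-content>'
# Constructed: the shape the advisory describes, an entity pointing at a local file
# (placeholder path) whose contents would be pulled into the document on load.
SUSPICIOUS = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE office:document-content [\n'
              b'  <!ENTITY leak SYSTEM "file:///path/to/local/file">\n'
              b']>\n'
              b'<office:document-content><office:body>&leak;</office:body></office:document-content>')

if __name__ == "__main__":
    for label, xml in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(label, scan_odf(build_sample(xml)))
```

Run it over documents received from outside before opening or forwarding them; a hit on `content.xml` or any other part is reason to quarantine the file rather than open it in an unpatched OpenOffice.org.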

