incubator-ooo-users mailing list archives

From Scooter C <scoo...@scootersdesk.com>
Subject Fwd: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Wed, 28 Mar 2012 19:28:30 GMT
Two points I want to make.
The PDF instructions WERE adequate but misleading. I agree with John, it 
should be more straight-forward or installable.

One trick I learned years ago: Always put the program files where YOU 
want them, not where the installer normally puts them.
MY OOa Files are in a folder named Office. Easy to keep track of new or 
replaced files.
I found unordfmi.dll easily (due to prior experiences, I renamed the 
file adding unordfmi.dll.OLD to the extension, just in case).
I copied the new unordfmi.dll to the same folder and that was that - no 
complaining from the system.

Take Care,
Scooter

-------- Original Message --------
Subject: 	Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date: 	Sun, 25 Mar 2012 19:59:56 +1100
From: 	Martin Groenescheij <Martin@Groenescheij.COM>
Reply-To: 	ooo-users@incubator.apache.org
To: 	ooo-users@incubator.apache.org



Hi Boiling John,

You could be a little more polite, keep in mind
that Rob provided this patch to protect our security.
The instructions are clear and I didn't have a
problem installing it.

Martin

On 25/03/2012 5:18 PM, John Boyle wrote:
>  On 3/22/2012 6:16 AM, Rob Weir wrote:
>>  Please note, this is the official security
>>  bulletin, targeted for
>>  security professionals.  If you are an
>>  OpenOffice.org 3.3 user, and
>>  are able to apply the mentioned patch, then you
>>  are encouraged to do
>>  so.  If someone else supports or manages your
>>  desktop, then please
>>  forward this information to them.
>>
>>  Additional support is available on our
>>  Community Forums:
>>
>>  http://user.services.openoffice.org/
>>
>>  And via our ooo-users mailing list:
>>
>>  http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>
>>
>>  Note:  This security patch for OpenOffice.org
>>  is made available to
>>  legacy OpenOffice.org users as a service by the
>>  Apache OpenOffice
>>  Project Management Committee.  The patch is
>>  made available under the
>>  Apache License, and due to its importance, we
>>  are releasing it outside
>>  of the standard release cycle.
>>
>>  -Rob
>>
>>  -----BEGIN PGP SIGNED MESSAGE-----
>>  Hash: SHA512
>>
>>  CVE-2012-0037: OpenOffice.org data leakage
>>  vulnerability
>>
>>  Severity: Important
>>
>>  Vendor: The Apache Software Foundation
>>
>>  Versions Affected: OpenOffice.org 3.3 and 3.4
>>  Beta, on all platforms.
>>  Earlier versions may be also affected.
>>
>>  Description: An XML External Entity (XXE) attack is possible in the
>>  above versions of OpenOffice.org.  This vulnerability exploits the way
>>  in which external entities are processed in certain XML components of
>>  ODF documents.  By crafting an external entity to refer to other local
>>  file system resources, an attacker would be able to inject contents of
>>  other locally-accessible files into the ODF document, without the
>>  user's knowledge or permission.  Data leakage then becomes possible
>>  when that document is later distributed to other parties.
>>
>>  Mitigation: OpenOffice.org 3.3.0 and 3.4 beta
>>  users should install the
>>  patch at:
>>  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>
>>
>>  This vulnerability is also fixed in Apache
>>  OpenOffice 3.4 dev
>>  snapshots since March 1st, 2012.
>>
>>  Source and Building: Information on obtaining
>>  the source code for this
>>  patch, and for porting it or adapting it to
>>  OpenOffice.org derivatives
>>  can be found here:
>>  http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>
>>
>>  Credit: The Apache OpenOffice project
>>  acknowledges and thanks the
>>  discoverer of this issue, Timothy D. Morgan of
>>  Virtual Security
>>  Research, LLC.
>>
>>  References: http://security.openoffice.org
>>
>>  -----BEGIN PGP SIGNATURE-----
>>  Version: GnuPG v1.4.11 (GNU/Linux)
>>
>>  -----END PGP SIGNATURE-----
>>
>>  ---------------------------------------------------------------------
>>
>>  To unsubscribe, e-mail:
>>  ooo-users-unsubscribe@incubator.apache.org
>>  For additional commands, e-mail:
>>  ooo-users-help@incubator.apache.org
>>
>>
>  To Rob Weir: I have been a user of computers
>  since the TRS 80 from Tandy and a user of
>  OpenOffice for I don't know how many years! The
>  asinine patch that was put out to be installed
>  was badly done and I cannot use it whatsoever!
>  Now, if someone cannot get it to their heads
>  that a patch must be a simple install from the
>  get go, then they are going to lose users of
>  open office for their arrogance. A four-part
>  Idiotic message claiming to give you a patch is
>  actually totally worthless! Have you ever heard
>  of the DUMMIES books and method of approach to
>  this problem? :-( :-( :-(

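The bulletin quoted above describes external entities declared inside the XML components of an ODF document. As an added example (not part of the original messages or of the Apache OpenOffice patch), the following triage script opens an ODF package and reports any DOCTYPE or external entity declaration in its XML members; the member names, the entity name `leak` and the `file:///constructed/...` path are constructed placeholders.

```python
import io
import re
import zipfile

DOCTYPE = re.compile(r"<!DOCTYPE\b")
# General or parameter entity declared with an external identifier.
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s+)?(\S+)\s+(SYSTEM|PUBLIC)\b")
XML_SUFFIXES = (".xml", ".rdf")


def _decode(raw: bytes) -> str:
    # A UTF-16 member would hide the markup from a plain byte search.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_odf(data: bytes):
    """Return (member, kind, detail) tuples for an ODF package given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith(XML_SUFFIXES):
                continue
            text = _decode(pkg.read(name))
            if DOCTYPE.search(text):
                # A DOCTYPE alone is only worth a look; entities are the finding.
                findings.append((name, "doctype", ""))
            for m in EXTERNAL_ENTITY.finditer(text):
                detail = f"{m.group(1)} {m.group(2)}"
                findings.append((name, "external-entity", detail))
    return findings


def build_sample(with_entity: bool) -> bytes:
    """Constructed in-memory package; all names and paths are placeholders."""
    rdf = '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    if with_entity:
        rdf = ('<!DOCTYPE rdf:RDF [<!ENTITY leak SYSTEM '
               '"file:///constructed/placeholder.txt">]>\n' + rdf)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", '<?xml version="1.0"?><doc/>')
        pkg.writestr("manifest.rdf", '<?xml version="1.0"?>\n' + rdf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("suspicious", True)):
        print(label, scan_odf(build_sample(flag)))
```

This is a pattern scan for flagging documents before they are opened or redistributed, not a full XML parser, and it does not replace installing the patch referenced in the bulletin.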