incubator-ooo-users mailing list archives

From "Niall Martin" <ni...@rndmartin.cix.co.uk>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Thu, 29 Mar 2012 09:18:09 GMT
That's good advice: apart from odd bits of stuff that belong with the op system and its
maintenance I put all programmes in a separate partition from the op system, helping to
minimize the mess that Windows makes of things. I also have a separate partition for data,
on a separate hard disc.

On 28 Mar 2012 at 15:28, Scooter C wrote:

Send reply to:  	ooo-users@incubator.apache.org
Date sent:      	Wed, 28 Mar 2012 15:28:30 -0400
From:           	Scooter C <scooter@scootersdesk.com>
To:             	"ooo-users@incubator.apache.org >> Group for Users Open 
Office" <ooo-users@incubator.apache.org>
Subject:        	Fwd: Re: CVE-2012-0037: OpenOffice.org data leakage 
vulnerability

> Two points I want to make.
> The PDF instructions WERE adequate but misleading. I agree with John,
> it should be more straightforward or installable.
> 
> One trick I learned years ago: Always put the program files where YOU
> want them, not where the installer normally puts them. MY OOa Files
> are in a folder named Office. Easy to keep track of new or replaced
> files. I found unordfmi.dll easily (due to prior experiences, I
> renamed the file, adding unordfmi.dll.OLD to the
> extension, just in case). I copied the new unordfmi.dll to the same
> folder and that was that - no complaining from the system.
> 
> Take Care,
> Scooter
> 
> -------- Original Message --------
> Subject: 	Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
> Date: 	Sun, 25 Mar 2012 19:59:56 +1100
> From: 	Martin Groenescheij <Martin@Groenescheij.COM>
> Reply-To: 	ooo-users@incubator.apache.org
> To: 	ooo-users@incubator.apache.org
> 
> 
> 
> Hi Boiling John,
> 
> You could be a little more polite, keep in mind
> that Rob provided this patch to protect our security.
> The instructions are clear and I didn't have a
> problem installing it.
> 
> Martin
> 
> On 25/03/2012 5:18 PM, John Boyle wrote:
> >  On 3/22/2012 6:16 AM, Rob Weir wrote:
> >>  Please note, this is the official security
> >>  bulletin, targeted for
> >>  security professionals.  If you are an
> >>  OpenOffice.org 3.3 user, and
> >>  are able to apply the mentioned patch, then you
> >>  are encouraged to do
> >>  so.  If someone else supports or manages your
> >>  desktop, then please
> >>  forward this information to them.
> >>
> >>  Additional support is available on our
> >>  Community Forums:
> >>
> >>  http://user.services.openoffice.org/
> >>
> >>  And via our ooo-users mailing list:
> >>
> >>  http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
> >>
> >>
> >>  Note:  This security patch for OpenOffice.org
> >>  is made available to
> >>  legacy OpenOffice.org users as a service by the
> >>  Apache OpenOffice
> >>  Project Management Committee.  The patch is
> >>  made available under the
> >>  Apache License, and due to its importance, we
> >>  are releasing it outside
> >>  of the standard release cycle.
> >>
> >>  -Rob
> >>
> >>  -----BEGIN PGP SIGNED MESSAGE-----
> >>  Hash: SHA512
> >>
> >>  CVE-2012-0037: OpenOffice.org data leakage
> >>  vulnerability
> >>
> >>  Severity: Important
> >>
> >>  Vendor: The Apache Software Foundation
> >>
> >>  Versions Affected: OpenOffice.org 3.3 and 3.4
> >>  Beta, on all platforms.
> >>  Earlier versions may be also affected.
> >>
> >>  Description: An XML External Entity (XXE) attack is possible in the
> >>  above versions of OpenOffice.org.  This vulnerability exploits the way
> >>  in which external entities are processed in certain XML components of
> >>  ODF documents.  By crafting an external entity to refer to other local
> >>  file system resources, an attacker would be able to inject contents of
> >>  other locally-accessible files into the ODF document, without the
> >>  user's knowledge or permission.  Data leakage then becomes possible
> >>  when that document is later distributed to other parties.
> >>
> >>  Mitigation: OpenOffice.org 3.3.0 and 3.4 beta
> >>  users should install the
> >>  patch at:
> >>  http://www.openoffice.org/security/cves/CVE-2012-0037.html
> >>
> >>
> >>  This vulnerability is also fixed in Apache
> >>  OpenOffice 3.4 dev
> >>  snapshots since March 1st, 2012.
> >>
> >>  Source and Building: Information on obtaining
> >>  the source code for this
> >>  patch, and for porting it or adapting it to
> >>  OpenOffice.org derivatives
> >>  can be found here:
> >>  http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
> >>
> >>
> >>  Credit: The Apache OpenOffice project
> >>  acknowledges and thanks the
> >>  discoverer of this issue, Timothy D. Morgan of
> >>  Virtual Security
> >>  Research, LLC.
> >>
> >>  References: http://security.openoffice.org
> >>
> >>  -----BEGIN PGP SIGNATURE-----
> >>  Version: GnuPG v1.4.11 (GNU/Linux)
> >>
> >>  -----END PGP SIGNATURE-----
> >>
> >>  ------------------------------------------------------------------
> >>  ---
> >>
> >>  To unsubscribe, e-mail:
> >>  ooo-users-unsubscribe@incubator.apache.org
> >>  For additional commands, e-mail:
> >>  ooo-users-help@incubator.apache.org
> >>
> >>
> >  To Rob Weir: I have been a user of computers
> >  since the TRS 80 from Tandy and a user of
> >  OpenOffice for I don't know how many years! The
> >  asinine patch that was put out to be installed
> >  was badly done and I cannot use it whatsoever!
> >  Now, if someone cannot get it to their heads
> >  that a patch must be a simple install from the
> >  get go, then they are going to lose users of
> >  open office for their arrogance. A four-part
> >  Idiotic message claiming to give you a patch is
> >  actually totally worthless! Have you ever heard
> >  of the DUMMIES books and method of approach to
> >  this problem?:-( :-( :-(
> >


Niall Martin
Phone 0131 4678468
Please reply to: niall<at>rndmartin.cix.co.uk
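
An added example, not part of this thread or of the OpenOffice.org patch: a triage check for the issue the quoted bulletin describes, listing external entity declarations found in the members of an ODF package. The member name, entity name and file URI in the sample are constructed placeholders, and scanning every member of the package is an assumption, since the bulletin does not say which XML components are affected.

```python
import io
import re
import zipfile

MAX_MEMBER = 16 * 1024 * 1024  # skip oversized members rather than inflate them

# <!ENTITY name SYSTEM "uri"> or <!ENTITY % name PUBLIC "id" "uri">
ENTITY_DECL = re.compile(
    r"<!ENTITY\s+(?:%\s+)?(\S+)\s+(SYSTEM|PUBLIC)\s+((?:\"[^\"]*\"|'[^']*'|\s)+)>")
LITERAL = re.compile(r"\"([^\"]*)\"|'([^']*)'")


def decode_xml(data: bytes) -> str:
    """Decode by byte-order mark so UTF-16 members are not missed."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")


def find_external_entities(odf_bytes: bytes):
    """Return (member, entity name, system identifier) per external entity."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for info in pkg.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            text = decode_xml(pkg.read(info))
            for match in ENTITY_DECL.finditer(text):
                literals = LITERAL.findall(match.group(3))
                if not literals:
                    continue
                system_id = "".join(literals[-1])  # last literal is the URI
                findings.append((info.filename, match.group(1), system_id))
    return findings


def build_sample() -> bytes:
    """Constructed ODF-like package: one clean member, one with an entity."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", "<?xml version='1.0'?><doc>clean</doc>")
        pkg.writestr("constructed-member.xml", (
            '<?xml version="1.0"?>\n<!DOCTYPE d [\n'
            '  <!ENTITY leak SYSTEM "file:///constructed/placeholder.txt">\n'
            ']>\n<d>&leak;</d>').encode("utf-16"))
    return buf.getvalue()


if __name__ == "__main__":
    print(find_external_entities(build_sample()))
```

A finding means the document asks the parser to fetch something outside the package, so it is worth reviewing before the file is opened in an unpatched install or passed on to anyone else.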

