incubator-ooo-users mailing list archives

From Stacie Jones <queenigra...@gmail.com>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Mon, 26 Mar 2012 02:33:59 GMT
Is there another thread where people can be rude and argue? I don't like
that cluttering up my inbox.

On Sun, Mar 25, 2012 at 8:13 PM, John Boyle <jhnboyle788@gmail.com> wrote:

> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>
>> Hi Boiling John,
>>
>> You could be a little more polite, keep in mind that Rob provided this
>> patch to protect our security.
>> The instructions are clear and I didn't have a problem installing it.
>>
>> Martin
>>
>> On 25/03/2012 5:18 PM, John Boyle wrote:
>>
>>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>
>>>> Please note, this is the official security bulletin, targeted for
>>>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>>>> are able to apply the mentioned patch, then you are encouraged to do
>>>> so.  If someone else supports or manages your desktop, then please
>>>> forward this information to them.
>>>>
>>>> Additional support is available on our Community Forums:
>>>>
>>>> http://user.services.openoffice.org/
>>>>
>>>> And via our ooo-users mailing list:
>>>>
>>>> http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list
>>>>
>>>> Note:  This security patch for OpenOffice.org is made available to
>>>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>>>> Project Management Committee.  The patch is made available under the
>>>> Apache License, and due to its importance, we are releasing it outside
>>>> of the standard release cycle.
>>>>
>>>> -Rob
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>>>
>>>> Severity: Important
>>>>
>>>> Vendor: The Apache Software Foundation
>>>>
>>>> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
>>>> Earlier versions may be also affected.
>>>>
>>>> Description: An XML External Entity (XXE) attack is possible in the
>>>> above versions of OpenOffice.org.  This vulnerability exploits the way
>>>> in which external entities are processed in certain XML components of
>>>> ODF documents.  By crafting an external entity to refer to other local
>>>> file system resources, an attacker would be able to inject contents of
>>>> other locally-accessible files into the ODF document, without the
>>>> user's knowledge or permission.  Data leakage then becomes possible
>>>> when that document is later distributed to other parties.
>>>>
>>>> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
>>>> patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html
>>>>
>>>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>>>> snapshots since March 1st, 2012.
>>>>
>>>> Source and Building: Information on obtaining the source code for this
>>>> patch, and for porting it or adapting it to OpenOffice.org derivatives
>>>> can be found here:
>>>> http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt
>>>>
>>>> Credit: The Apache OpenOffice project acknowledges and thanks the
>>>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>>>> Research, LLC.
>>>>
>>>> References: http://security.openoffice.org
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>>>
>>>> -----END PGP SIGNATURE-----
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
>>>> For additional commands, e-mail: ooo-users-help@incubator.apache.org
>>>>
>>>>
>>> To Rob Weir: I have been a user of computers since the TRS 80 from
>>> Tandy and a user of OpenOffice for I don't know how many years! The asinine
>>> patch that was put out to be installed was badly done and I cannot use it
>>> whatsoever! Now, if someone cannot get it to their heads that a patch must
>>> be a simple install from the get go, then they are going to lose users of
>>> open office for their arrogance. A four-part idiotic message claiming to
>>> give you a patch is actually totally worthless! Have you ever heard of the
>>> DUMMIES books and method of approach to this problem? :-( :-( :-(
>>>
>>>
>>
> To Rob and Martin: I had no intention of being impolite, but I never
> found any third page I keep hearing about and cannot figure how to install
> the patch! I was just asking if there wasn't a simpler way or where the
> heck was the patch at? I can't figure it out from what you've gotten and I
> started with computers on a TRS 80 computer. I simply would like to get my
> OpenOffice patched correctly and am asking if it's at all possible? :-\
>
>


-- 
Peace,
Stacie M. Jones
~"Lokaa samastaa sukhino bhavantu,"~
"May all worlds be happy."
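
A defender-side check for the issue described in the advisory quoted in this thread, as an added example that is not part of the original messages or of the Apache OpenOffice patch: it lists external entity declarations found in the XML members of an ODF package. The function names, the `example.xml` member and the placeholder `file:///` URI are constructed for illustration.

```python
import io
import re
import zipfile

# <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "pubid" "uri">,
# including parameter entities (<!ENTITY % name ...>).
EXTERNAL_ENTITY = re.compile(
    rb"""<!ENTITY\s+(?:%\s+)?([^\s>]+)\s+"""
    rb"""(?:SYSTEM|PUBLIC\s*(?:"[^"]*"|'[^']*'))\s*"""
    rb"""(?:"([^"]*)"|'([^']*)')"""
)


def _as_utf8(raw):
    """Normalise UTF-16 members (detected by BOM) so the byte regex still applies."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace").encode("utf-8")
    return raw


def find_external_entities(odf_bytes):
    """Return [(member, entity_name, uri)] for each external entity declared."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as package:
        for info in package.infolist():
            # ODF packages keep their XML in .xml members plus manifest.rdf.
            if not info.filename.lower().endswith((".xml", ".rdf")):
                continue
            data = _as_utf8(package.read(info))
            for m in EXTERNAL_ENTITY.finditer(data):
                uri = m.group(2) if m.group(2) is not None else m.group(3)
                findings.append((info.filename,
                                 m.group(1).decode(errors="replace"),
                                 uri.decode(errors="replace")))
    return findings


def build_sample(xml_members):
    """Build a minimal constructed ODF-like zip in memory (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        for name, body in xml_members.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: one clean member, one declaring an external entity.
CLEAN = build_sample({"example.xml": '<?xml version="1.0"?><doc>hello</doc>'})
CRAFTED = build_sample({"example.xml": '<?xml version="1.0"?>\n<!DOCTYPE doc '
    '[ <!ENTITY leak SYSTEM "file:///placeholder/path"> ]>\n<doc>&leak;</doc>'})
```

Any finding on a document received from outside is worth reviewing before the file is opened in an unpatched OpenOffice.org 3.3 or 3.4 Beta install.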
