incubator-ooo-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Mon, 26 Mar 2012 01:58:02 GMT
On Sun, Mar 25, 2012 at 8:13 PM, John Boyle <jhnboyle788@gmail.com> wrote:

> On 3/25/2012 1:59 AM, Martin Groenescheij wrote:
>
>> Hi Boiling John,
>>
>> You could be a little more polite, keep in mind that Rob provide this
>> patch to protect or security.
>> The instructions are clear and I didn't had a problem to install it.
>>
>> Martin
>>
>> On 25/03/2012 5:18 PM, John Boyle wrote:
>>
>>> On 3/22/2012 6:16 AM, Rob Weir wrote:
>>>
>>>> Please note, this is the official security bulletin, targeted for
>>>> security professionals.  If you are an OpenOffice.org 3.3 user, and
>>>> are able to apply the mentioned patch, then you are encouraged to do
>>>> so.  If someone else supports or manages your desktop, then please
>>>> forward this information to them.
>>>>
>>>> Additional support is available on our Community Forums:
>>>>
>>>> http://user.services.**openoffice.org/<http://user.services.openoffice.org/>
>>>>
>>>> And via our ooo-users mailing list:
>>>>
>>>> http://incubator.apache.org/**openofficeorg/mailing-lists.**
>>>> html#users-mailing-list<http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list>
>>>>
>>>> Note:  This security patch for OpenOffice.org is made available to
>>>> legacy OpenOffice.org users as a service by the Apache OpenOffice
>>>> Project Management Committee.  The patch is made available under the
>>>> Apache License, and due to its importance, we are releasing it outside
>>>> of the standard release cycle.
>>>>
>>>> -Rob
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>> CVE-2012-0037: OpenOffice.org data leakage vulnerability
>>>>
>>>> Severity: Important
>>>>
>>>> Vendor: The Apache Software Foundation
>>>>
>>>> Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
>>>> Earlier versions may be also affected.
>>>>
>>>> Description: An XML External Entity (XXE) attack is possible in the
>>>> above versions of OpenOffice.org.  This vulnerability exploits the way
>>>> in
>>>> which external entities are processed in certain XML components of ODF
>>>> documents.  By crafting an external entity to refer to other local
>>>> file system
>>>> resources, an attacker would be able to inject contents of other
>>>> locally- accessible files into the ODF document, without the user's
>>>> knowledge or permission.  Data leakage then becomes possible when that
>>>> document is later distributed to other parties.
>>>>
>>>> Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
>>>> patch at:  http://www.openoffice.org/**security/cves/CVE-2012-0037.**
>>>> html <http://www.openoffice.org/security/cves/CVE-2012-0037.html>
>>>>
>>>> This vulnerability is also fixed in Apache OpenOffice 3.4 dev
>>>> snapshots since March 1st, 2012.
>>>>
>>>> Source and Building: Information on obtaining the source code for this
>>>> patch, and for porting it or adapting it to OpenOffice.org derivatives
>>>> can be found here: http://www.openoffice.org/**
>>>> security/cves/CVE-2012-0037-**src.txt<http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt>
>>>>
>>>> Credit: The Apache OpenOffice project acknowledges and thanks the
>>>> discoverer of this issue, Timothy D. Morgan of Virtual Security
>>>> Research, LLC.
>>>>
>>>> References: http://security.openoffice.org
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>>>
>>>> iQIcBAEBCgAGBQJPayGmAAoJEGFAoY**dHzLzHJVcP/jXzY+**ROwPTAaSItCc4GAn2q
>>>> Gm3uL9D9aRrs/pp+**sofRkF9L3nyWEyyVfvZv6+IBrqOU/**2Tu1CD8cY6Kns1ZYxVO
>>>> ZRDiR5hhr3pA6KfWlb9W9it/**8JsTF7WZfTX0uRMPXCYlJuYQ38Nl7k**loPYswXG2w
>>>> By2J19VanlHuwLQJoNV08652HBDy2X**pa6Wk7N5NoyETILOS47QTgizjAYZ2A**Y0GE
>>>> ykBFu9A9yblLM5zftuMT/**4FxkHQ8Qx5I3NmV3V8cUgJlmbc2osc**sC23iIPcoulJF
>>>> GSn8tub/e47xzgpJy69NoHgzmb6Ou+**J3BDXr0kmH008P6FaTpTgPTltZ8Fcu**a+T2
>>>> JSWjzW5IBOW/20J9RN+**5lkDJQTY5FiqqpjV7H6bZV3+**MVx3Fk/ih1uJPr2cVZqaT
>>>> pDU5xtn79py7MNsmpjnzD7mPbdiA2O**fStzFpqUM60HOki7RgGpozvUPEvA0u**Iss9
>>>> X/**jP1KixPDdbGS2fMrM7KG9mnT8BOzwo**w0Vti7alP2x2BkTXZm2K/**qflXJDFCxTn
>>>> g23OJIxlnhC8cK4etyezWNMSya4LLM**gz6ZO+**TEdvCSaaF6b3t6seskgnFAMcdPHY
>>>> bkfzzYnACtrvQAmRQ1Nn4i1yFGAY+**cTE7sUO2NcFhHn6jXaiZFEatdh4XJE**EcTXl
>>>> OZE/3v6XnehMD/32kipa
>>>> =/qce
>>>> -----END PGP SIGNATURE-----
>>>>
>>>> ------------------------------**------------------------------**
>>>> ---------
>>>> To unsubscribe, e-mail: ooo-users-unsubscribe@**incubator.apache.org<ooo-users-unsubscribe@incubator.apache.org>
>>>> For additional commands, e-mail: ooo-users-help@incubator.**apache.org<ooo-users-help@incubator.apache.org>
>>>>
>>>>
>>>>  To Rob Weir: I have been a user of computers since the TRS 80 from
>>> Tandy and a user of OpenOffice for I don't know how many years! The asinine
>>> patch that was put out to be installed was badly done and I cannot use it
>>> whatsoever! Now, if someone cannot get it to their heads that a patch must
>>> be a simple install from the get go, then they are going to lose users of
>>> open office for their arrogance. A four-part Idiotic message claiming to
>>> give you a patch is actually totally worthless! Have you ever heard of the
>>> DUMMIES books and method of approach to this problem?:-( :-( :-(
>>>
>>> ------------------------------**------------------------------**
>>> ---------
>>> To unsubscribe, e-mail: ooo-users-unsubscribe@**incubator.apache.org<ooo-users-unsubscribe@incubator.apache.org>
>>> For additional commands, e-mail: ooo-users-help@incubator.**apache.org<ooo-users-help@incubator.apache.org>
>>>
>>>
>>>
>> ------------------------------**------------------------------**---------
>> To unsubscribe, e-mail: ooo-users-unsubscribe@**incubator.apache.org<ooo-users-unsubscribe@incubator.apache.org>
>> For additional commands, e-mail: ooo-users-help@incubator.**apache.org<ooo-users-help@incubator.apache.org>
>>
>>
>>  To Rob and Martin: I had no intention of being Impolite, but I never
> found any third page I keep hearing about and cannot figure how to install
> the patch! I was just asking if there wasn't a simpler way or where the
> heck was the patch at? I can't figure it out from what you've gotten And I
> started with computers on a TRS 80 computer. I simply would like to get my
> OpenOffice patched correctly and am asking if it's at all possible?:-\
>
>
>

Hi John.

Let's break it down.

See the original note, where I wrote;

"Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
patch at:  http://www.openoffice.org/security/cves/CVE-2012-0037.html"

Start with that page.  Load that URL in your browser.

Then on that page you will see something that says, "OpenOffice.org 3.3.0
and 3.4 beta users can patch their installation with the following patches.
Download, unzip and follow the instructions in the enclosed readme.pdf
file."

Right below that there are two links, one labeled "For Windows" and the
other "For MacOS".   Download the appropriate one, unzip and load the
readme.pdf inside.  If you are not able to unzip or read a PDF file then
let me know.

The readme.pdf file has its own instructions, with pictures, which should
make the remaining steps clear.  But let me know if you have further
questions.

-Rob




> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: ooo-users-unsubscribe@**incubator.apache.org<ooo-users-unsubscribe@incubator.apache.org>
> For additional commands, e-mail: ooo-users-help@incubator.**apache.org<ooo-users-help@incubator.apache.org>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message