incubator-ooo-users mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Thu, 19 Apr 2012 03:10:22 GMT
There has been no discussion of any sort of Linux triage regarding CVE-2012-0037 that I am
aware of.

It is not unusual for CVEs to sit in limbo like that.  I have no idea who recorded this particular
CVE.  In any case, the updating of the CVE is different than when and where there is a mitigation.

You know from watching the effort that produces developer snapshots that Linux is included.
It is also easy to confirm that a buildbot builds for Linux every night.  And the packaging
of candidates for release of Apache OpenOffice 3.4.0 includes full Linux sets.  See
<https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+Unofficial+Developer+Snapshots>
and
<https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+%28incubating%29+Release+Candidate>

It is the case that a Linux patch has not been produced.  It is my understanding that it was
thought sufficient for the source code for the patch (which is ALv2 licensed) to end up being
built into Linux distributions as the part of Linux vendors making full builds for their custom
distributions.  When it was pointed out that many installations of OpenOffice.org on Linux
are downloaded and installed directly by end-users (and many Linux distributions include different
OpenOffice-lineage software [for which patched releases were already available]), there was
a call on ooo-dev for some Linux mavens to pitch in to pull together a patch for Linux.  I
think a few raised their hands.  I know of no further action.

To issue a patch for Windows was easy in a particular way: a single DLL was rebuilt from entirely-Apache-licensed
code that now exists.  Even then, extraordinary measures were required to make it available
outside of the Apache requirements for an approved release.  Not being a Linux developer myself,
I don't know if there was a similar opportunity and I don't know if a similar exception is
available. I presume so, since there was a Macintosh patch, but I am no expert.

All of the current developer snapshots and potential release candidates have the fix, including
for Linux.  But these are not releases.  I would not be surprised to learn that the developers
expected an AOO 3.4 release to have been available by now and achieving that has commanded
all of the attention.  I am guessing, of course.  

 - Dennis

-----Original Message-----
From: NoOp [mailto:glgxg@sbcglobal.net] 
Sent: Wednesday, April 18, 2012 17:56
To: ooo-users@incubator.apache.org
Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

On 03/23/2012 02:17 PM, Rob Weir wrote:
> On Fri, Mar 23, 2012 at 5:11 PM, Girvin R. Herr
> <girvin.herr@sbcglobal.net> wrote:
>> Dave,
>> Thanks for the quick, encouraging response.
>> I thought this security patch was part of an Apache effort and sanction.  I
>> was not aware that it was produced by a 3rd party without Apache support.
> 
> That's a logical leap without basis.  It is possible for a small group
> at Apache to have produced the patch and for there to be no policy
> against Linux.  In fact both statements are true.
> 
> Remember, we're not a commercial software vendor. Apache is a
> non-profit, run by volunteers.  If volunteers wish to make a Linux
> patch, then they will.  And it appears they will.  We've certainly
> been building and testing OpenOffice 3.4 for Linux.  If there are
> volunteers for Solaris, BSD, OS/2 or whatever, those patches will also
> appear.  The Apache license allows anyone to take this code and build
> it on whatever platform they want.
> 
>>  My apologies to all. I will still keep an eye on it, but I am relieved that
>> the Linux omission was not a result of Apache policy.
> 
> Again, policy has nothing to do with this.
...

Really? Then perhaps you can tell us where to find the linux patch. It's
now April 18. AOO couldn't figure out a linux patch in all that time?

Is there a different mirror than:
<http://www.eng.lsu.edu/mirrors/apache//incubator/ooo/3.3/patches/cve-2012-0037/>
with the linux patch(es)?

Seems pretty sad that AOO are unable to provide a linux patch when the
Windows and Mac patches were provided 21 March.  Makes one wonder if
Apache even plan to support linux AOO. Particularly given this statement:

"Linux and other platforms should consult their distro or OS vendor for
patch instructions."

on <http://www.openoffice.org/security/cves/CVE-2012-0037.html>.

BTW: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037> is
still showing:
CVE-2012-0037
(under review)
"** RESERVED ** This candidate has been reserved by an organization or
individual that will use it when announcing a new security problem. When
the candidate has been publicized, the details for this candidate will
be provided. "
Nor is there any mention of that CVE here:
<https://incubator.apache.org/openofficeorg/security.html>
So perhaps it really isn't something to worry about after all.

---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org
