incubator-ooo-users mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Sun, 22 Apr 2012 12:36:50 GMT

Although free-standing Linux patches remain unavailable for pre-Apache OpenOffice distributions,
a platform distribution containing the repair has appeared.  

Here is how the Mandriva update was announced:
<http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:062>.

Mandriva issued patched versions of their supported distributions for OpenOffice.org, LibreOffice,
and the common library that is the source of the vulnerability.  There are separate Mandriva
advisories for each.

 - Dennis

-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] 
Sent: Thursday, April 19, 2012 10:46
To: ooo-users@incubator.apache.org
Subject: RE: CVE-2012-0037: OpenOffice.org data leakage vulnerability

PS: On March 22, when notice of the CVE was made in various places (e.g., 
<http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086237.html>),
that information not only linked to the two available pre-build patches but also included
a link to this information on how to find the source code that could be adapted to patching
any other related release: 
<http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt>.

This is not an end-user Linux solution, but it is an available open-source solution.


-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org] 
<http://mail-archives.apache.org/mod_mbox/incubator-ooo-users/201204.mbox/%3c003101cd1dd9$f63ddad0$e2b99070$@acm.org%3e>
Sent: Wednesday, April 18, 2012 20:10
To: ooo-users@incubator.apache.org
Subject: RE: CVE-2012-0037: OpenOffice.org data leakage vulnerability

[ ... ]
  
It is the case that a Linux patch has not been produced.  It is my understanding that it was
thought sufficient for the source code for the patch (which is ALv2 licensed) to end up being
built into Linux distributions as the part of Linux vendors making full builds for their custom
distributions.  When it was pointed out that many installations of OpenOffice.org on Linux
are downloaded and installed directly by end-users (and many Linux distributions include different
OpenOffice-lineage software [for which patched releases were already available]), there was
a call on ooo-dev for some Linux mavens to pitch in to pull together a patch for Linux.  I
think a few raised their hands.  I know of no further action.

[ ... ]


---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org

