incubator-ooo-users mailing list archives

From Ariel Constenla-Haile <arie...@apache.org>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Tue, 24 Apr 2012 10:50:49 GMT
Hi Gary,

On Mon, Apr 23, 2012 at 07:06:44PM -0700, NoOp wrote:
> On 04/23/2012 02:00 PM, Ariel Constenla-Haile wrote:
> ...
> > 
> > Warning: I did little testing on the following, so back up the library
> > (and your data) before doing your own tests.
> > 
> > AFAIK the solution is rather simple, because the library with the
> > vulnerability is a UNO component, so it uses stable interfaces: you can
> > simply copy the library from the AOO RC1 in your OOo 3.3 installation.
> > The library is /opt/openoffice.org/basis3.4/program/libunordf.so
> > 
> > Note that libraries in Linux used to have a postfix that was removed in
> > AOO, so adjust the library name (and before, do a backup):
> > 
> > 
> > Do the back-up:
> > Linux 64 bits:
> > ]$ sudo mv /opt/openoffice.org/basis3.3/program/libunordflx.so /opt/openoffice.org/basis3.3/program/libunordflx.so.bk
> > Linux 32 bits:
> > ]$ sudo mv /opt/openoffice.org/basis3.3/program/libunordfli.so /opt/openoffice.org/basis3.3/program/libunordfli.so.bk
> > 
> > Copy the library:
> > In Linux 64 bits
> > ]$ sudo cp -fv libunordf.so /opt/openoffice.org/basis3.3/program/libunordflx.so
> > In Linux 32 bits
> > ]$ sudo cp -fv libunordf.so /opt/openoffice.org/basis3.3/program/libunordfli.so
> > 
> > My tests worked fine on Linux 32 and 64 bits.
> > More people testing is welcome.
> 
> Thanks Ariel! I'll try to test tomorrow. Currently the 3.4 versions:
> <https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+Unofficial+Developer+Snapshots>
> install into the same location as OOo 3.3.0 (/opt/openoffice.org3)
> instead of /opt/openoffice.org3.4/. So, I'll need to do complete
> parallel installs in order to test properly. Note: I could just as
> easily extract the .so from the .deb if I knew which one(s).

The library is inside the following package:
64 bits: ooobasis3.4-core05_3.4.0-1_amd64.deb
32 bits: ooobasis3.4-core05_3.4.0-1_i386.deb

You can download the libraries (with the name already modified) from:

http://people.apache.org/~arielch/CVE-2012-0037.zip
http://people.apache.org/~arielch/CVE-2012-0037.zip.asc


Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina
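
The backup-and-copy steps quoted above, combined with a check of the `.asc` signature, as an added example that is not part of the original message or of OpenOffice. The function names are hypothetical, the backup is made with `cp -p` rather than `mv` so the library is never absent, and `verify_download` assumes `gpg` is installed with the signer's public key already imported.

```shell
#!/bin/sh
# Added example. verify_download, target_name and swap_library are
# hypothetical helper names, not part of OpenOffice or the original message.

# Check the detached signature published next to the archive.
# Assumes gpg is installed and the signer's public key is already imported.
verify_download() {
    gpg --verify "$1.asc" "$1"
}

# Map a machine architecture to the OOo 3.3 library name from the message.
target_name() {
    case "$1" in
        x86_64|amd64) echo libunordflx.so ;;
        i?86)         echo libunordfli.so ;;
        *)            return 1 ;;
    esac
}

# swap_library NEW_LIB PROGRAM_DIR ARCH
# Copies the original to <name>.bk (an existing backup is never overwritten),
# installs NEW_LIB under the 3.3 name, and restores the backup if the copy
# fails or the installed file differs from NEW_LIB. Prints the target path.
swap_library() {
    new_lib=$1
    prog_dir=$2
    name=$(target_name "$3") || { echo "unsupported arch: $3" >&2; return 2; }
    target="$prog_dir/$name"
    [ -f "$new_lib" ] || { echo "missing $new_lib" >&2; return 3; }
    [ -f "$target" ] || { echo "missing $target" >&2; return 4; }
    if [ ! -e "$target.bk" ]; then
        cp -p "$target" "$target.bk" || return 5
    fi
    if ! cp -f "$new_lib" "$target" || ! cmp -s "$new_lib" "$target"; then
        cp -pf "$target.bk" "$target"
        return 6
    fi
    echo "$target"
}

# Typical use, run with root privileges:
#   verify_download CVE-2012-0037.zip &&
#   swap_library libunordf.so /opt/openoffice.org/basis3.3/program "$(uname -m)"
```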
