incubator-ooo-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ariel Constenla-Haile <>
Subject Re: CVE-2012-0037: data leakage vulnerability
Date Sun, 29 Apr 2012 20:14:36 GMT
Hi Gary,

On Sun, Apr 29, 2012 at 12:24:11PM -0700, NoOp wrote:
> On 04/26/2012 01:36 PM, NoOp wrote:
> > On 04/24/2012 03:50 AM, Ariel Constenla-Haile wrote:
> ...
> >> 
> >> The library is inside the following package:
> >> 64 bits: ooobasis3.4-core05_3.4.0-1_amd64.deb
> >> 32 bits: ooobasis3.4-core05_3.4.0-1_i386.deb
> > 
> > Excellent! Got them both and so far nothing has blown up in 3.3.0 (32
> > bit and 64 bit) :-) Thanks.
> ...
> No crashes etc. Is there a way that I can test to see if this
> modification actually is working?

A general test, like the one you performed, tests that the library can
be loaded (no missing symbols) and its functionality executed (I could
even provide some OOo basic code that directly uses the UNO component in
that library).

There is a document to test the actual vulnerability, but it is only
accesible to members of the AOO security mailing list (due to the
obvious reasons). I quote a mail from the development mailing list:

> For #3, I'm sure many of us can help.  We have a proof of concept file
> that shows the exploit that we can test against, but we need to take
> extreme measures to ensure that filed is not publicly disclosed.

I tested on

Fedora 16 - 64 bits
Ubuntu 11.10 (Oneiric Ocelot) - 64 bits
Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits

The problem is that I couldn't reproduce the issue: OOo 3.3 simply
*crashes* when trying to open the bug document lin.odt (the report says
it should perform some malicious actions).

The good news is that replacing the old library with the patched library
solves the crash, and does not reproduce the vulnerability issue.

I am not sure if anyone has been able to reproduce the issue on Linux
with OOo 3.3. May be we can give you the file to test it, it would be
nice to have someone else testing it. If someone knows we are able to do
so, please let us know.

I ping Rob, here on CC.

Ariel Constenla-Haile
La Plata, Argentina

View raw message