incubator-ooo-users mailing list archives

From Ariel Constenla-Haile <arie...@apache.org>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Sun, 29 Apr 2012 21:09:39 GMT
On Sun, Apr 29, 2012 at 04:42:22PM -0400, Rob Weir wrote:
> >> >> The library is inside the following package:
> >> >> 64 bits: ooobasis3.4-core05_3.4.0-1_amd64.deb
> >> >> 32 bits: ooobasis3.4-core05_3.4.0-1_i386.deb
> >> >
> >> > Excellent! Got them both and so far nothing has blown up in 3.3.0 (32
> >> > bit and 64 bit) :-) Thanks.
> >> ...
> >>
> >> No crashes etc. Is there a way that I can test to see if this
> >> modification actually is working?
> >
> > A general test, like the one you performed, tests that the library can
> > be loaded (no missing symbols) and its functionality executed (I could
> > even provide some OOo basic code that directly uses the UNO component in
> > that library).
> >
> > There is a document to test the actual vulnerability, but it is only
> > accessible to members of the AOO security mailing list (due to the
> > obvious reasons). I quote a mail from the development mailing list:
> >
> >
> >> For #3, I'm sure many of us can help.  We have a proof of concept file
> >> that shows the exploit that we can test against, but we need to take
> >> extreme measures to ensure that file is not publicly disclosed.
> >
> > I tested on
> >
> > Fedora 16 - 64 bits
> > Ubuntu 11.10 (Oneiric Ocelot) - 64 bits
> > Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits
> >
> > The problem is that I couldn't reproduce the issue: OOo 3.3 simply
> > *crashes* when trying to open the bug document lin.odt (the report says
> > it should perform some malicious actions).
> >
> > The good news is that replacing the old library with the patched library
> > solves the crash, and does not reproduce the vulnerability issue.
> >
> > I am not sure if anyone has been able to reproduce the issue on Linux
> > with OOo 3.3. Maybe we can give you the file to test it, it would be
> > nice to have someone else testing it. If someone knows we are able to do
> > so, please let us know.
> >
> 
> Absolutely not.  The test exploit file must *not* be shared.

That's what I guessed. So how will we proceed? I couldn't reproduce the
exploit in any of the three distros I tried, OOo 3.3 only crashes but
does not exploit as expected.

We have the solution (the library from AOO RC1 can be used as
a replacement), but IMO we need some more testing with the test exploit
file.


Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina
