incubator-ooo-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Sun, 29 Apr 2012 20:42:22 GMT
On Sun, Apr 29, 2012 at 4:14 PM, Ariel Constenla-Haile
<arielch@apache.org> wrote:
> Hi Gary,
>
> On Sun, Apr 29, 2012 at 12:24:11PM -0700, NoOp wrote:
>> On 04/26/2012 01:36 PM, NoOp wrote:
>> > On 04/24/2012 03:50 AM, Ariel Constenla-Haile wrote:
>> ...
>> >>
>> >> The library is inside the following package:
>> >> 64 bits: ooobasis3.4-core05_3.4.0-1_amd64.deb
>> >> 32 bits: ooobasis3.4-core05_3.4.0-1_i386.deb
>> >
>> > Excellent! Got them both and so far nothing has blown up in 3.3.0 (32
>> > bit and 64 bit) :-) Thanks.
>> ...
>>
>> No crashes etc. Is there a way that I can test to see if this
>> modification actually is working?
>
> A general test, like the one you performed, tests that the library can
> be loaded (no missing symbols) and its functionality executed (I could
> even provide some OOo basic code that directly uses the UNO component in
> that library).
>
> There is a document to test the actual vulnerability, but it is only
> accesible to members of the AOO security mailing list (due to the
> obvious reasons). I quote a mail from the development mailing list:
>
>
>> For #3, I'm sure many of us can help.  We have a proof of concept file
>> that shows the exploit that we can test against, but we need to take
>> extreme measures to ensure that filed is not publicly disclosed.
>
> I tested on
>
> Fedora 16 - 64 bits
> Ubuntu 11.10 (Oneiric Ocelot) - 64 bits
> Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits
>
> The problem is that I couldn't reproduce the issue: OOo 3.3 simply
> *crashes* when trying to open the bug document lin.odt (the report says
> it should perform some malicious actions).
>
> The good news is that replacing the old library with the patched library
> solves the crash, and does not reproduce the vulnerability issue.
>
> I am not sure if anyone has been able to reproduce the issue on Linux
> with OOo 3.3. May be we can give you the file to test it, it would be
> nice to have someone else testing it. If someone knows we are able to do
> so, please let us know.
>

Absolutely not.  The test exploit file must *not* be shared.

-Rob

> I ping Rob, here on CC.
>



>
> Regards
> --
> Ariel Constenla-Haile
> La Plata, Argentina

---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org


Mime
View raw message