incubator-ooo-users mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date Sun, 29 Apr 2012 21:11:30 GMT
On Sun, Apr 29, 2012 at 5:09 PM, Ariel Constenla-Haile
<arielch@apache.org> wrote:
> On Sun, Apr 29, 2012 at 04:42:22PM -0400, Rob Weir wrote:
>> >> >> The library is inside the following package:
>> >> >> 64 bits: ooobasis3.4-core05_3.4.0-1_amd64.deb
>> >> >> 32 bits: ooobasis3.4-core05_3.4.0-1_i386.deb
>> >> >
>> >> > Excellent! Got them both and so far nothing has blown up in 3.3.0 (32
>> >> > bit and 64 bit) :-) Thanks.
>> >> ...
>> >>
>> >> No crashes etc. Is there a way that I can test to see if this
>> >> modification actually is working?
>> >
>> > A general test, like the one you performed, tests that the library can
>> > be loaded (no missing symbols) and its functionality executed (I could
>> > even provide some OOo basic code that directly uses the UNO component in
>> > that library).
>> >
>> > There is a document to test the actual vulnerability, but it is only
>> > accessible to members of the AOO security mailing list (due to the
>> > obvious reasons). I quote a mail from the development mailing list:
>> >
>> >
>> >> For #3, I'm sure many of us can help.  We have a proof of concept file
>> >> that shows the exploit that we can test against, but we need to take
>> >> extreme measures to ensure that file is not publicly disclosed.
>> >
>> > I tested on
>> >
>> > Fedora 16 - 64 bits
>> > Ubuntu 11.10 (Oneiric Ocelot) - 64 bits
>> > Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits
>> >
>> > The problem is that I couldn't reproduce the issue: OOo 3.3 simply
>> > *crashes* when trying to open the bug document lin.odt (the report says
>> > it should perform some malicious actions).
>> >
>> > The good news is that replacing the old library with the patched library
>> > solves the crash, and does not reproduce the vulnerability issue.
>> >
>> > I am not sure if anyone has been able to reproduce the issue on Linux
>> > with OOo 3.3. Maybe we can give you the file to test it, it would be
>> > nice to have someone else testing it. If someone knows we are able to do
>> > so, please let us know.
>> >
>>
>> Absolutely not.  The test exploit file must *not* be shared.
>
> That's what I guessed. So how will we proceed? I couldn't reproduce the
> exploit in any of the three distros I tried, OOo 3.3 only crashes but
> does not exploit as expected.
>

This is the kind of thing we should probably discuss on the ooo-security list.

-Rob

> We have the solution (the library from AOO RC1 can be used as
> a replacement), but IMO we need some more testing with the test exploit
> file.
>
>
> Regards
> --
> Ariel Constenla-Haile
> La Plata, Argentina
