From: Ariel Constenla-Haile
To: ooo-users@incubator.apache.org
Date: Mon, 23 Apr 2012 18:00:59 -0300
Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Message-ID: <20120423210059.GA23187@localhost>
References: <1332502617.21672.20.camel@dan-ubuntu> <4F6CCCE3.2080302@sbcglobal.net> <3F211FCA-D9E0-4A72-B702-5334F3A1A6A7@comcast.net> <4F6CE71A.4020407@sbcglobal.net> <003101cd1dd9$f63ddad0$e2b99070$@acm.org> <01a901cd1e54$4ac6ef90$e054ceb0$@acm.org> <005501cd2084$980811d0$c8183570$@acm.org>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: ooo-users@incubator.apache.org (ooo-users-help@incubator.apache.org)
Hi Gary, *,

a little background: I'm the one who is currently building the RC Linux packages.

On Mon, Apr 23, 2012 at 11:58:36AM -0700, NoOp wrote:
> On 04/22/2012 05:36 AM, Dennis E. Hamilton wrote:
> > Although free-standing Linux patches remain unavailable for
> > pre-Apache OpenOffice distributions, a platform distribution
> > containing the repair has appeared.
> >
> > Here is how the Mandriva update was announced:
> >
> > Mandriva issued patched versions of their supported distributions
> > for OpenOffice.org, LibreOffice, and the common library that is the
> > source of the vulnerability. There are separate Mandriva advisories
> > for each.
> >
> > - Dennis
> ...
> Good for them. They distributed those versions of OOo & have taken a
> responsible action. Just as Mandriva distributed those versions to
> users, OOo (now AOO) distributed OpenOffice.org 3.3 and 3.4 Beta (and
> earlier), on all platforms: the ones with the existing vulnerability.
>
> AOO continue to distribute 3.3.0, (3.2.1, 3.2.0 for some languages):
> http://www.openoffice.org/download/other.html
>
> So we must assume that *all* of those versions on that page have been
> patched...

AFAIK Windows and MacOS versions are not patched.

> otherwise AOO continue to provide packages with an 'important'
> security vulnerability. Based on that 'assumption', I'll download &
> reinstall 3.3.0 from that page & reinstall over my existing OOo 3.3.0
> (deb, rpm, and Windows) versions. I'll then have a fully patched 3.3.0
> version... right?
>
> If that is not the case, then I suggest that AOO
> either pull those versions that have not been patched, or at the very
> least provide a strong warning that the code has an 'important' security
> vulnerability, on the download pages:
> http://www.openoffice.org/download/index.html
> http://www.openoffice.org/download/other.html
> and any other place where the program can be downloaded from directly
> (i.e., SF).
>
> A "responsible" distributor of such code might take a hint from:
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
> "Java SE 6 Update 31
> This release includes security fixes. Learn more"
> and only provide unpatched code in a different location, with a warning:
> http://www.oracle.com/technetwork/java/archive-139210.html
> "WARNING: These older versions of the JRE and JDK are provided to help
> developers debug issues in older systems. They are not updated with the
> latest security patches and are not recommended for use in production."

Warning: I did little testing on the following, so back up the library (and your data) before doing your own tests.

AFAIK the solution is rather simple, because the library with the vulnerability is a UNO component, so it uses stable interfaces: you can simply copy the library from the AOO RC1 into your OOo 3.3 installation.

The library is /opt/openoffice.org/basis3.4/program/libunordf.so

Note that libraries in Linux used to have a postfix that was removed in AOO, so adjust the library name (and before, do a backup):

Do the back-up:

Linux 64 bits:
]$ sudo mv /opt/openoffice.org/basis3.3/program/libunordflx.so /opt/openoffice.org/basis3.3/program/libunordflx.so.bk

Linux 32 bits:
]$ sudo mv /opt/openoffice.org/basis3.3/program/libunordfli.so /opt/openoffice.org/basis3.3/program/libunordfli.so.bk

Copy the library:

In Linux 64 bits
]$ sudo cp -fv libunordf.so /opt/openoffice.org/basis3.3/program/libunordflx.so

In Linux 32 bits
]$ sudo cp -fv libunordf.so /opt/openoffice.org/basis3.3/program/libunordfli.so

My tests worked fine on Linux 32 and 64 bits. More people testing is welcome.

Regards
--
Ariel Constenla-Haile
La Plata, Argentina
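The back-up-then-copy procedure from the mail above, written as an added shell helper (not from the mail, the sender, or the Apache OpenOffice project). It adds the checks a careful operator would want before touching a system-wide install: it picks the OOo 3.3 postfix from the machine type (the "lx" for 64-bit and "li" for 32-bit mapping is taken from the mail), refuses to run if the original library or the new one is missing, refuses to overwrite an existing .bk backup so a second run cannot destroy the only copy of the original, verifies the copied file byte-for-byte with cksum, and provides a rollback. The installation paths are only those the mail quotes; on another layout pass your own directories.

```sh
#!/bin/sh
# Added example (not from the mail or from Apache OpenOffice): wrap the
# manual "move the old library aside, copy the new one in" steps in
# checked functions. Assumptions, both taken from the mail: the OOo 3.3
# library carries the postfix "lx" (x86_64) or "li" (32-bit x86), and
# the backup copy uses the ".bk" extension.

# Map a machine type (default: uname -m) to the OOo 3.3 library postfix.
oo33_suffix() {
    os_machine=${1:-$(uname -m)}
    case "$os_machine" in
        x86_64|amd64) echo lx ;;
        i?86)         echo li ;;
        *) echo "unsupported machine type: $os_machine" >&2; return 1 ;;
    esac
}

# patch_unordf NEW_LIB PROGRAM_DIR SUFFIX
# Moves PROGRAM_DIR/libunordf<SUFFIX>.so to a .bk backup (never
# overwriting an existing backup) and copies NEW_LIB into its place.
patch_unordf() {
    pu_src=$1
    pu_target="$2/libunordf$3.so"
    if [ ! -f "$pu_src" ]; then
        echo "new library not found: $pu_src" >&2; return 1
    fi
    if [ ! -f "$pu_target" ]; then
        echo "installed library not found: $pu_target" >&2; return 1
    fi
    if [ -e "$pu_target.bk" ]; then
        echo "backup exists, refusing to overwrite: $pu_target.bk" >&2; return 1
    fi
    mv "$pu_target" "$pu_target.bk" || return 1
    cp -f "$pu_src" "$pu_target"    || return 1
    # Confirm the installed file is identical to the source (CRC and size).
    if [ "$(cksum < "$pu_src")" != "$(cksum < "$pu_target")" ]; then
        echo "verification failed: $pu_target differs from $pu_src" >&2; return 1
    fi
}

# restore_unordf PROGRAM_DIR SUFFIX
# Rolls back to the .bk copy made by patch_unordf.
restore_unordf() {
    ru_target="$1/libunordf$2.so"
    if [ ! -f "$ru_target.bk" ]; then
        echo "no backup at $ru_target.bk" >&2; return 1
    fi
    mv -f "$ru_target.bk" "$ru_target"
}
```

Usage, with the paths from the mail and after unpacking the RC so that libunordf.so is in the current directory: source the file and run `sudo sh -c '. ./patch-unordf.sh; patch_unordf ./libunordf.so /opt/openoffice.org/basis3.3/program "$(oo33_suffix)"'`; `restore_unordf /opt/openoffice.org/basis3.3/program "$(oo33_suffix)"` puts the original back. The file name patch-unordf.sh is an assumption.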