Date: Sun, 29 Apr 2012 17:11:30 -0400
Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
From: Rob Weir
To: ooo-users@incubator.apache.org

On Sun, Apr 29, 2012 at 5:09 PM, Ariel Constenla-Haile wrote:
> On Sun, Apr 29, 2012 at 04:42:22PM -0400, Rob Weir wrote:
>> >> >> The library is inside the following package:
>> >> >> 64 bits: ooobasis3.4-core05_3.4.0-1_amd64.deb
>> >> >> 32 bits: ooobasis3.4-core05_3.4.0-1_i386.deb
>> >> >
>> >> > Excellent! Got them both and so far nothing has blown up in 3.3.0 (32
>> >> > bit and 64 bit) :-) Thanks.
>> >> ...
>> >>
>> >> No crashes etc. Is there a way that I can test to see if this
>> >> modification actually is working?
>> >
>> > A general test, like the one you performed, tests that the library can
>> > be loaded (no missing symbols) and its functionality executed (I could
>> > even provide some OOo basic code that directly uses the UNO component in
>> > that library).
>> >
>> > There is a document to test the actual vulnerability, but it is only
>> > accessible to members of the AOO security mailing list (due to the
>> > obvious reasons). I quote a mail from the development mailing list:
>> >
>> >
>> >> For #3, I'm sure many of us can help. We have a proof of concept file
>> >> that shows the exploit that we can test against, but we need to take
>> >> extreme measures to ensure that file is not publicly disclosed.
>> >
>> > I tested on
>> >
>> > Fedora 16 - 64 bits
>> > Ubuntu 11.10 (Oneiric Ocelot) - 64 bits
>> > Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits
>> >
>> > The problem is that I couldn't reproduce the issue: OOo 3.3 simply
>> > *crashes* when trying to open the bug document lin.odt (the report says
>> > it should perform some malicious actions).
>> >
>> > The good news is that replacing the old library with the patched library
>> > solves the crash, and does not reproduce the vulnerability issue.
>> >
>> > I am not sure if anyone has been able to reproduce the issue on Linux
>> > with OOo 3.3. Maybe we can give you the file to test it, it would be
>> > nice to have someone else testing it.
>> > If someone knows we are able to do
>> > so, please let us know.
>> >
>>
>> Absolutely not. The test exploit file must *not* be shared.
>
> That's what I guessed. So how will we proceed? I couldn't reproduce the
> exploit in any of the three distros I tried, OOo 3.3 only crashes but
> does not exploit as expected.
>

This is the kind of thing we should probably discuss on the ooo-security list.

-Rob

> We have the solution (the library from AOO RC1 can be used as
> a replacement), but IMO we need some more testing with the test exploit
> file.
>
>
> Regards
> --
> Ariel Constenla-Haile
> La Plata, Argentina