To: ooo-users@incubator.apache.org
From: NoOp
Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date: Mon, 23 Apr 2012 19:06:44 -0700

On 04/23/2012 02:00 PM, Ariel Constenla-Haile wrote:
...
>
> Warning: I did little testing on the following, so back up the library
> (and your data) before doing your own tests.
>
> AFAIK the solution is rather simple, because the library with the
> vulnerability is a UNO component, so it uses stable interfaces: you can
> simply copy the library from the AOO RC1 in your OOo 3.3 installation.
> The library is /opt/openoffice.org/basis3.4/program/libunordf.so
>
> Note that libraries in Linux used to have a postfix that was removed in
> AOO, so adjust the library name (and before, do a backup):
>
>
> Do the back-up:
> Linux 64 bits:
> ]$ sudo mv /opt/openoffice.org/basis3.3/program/libunordflx.so /opt/openoffice.org/basis3.3/program/libunordflx.so.bk
> Linux 32 bits:
> ]$ sudo mv /opt/openoffice.org/basis3.3/program/libunordfli.so /opt/openoffice.org/basis3.3/program/libunordfli.so.bk
>
> Copy the library:
> In Linux 64 bits
> ]$ sudo cp -fv libunordf.so /opt/openoffice.org/basis3.3/program/libunordflx.so
> In Linux 32 bits
> ]$ sudo cp -fv libunordf.so /opt/openoffice.org/basis3.3/program/libunordfli.so
>
> My tests worked fine on Linux 32 and 64 bits.
> More people testing is welcome.

Thanks Ariel! I'll try to test tomorrow. Currently the 3.4 versions:
install into the same location as OOo 3.3.0 (/opt/openoffice.org3)
instead of /opt/openoffice.org3.4/. So, I'll need to do complete parallel
installs in order to test properly.

Note: I could just as easily extract the .so from the .deb if I knew
which one(s).

Gary
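
The backup-and-copy steps quoted above, wrapped as a shell function with a guard against clobbering the backup and a rollback if the copy fails. This is an added example, not part of the original message or of any OpenOffice tooling; the function name `swap_rdf_lib` and its exit codes are made up for illustration, while the library names and the `.bk` suffix are those in the quoted commands.

```shell
#!/bin/sh
# Added example (hypothetical helper, not project code).
# swap_rdf_lib NEW_LIB PROGRAM_DIR
#   NEW_LIB      libunordf.so taken from the AOO RC1 installation
#   PROGRAM_DIR  e.g. /opt/openoffice.org/basis3.3/program
# Run it with the privileges needed to write to PROGRAM_DIR.
swap_rdf_lib() {
    new_lib=$1
    prog_dir=$2

    [ -f "$new_lib" ] || { echo "missing replacement: $new_lib" >&2; return 2; }

    # OOo 3.3 names carry a postfix: lx = Linux 64 bits, li = Linux 32 bits.
    target=
    for name in libunordflx.so libunordfli.so; do
        if [ -f "$prog_dir/$name" ]; then
            target=$prog_dir/$name
            break
        fi
    done
    [ -n "$target" ] || { echo "no libunordf{lx,li}.so in $prog_dir" >&2; return 3; }

    # Never overwrite an earlier backup: after a first run it holds the
    # only copy of the original library.
    if [ -e "$target.bk" ]; then
        echo "backup already exists: $target.bk" >&2
        return 4
    fi

    mv "$target" "$target.bk" || return 5

    # Copy, then confirm the installed file is byte-identical to the source.
    if cp -f "$new_lib" "$target" && cmp -s "$new_lib" "$target"; then
        echo "replaced $target (original kept as $target.bk)"
        return 0
    fi

    # Roll back so the installation is not left without the component.
    echo "copy failed, restoring original" >&2
    rm -f "$target"
    mv "$target.bk" "$target"
    return 6
}
```

To undo the change later, move the `.bk` file back over the replaced library.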