openoffice-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Officially releasing a patch for CVE-2016-1513
Date Fri, 12 Aug 2016 21:48:26 GMT


> -----Original Message-----
> From: Don Lewis [mailto:truckman@apache.org]
> Sent: Friday, August 12, 2016 14:09
> To: dev@openoffice.apache.org
> Cc: dennis.hamilton@acm.org
> Subject: Re: Officially releasing a patch for CVE-2016-1513
> 
> On 12 Aug, Dennis E. Hamilton wrote:
> > Don,
> >
> > Having worked through the 4.1.2-patch1 (CVE-2016-1513 remediation) for
> > Windows, I learned a few more things about what can be done.
[ ... ]
> > [orcmid]
> >
> > There are hashes and a signature for the Zip that contains the patch
> > and any procedure.
> >
> > In the Windows case, the copies of the original distributed tl.dll and
> > the patched one each have detached signatures inside the Zip as well.
> > No hashes have been added there, on the assumption that checking the
> > Zip is good enough.
> 
> That sounds reasonable.  Checking the zip before unpacking is important
> to prevent attacks against zip itself or to prevent unpacking some other
> sort of malware.
> 
> This issue recently came up with FreeBSD, see:
> <http://docs.freebsd.org/cgi/mid.cgi?20160810115813.GA86720>
[orcmid] 

Thanks.  I admire the demonstration of care, and the quality of the responses where concerns
were raised.


[ ... ]
> > Finally, it is not possible to check dates easily using a .bat script
> > on Windows.
> >
> > This is all resolved in the current 0.1.0 beta of the 4.1.2-patch1 for
> > Windows by literally comparing files, rather than checking their dates
> > and it is done without depending on signature computation tools being
> > available on the machine.
> >
> > That's how the procedure determines whether the patch file has already
> > been applied or not.
> 
> That also sounds reasonable.  What tool do you use for the file
> comparison?
[orcmid] 

The File Compare utility, FC, is built into all releases of Microsoft Windows.  It is basically
a standard external command of the cmd.exe console shell.  The .bat scripts use it to silently
compare and then use the result codes to branch depending on what the level of result code
is.

 - Dennis

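The FC-based check described above, as an added illustration that is not the actual 4.1.2-patch1 script: it byte-compares the installed tl.dll against the original and patched reference copies and branches on FC's exit code, also covering the case where the installed file matches neither copy. The install path and the reference file names are assumptions.

```batch
@echo off
setlocal
rem Added example, not the 4.1.2-patch1 script itself. Decide whether the
rem CVE-2016-1513 remediation has already been applied by comparing the
rem installed tl.dll byte-for-byte with known copies using the built-in FC.
rem FC exit codes: 0 = files identical, 1 = files differ,
rem 2 = at least one file could not be opened.
rem The three paths below are assumptions used for illustration only.

set "INSTALLED=%ProgramFiles(x86)%\OpenOffice 4\program\tl.dll"
set "ORIGINAL=%~dp0tl.dll.original"
set "PATCHED=%~dp0tl.dll.patched"

rem Binary compare, silently: discard FC's output and keep only its exit code.
fc /b "%INSTALLED%" "%PATCHED%" >nul 2>&1
rem "if errorlevel N" is true for any code >= N, so test the highest value first.
if errorlevel 2 goto cannot_read
if errorlevel 1 goto not_patched
echo Installed tl.dll already matches the patched copy; nothing to do.
exit /b 0

:not_patched
fc /b "%INSTALLED%" "%ORIGINAL%" >nul 2>&1
if errorlevel 2 goto cannot_read
if errorlevel 1 goto unexpected
echo Installed tl.dll matches the unpatched original; the patch can be applied.
exit /b 10

:unexpected
echo Installed tl.dll matches neither reference copy (other build or already modified); leaving it alone.
exit /b 20

:cannot_read
echo Could not open one of the files; check the paths and permissions.
exit /b 2
```

The distinct exit codes let a calling script apply the patch only in the "matches original" case and stop in every other one.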
