Subject: Re: Cross Script vulnerabilities in AOo Extensions?
To: dev@openoffice.apache.org
From: toki
Date: Thu, 7 Apr 2016 17:25:47 +0000

On 07/04/2016 16:35, Dennis E. Hamilton wrote:
> Multi-component collaborative exploit staging is possible although unnecessary.

Rephrasing: For the time being, at least, one can "safely" ignore this type of exploit, because other vectors are much easier to exploit. Still, for those who are paranoid about security, this is yet another cause for concern, for which they will have to create the appropriate tools to verify the extension is not an exploit.

jonathon