openoffice --- document disclosure
Joe Marcus Clarke
marcus at marcuscom.com
Tue Sep 14 15:05:04 PDT 2004
NAKATA Maho wrote:
| In Message-ID: <20040914022410.GA83483 at madman.celabo.org>
| "Jacques A. Vidrine" <nectar at FreeBSD.org> wrote:
|
| Hello nectar, and portmgr
|
| portmgr: I would like to fix this problem as soon as possible,
| I confirmed that this security vulnerability was fixed with patch.
| please approve
| o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir
| change Makefile to:
| o fcvs diff -u Makefile
| Index: Makefile
| ===================================================================
| RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v
| retrieving revision 1.164
| diff -u -r1.164 Makefile
| --- Makefile 31 Aug 2004 12:09:57 -0000 1.164
| +++ Makefile 14 Sep 2004 21:42:23 -0000
| @@ -36,6 +36,8 @@
| USE_BISON= yes
| USE_GMAKE= yes
| USE_REINPLACE= yes
| +#mozilla 1.0 seems to have security vulnerability
| +WITHOUT_MOZILLA= yes
|
| .if !defined(WITHOUT_JAVA)
| USE_JAVA= 1.4+
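Review bot: the comment above the added WITHOUT_MOZILLA= yes line does not say which vulnerability it refers to or that the setting is temporary, although the message says it is meant "for a while". Cite the portaudit entries in the comment and state the condition for removing it. The assignment is also unconditional, so every build loses the Mozilla components; if that is intended, say so in the comment, otherwise guard it so it can be overridden.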
|
| ----------------------------------------------------------------------
|
|>This issue seems reasonably serious to me:
|>http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html
|
| okay. thank you very much for your report.
|
| One point.
| Affected packages
| 0 <= ar-openoffice
| 0 <= ca-openoffice
| 0 <= cs-openoffice
| 0 <= de-openoffice
| 0 <= dk-openoffice
| 0 <= el-openoffice
| 0 <= es-openoffice
| 0 <= et-openoffice
| 0 <= fi-openoffice
| 0 <= fr-openoffice
| 0 <= gr-openoffice
| 0 <= hu-openoffice
| 0 <= it-openoffice
| 0 <= ja-openoffice
| 0 <= ko-openoffice
| 0 <= nl-openoffice
| 0 <= openoffice
| 0 <= pl-openoffice
| 0 <= pt-openoffice
| 0 <= pt_BR-openoffice
| 0 <= ru-openoffice
| 0 <= se-openoffice
| 0 <= sk-openoffice
| 0 <= sl-openoffice-SI
| 0 <= tr-openoffice
| 0 <= zh-openoffice-CN
| 0 <= zh-openoffice-TW
|
| openoffice and not openoffice-1.1?
| I think they should be *-openoffice-1.1-*.
| Currently I don't want to maintain OOo 1.0.3 ports since
| they should be obsoleted, also openoffice-1.0 might not
| build for 5.3-RELEASE since there is a change in make(1).
|
|
|>Is it possible to have the OpenOffice ports patched before 5.3-RELEASE?
|
|
| I will commit the patch (slightly changed, though) by mmeeks
| at the IZ: http://www.openoffice.org/issues/show_bug.cgi?id=33357
|
| This patch was committed and confirmed that this risk is avoided.
| 1. Launch OpenOffice.
| 2. List /tmp contents. Locate the directory 'sv*.tmp'
| 3. Type in some contents in the document and save it.
| 4. List the contents of the directory /tmp/sv*.tmp/
| 5. Do not close OpenOffice. 'su' to a different user.
| 6. Copy the file under /tmp/sv*.tmp/ to home directory.
| -> Now Permission denied.
|
| BTW:
| OOo uses mozilla 1.0 runtime, and it also has a security vulnerability.
| portaudit tells and some discussions somewhere at openoffice at freebsd.org
| and freebsd-users-jp at jp.freebsd.org (in Japanese).
| I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also.
Approved.
Joe
|
|
| http://www.FreeBSD.org/ports/portaudit/730db824-e216-11d8-9b0a-000347a4fa7d.html
| http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html
| http://www.FreeBSD.org/ports/portaudit/abe47a5a-e23c-11d8-9b0a-000347a4fa7d.html
|
| Best regards,
| --nakata maho
|
|
--
PGP Key : http://www.marcuscom.com/pgp.asc
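
Added example, not part of the original message or of the OpenOffice port: the manual check in steps 2 to 6 of the quoted message can be approximated without switching users by inspecting the modes of the sv*.tmp directories and the files in them. The function names, the default /tmp argument and the choice to treat any group/other permission bit as exposure are assumptions of this example.

```shell
#!/bin/sh
# Added example: report sv*.tmp directories (the pattern named in the
# verification steps) whose mode lets other local users reach their contents.
# Function names and the "any group/other bit" rule are assumptions.

# True if path $1 grants any permission bit to group or other.
# Uses only POSIX find primaries so it behaves the same on FreeBSD and Linux.
open_to_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Print one line per finding under base directory $1 (default /tmp).
# Returns 0 if nothing is exposed, 1 if at least one directory is.
audit_sv_tmp() {
    base=${1:-/tmp}
    found=0
    for d in "$base"/sv*.tmp; do
        # Skip an unmatched glob and symlinks placed by other users.
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        if open_to_others "$d"; then
            echo "EXPOSED dir  $d"
            found=1
            # Files are only reachable through an open directory,
            # so their modes matter only in this branch.
            for f in "$d"/*; do
                [ -f "$f" ] && [ ! -L "$f" ] || continue
                if open_to_others "$f"; then
                    echo "EXPOSED file $f"
                fi
            done
        fi
    done
    [ "$found" -eq 0 ]
}
```

Run audit_sv_tmp /tmp while the application has a document open; a patched build should produce no output and return 0.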
More information about the freebsd-openoffice
mailing list