openoffice --- document disclosure

Jacques A. Vidrine nectar at FreeBSD.org
Tue Sep 14 16:29:26 PDT 2004


On Wed, Sep 15, 2004 at 06:42:58AM +0900, NAKATA Maho wrote:
> In Message-ID: <20040914022410.GA83483 at madman.celabo.org> 
> "Jacques A. Vidrine" <nectar at FreeBSD.org> wrote:
> 
> Hello nectar, and portmgr
> 
> portmger: I would like to fix this problem as soon as possible,
> I confirmed that this security vulenrablity was fixed with patch.
> please approve 
> o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir
> change Makefile to:
> o fcvs diff -u Makefile
> Index: Makefile
> ===================================================================
> RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v
> retrieving revision 1.164
> diff -u -r1.164 Makefile
> --- Makefile    31 Aug 2004 12:09:57 -0000      1.164
> +++ Makefile    14 Sep 2004 21:42:23 -0000
> @@ -36,6 +36,8 @@
>  USE_BISON=     yes
>  USE_GMAKE=     yes
>  USE_REINPLACE= yes
> +#mozilla 1.0 seems to have security vulnerability
> +WITHOUT_MOZILLA=       yes
>  
>  .if !defined(WITHOUT_JAVA)
>  USE_JAVA=      1.4+
> 
> ----------------------------------------------------------------------
> > This issue seems reasonably serious to me:
> > http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html
> okay. thank you very much for your report.

And thanks very much for handling!

> 
> One point.
> Affected packages
> 0 	<= 	ar-openoffice
> 0 	<= 	ca-openoffice
> 0 	<= 	cs-openoffice
> 0 	<= 	de-openoffice
> 0 	<= 	dk-openoffice
> 0 	<= 	el-openoffice
> 0 	<= 	es-openoffice
> 0 	<= 	et-openoffice
> 0 	<= 	fi-openoffice
> 0 	<= 	fr-openoffice
> 0 	<= 	gr-openoffice
> 0 	<= 	hu-openoffice
> 0 	<= 	it-openoffice
> 0 	<= 	ja-openoffice
> 0 	<= 	ko-openoffice
> 0 	<= 	nl-openoffice
> 0 	<= 	openoffice
> 0 	<= 	pl-openoffice
> 0 	<= 	pt-openoffice
> 0 	<= 	pt_BR-openoffice
> 0 	<= 	ru-openoffice
> 0 	<= 	se-openoffice
> 0 	<= 	sk-openoffice
> 0 	<= 	sl-openoffice-SI
> 0 	<= 	tr-openoffice
> 0 	<= 	zh-openoffice-CN
> 0 	<= 	zh-openoffice-TW
> 
> openoffice and not openoffice-1.1?
> I think they should be *-openoffice-1.1-*.
> Currently I don't want to maintain OOo 1.0.3 ports since
> they shoule be obsolated, also openoffice-1.0 might not
> build for 5.3-RELEASE since there is a change in make(1).

Actually there are so many version in the ports tree that I'm not sure
that they are all covered.  Assistance here would be appreciated.  If
you are not going to correct OOo 1.0.3, that's fine... we just need to
make sure that we do specify the *corrected* version numbers.  e.g., I
guess now that you have committed a fix, you must bump PORTREVISION
and the VuXML entry needs to be changed to `< 1.1.2_1' for the
appropriate ports.

Which packages are affected by your commit?  Obviously `openoffice', but
which language specific ones?  All of them?

> > Is it possible to have the OpenOffice ports patched before 5.3-RELEASE?
> 
> I will commit the patch (slightly changed, though) by mmeeks
> at the IZ: http://www.openoffice.org/issues/show_bug.cgi?id=33357
> 
> This patch was committed and confirmed that this risk is avoided.
> 1. Launch OpenOffice.
> 2. List /tmp contents. Locate the directory 'sv*.tmp'
> 3. Type in some contents in the document and save it.
> 4. List the contents of the directory /tmp/sv*.tmp/
> 5. Do not close OpenOffice. 'su' to a different user.
> 6. Copy the file under /tmp/sv*.tmp/ to home directory.
> -> Now Permission denied.
> 
> BTW:
> OOo uses mozilla 1.0 runtime, and it also has security vulnerability.
> portsaudit tells and some discussios somewhere at opneoffice at freebsd.org
> and freebsd-users-jp at jp.freebsd.org (in Japanese).
> I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also.

Hmm, OK.  Yesterday I entered VuXML information about several Mozilla
vulnerabilities that affected many different version of Mozilla.  I
also know of about 8 more that I've yet to document.  It will be
difficult to determine which of these actually affect OpenOffice, so
it may be best to fix them...

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar at celabo.org / jvidrine at verio.net / nectar at FreeBSD.org


More information about the freebsd-openoffice mailing list