OpenOffice.org 2.0 and earlier, when hyperlinks have been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings.
openoffice please provide fixed ebuilds, thanks.
(In reply to comment #1)
> openoffice please provide fixed ebuilds, thanks.
We already did, some two months ago, in the form of openoffice-2.0.1 ;) This is stable on all archs, so I don't quite see what the issue is here.
(In reply to comment #2)
> We already did, some two months ago, in the form of openoffice-2.0.1 ;) This is
> stable on all archs, so I don't quite see what the issue is here.
Sorry if I missed that, but I did not find any related security bug. Is the latest OOo 1.x fixed as well?
(In reply to comment #3)
> (In reply to comment #2)
> > We already did, some two months ago, in the form of openoffice-2.0.1 ;) This is
> > stable on all archs, so I don't quite see what the issue is here.
>
> Sorry if I missed that, but I did not find any related security bug. Is the
> latest OOo 1.x fixed as well?
Yes, there was never any (security bug); it seems the OOo devs did not issue one (and I didn't see it either, unfortunately, as it was "hidden" as a "normal" bug fix in the release notes, see http://development.openoffice.org/releases/2.0.1.html ).
About 1.x: Just checked, this version is still vulnerable. The only ebuild left from OOo 1.x is openoffice-bin-1.1.5. I'm going to pull it from portage, as 1) we have more recent versions stable on all platforms anyway and 2) there is no way to fix this for us, as we are relying on the binary from upstream (and it is quite unlikely that they will provide a fix).
I've pulled openoffice-bin-1.1.5 now, so we should be fine
ok, I rated this C4 (-> no glsa) and all affected packages are either removed or fixed, so security is done here and I'm closing the bug as resolved fixed. As always, feel free to reopen if you disagree.