138545 2006-06-29 21:34 0000 app-office/openoffice <2.0.3 - multiple vulnerabilities (CVE-2006-2199, CVE-2006-2198, CVE-2006-3117) 2006-07-28 13:51:21 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Other RESOLVED FIXED http://www.openoffice.org/security/bulletin-20060629.html A2 [glsa] jaervosz P2 major --- 1 chazefroy@gmail.com security@gentoo.org bugzilla@lourdas.name eselect@gentoo.org jakuhr-linux@gmx.de jesus.de.santos@gmail.com jon@severinsson.net maekke@gentoo.org openoffice@gentoo.org rockoo@gmail.com sgtphou@fire-eyes.org siryes@gmail.com chazefroy@gmail.com 2006-06-29 21:34:39 0000 * performance improvements: for example, a 23 percent improvement in certain Calc benchmarks * further improvements to file format compatibility with Microsoft Office files * new email integration features for users wanting to send emails in Microsoft file formats * more control over how exported PDF documents will display when opened in a PDF reader * support for more languages and improvements in hyphenation and thesaurus * support for Intel architecture for Mac OS X plus improved Mac OS X System integration * built-in check for updated versions solar@gentoo.org 2006-06-29 23:09:37 0000 Youi left out the most important part from the release notes.. We also recommend OpenOffice.org 2.0.3 because it includes important security fixes. These have not been exploited but all users of any prior version of OpenOffice.org are urged to download 2.0.3. A standalone patch will be available soon. anpereir@gentoo.org 2006-06-29 23:15:42 0000 http://www.openoffice.org/security/bulletin-20060629.html Security Bulletin 2006-06-29 OpenOffice.org 2.0.3 fixes three security vulnerabilites that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly. The three vulnerabilities involve: * Java Applets, CVE-2006-2199 * Macro, CVE-2006-2198; and * File Format, CVE-2006-3117 anpereir@gentoo.org 2006-06-29 23:20:31 0000 *** Bug 138546 has been marked as a duplicate of this bug. *** anpereir@gentoo.org 2006-06-29 23:21:25 0000 *** Bug 138547 has been marked as a duplicate of this bug. *** jakub@gentoo.org 2006-06-30 03:39:53 0000 *** Bug 138567 has been marked as a duplicate of this bug. *** carlo@gentoo.org 2006-06-30 04:35:29 0000 cc maintainers jaervosz@gentoo.org 2006-06-30 08:07:17 0000 openoffice please provide updated ebuilds. jon@severinsson.net 2006-06-30 13:35:06 0000 And 2.0.3 is supposed to work out-of-the box as native amd64! I want ;) suka@gentoo.org 2006-07-01 00:11:01 0000 Just got back from GUADEC, so give me some time to get back on speed. Anyway, openoffice-bin should be done soon, source-built version could take a little longer, as ooo-build didn't provide a release until now (though there is one for RC7 which I could maybe use, didn't check until now). suka@gentoo.org 2006-07-02 22:57:37 0000 New version of openoffice-bin and openoffice are in now, please test accordingly jaervosz@gentoo.org 2006-07-03 00:46:06 0000 Thx Andreas. Arches please test and mark stable. weeve@gentoo.org 2006-07-04 17:42:36 0000 This will also cause eselect-1.0.2 to go stable. Might want to verify with those folks that they are ready for it. pylon@gentoo.org 2006-07-05 00:49:09 0000 Stable on ppc. suka@gentoo.org 2006-07-05 01:01:09 0000 (In reply to comment #12) > This will also cause eselect-1.0.2 to go stable. Might want to verify with > those folks that they are ready for it. > And also: eselect-oodict and all the myspell dictionaries, otherwise the users won't have the possibility to spell check anymore. Both should be straightforward though. jaervosz@gentoo.org 2006-07-05 02:36:37 0000 CC'ing eselect. weeve@gentoo.org 2006-07-06 08:45:31 0000 SPARC is ready to go stable once we hear from the eselect folks. rapsure@sfcn.org 2006-07-08 23:16:30 0000 eselect and oodict don't work on AMD64, so openoffice-bin and a multilib install on AMD64 don't have spellcheck, and this prevents me from using openoffice-bin 2.0.3 suka@gentoo.org 2006-07-08 23:41:14 0000 (In reply to comment #17) > eselect and oodict don't work on AMD64, so openoffice-bin and a multilib > install on AMD64 don't have spellcheck, and this prevents me from using > openoffice-bin 2.0.3 > That has already been fixed yesterday, do an emerge sync and try again kugelfang@gentoo.org 2006-07-11 01:53:46 0000 Eselect team is fine with stabling 1.0.2. 1.0.3 is no option as it's still in p.mask due to one unported module. gustavoz@gentoo.org 2006-07-12 06:13:24 0000 sparc stable. suka@gentoo.org 2006-07-14 04:52:05 0000 @x86, AMD-64-herd: At least openoffice-bin should be trivial to mark stable, so any hope in getting this done soonish? suka@gentoo.org 2006-07-14 04:54:42 0000 Hmm, obviously both amd64 and x86-herds were never added, done this now. btw, as the title does not point this out: This security issues affects both openoffice and openoffice-bin fauli@gentoo.org 2006-07-14 05:55:25 0000 1) -bin emerges fine 2) QA: there are a lot of textrels...should I post the log? 3) tested some functions in writer, impress and calc (import of MS documents e.g.) -> works Sorry no time to test the normal build...am leaving for the weekend soon. suka@gentoo.org 2006-07-14 10:22:02 0000 (In reply to comment #23) > 2) QA: there are a lot of textrels...should I post the log? No, those are known. But as we use the upstream binary, there is nothing we can do about it anyway metalgod@gentoo.org 2006-07-14 19:02:31 0000 amd64 stable metalgod@gentoo.org 2006-07-14 19:04:09 0000 (In reply to comment #8) > And 2.0.3 is supposed to work out-of-the box as native amd64! > I want ;) > regarding to this comment i didn't tried to build from source afaik it doesn't work. But for somehow it works please cc amd64 team or me so we can start testing it and keyword. Thanks maekke@gentoo.org 2006-07-15 07:10:21 0000 I tried building it on x86 (with USE="firefox"), but it failed because dev-libs/nspr-4.6.2 is needed (stable version is 4.6.1-r2). See bug #139453. jesus.de.santos@gmail.com 2006-07-15 09:32:00 0000 x86 here. After several hours compiling it works fine with this options: [ebuild R ] app-office/openoffice-2.0.3 USE="eds gnome gtk pam xml -binfilter -cairo -debug -firefox -java -kde -ldap -mono -odk" LINGUAS="-af -ar -be_BY -bg -bn -bs -ca -cs -cy -da -de -el -en -en_GB -en_US -en_ZA -es -et -fa -fi -fr -gu_IN -he -hi_IN -hr -hu -it -ja -km -ko -lt -mk -nb -nl -nn -nr -ns -pa_IN -pl -pt -pt_BR -ru -rw -sh_YU -sk -sl -sr_CS -st -sv -sw_TZ -th -tn -tr -ts -vi -xh -zh_CN -zh_TW -zu" 0 kB I have tested each module (write, presentation...) tsunam@gentoo.org 2006-07-15 15:58:13 0000 x86 is done after many hours of compiling :( >^.^< suka@gentoo.org 2006-07-15 23:35:59 0000 I've removed the vulnerable versions now from the tree, so I think we should be fine for the GLSA Reopening as this is really not fixed until this is issued wolf31o2@gentoo.org 2006-07-16 08:31:10 0000 Updated in the 2006.1 snapshot, so I'm removing release@gentoo.org suka@gentoo.org 2006-07-18 10:39:48 0000 So what is keeping the GLSA from being issued? jaervosz@gentoo.org 2006-07-22 13:16:55 0000 Just returning from vacation, I'll look into it tomorrow. dercorny@gentoo.org 2006-07-28 13:51:21 0000 GLSA 200607-12 Finally. Thanks everybody!