181921 2007-06-13 15:25 0000 app-office/openoffice < 2.2.1 - heap oveflow in rtf parsing routines (CVE-2007-0245) 2007-07-23 15:43:04 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00065.html B2 [glsa+] jaervosz P2 normal --- 1 carlo@gentoo.org security@gentoo.org openoffice@gentoo.org carlo@gentoo.org 2007-06-13 15:25:31 0000 John Heasman discovered a heap overflow in the routines of OpenOffice.org that parse RTF files. A specially crafted RTF file could cause the filter to overwrite data on the heap, which may lead to the execution of arbitrary code. http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00065.html carlo@gentoo.org 2007-06-13 15:28:01 0000 Uh, binary package is affected as well of course. jaervosz@gentoo.org 2007-06-13 19:24:38 0000 Handling -bin on bug #181773. openoffice is 2.2.1 ready for stable marking? suka@gentoo.org 2007-06-14 09:18:03 0000 (In reply to comment #2) > > openoffice is 2.2.1 ready for stable marking? > I guess so, 2.2.1 is just a bugfix release for 2.2 which has been in portage for quite some time and should be ready. Dependencies should be fine with one exception: We have an optional dep on >=mono-1.2.3-r1 which is not yet marked stable anywhere. jaervosz@gentoo.org 2007-06-14 15:23:09 0000 ppc and x86 please test and mark stable. fauli@gentoo.org 2007-06-14 16:50:25 0000 Which mono version is recommended? 1.2.4 will hit the 30 days on 16th and I found no relevant bugs but bug 178841, and I don't know how severe it is. dev-dotnet/ligbdiplus is affected, too. 1.2.3 or .4? suka@gentoo.org 2007-06-14 20:09:31 0000 (In reply to comment #5) > Which mono version is recommended? 1.2.4 will hit the 30 days on 16th and I > found no relevant bugs but bug 178841, and I don't know how severe it is. > > dev-dotnet/ligbdiplus is affected, too. 1.2.3 or .4? > AFAIK everything from 1.2.3 on should be fine. Anyway: Another possible solution would be to just put an ebuild without mono-support in the tree, it's really nothing very relevant to OOo atm, so I guess that would be the easiest solution. fauli@gentoo.org 2007-06-15 08:12:04 0000 It fails on x86, build.log to be found at http://dev.gentoo.org/~opfer/build-ooo.log.bz2 suka@gentoo.org 2007-06-15 09:16:05 0000 (In reply to comment #7) > It fails on x86, build.log to be found at > http://dev.gentoo.org/~opfer/build-ooo.log.bz2 > Are you sure you didn't run out of disk space? At least that's what your build log says... ;) Builds fine here btw. fauli@gentoo.org 2007-06-16 04:06:25 0000 (In reply to comment #8) > Are you sure you didn't run out of disk space? At least that's what your build > log says... ;) Never post build failures just after getting up. > Builds fine here btw. In the end here, too. x86 stable, removing dotnet team as well dertobi123@gentoo.org 2007-06-16 12:00:09 0000 ppc stable suka@gentoo.org 2007-06-16 13:24:31 0000 I've removed the vulnerable ebuilds from the tree py@gentoo.org 2007-07-23 15:43:04 0000 hmm actually this one was also solved with GLSA 200707-02. Thanks everybody!