Bug 138545 - app-office/openoffice <2.0.3 - multiple vulnerabilities (CVE-2006-2199, CVE-2006-2198, CVE-2006-3117)
|
Bug#:
138545
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Other
|
Status: RESOLVED
|
Severity: major
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: chazefroy@gmail.com
|
|
Component: Vulnerabilities
|
|
|
URL:
http://www.openoffice.org/security/bulletin-20060629.html
|
|
Summary: app-office/openoffice <2.0.3 - multiple vulnerabilities (CVE-2006-2199, CVE-2006-2198, CVE-2006-3117)
|
|
Keywords:
|
|
Status Whiteboard: A2 [glsa] jaervosz
|
|
Opened: 2006-06-29 21:34 0000
|
* performance improvements: for example, a 23 percent improvement in certain
Calc benchmarks
* further improvements to file format compatibility with Microsoft Office files
* new email integration features for users wanting to send emails in Microsoft
file formats
* more control over how exported PDF documents will display when opened in a
PDF reader
* support for more languages and improvements in hyphenation and thesaurus
* support for Intel architecture for Mac OS X plus improved Mac OS X System
integration
* built-in check for updated versions
Youi left out the most important part from the release notes..
We also recommend OpenOffice.org 2.0.3 because it includes important security
fixes. These have not been exploited but all users of any prior version of
OpenOffice.org are urged to download 2.0.3. A standalone patch will be
available soon.
http://www.openoffice.org/security/bulletin-20060629.html
Security Bulletin 2006-06-29
OpenOffice.org 2.0.3 fixes three security vulnerabilites that have been found
through internal security audits. Although there are currently no known
exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new
version or install their vendor's patches accordingly. Patches for users of
OpenOffice.org 1.1.5 will be available shortly.
The three vulnerabilities involve:
* Java Applets, CVE-2006-2199
* Macro, CVE-2006-2198; and
* File Format, CVE-2006-3117
*** Bug 138546 has been marked as a duplicate of this bug. ***
*** Bug 138547 has been marked as a duplicate of this bug. ***
*** Bug 138567 has been marked as a duplicate of this bug. ***
openoffice please provide updated ebuilds.
And 2.0.3 is supposed to work out-of-the box as native amd64!
I want ;)
Just got back from GUADEC, so give me some time to get back on speed. Anyway,
openoffice-bin should be done soon, source-built version could take a little
longer, as ooo-build didn't provide a release until now (though there is one
for RC7 which I could maybe use, didn't check until now).
New version of openoffice-bin and openoffice are in now, please test
accordingly
Thx Andreas.
Arches please test and mark stable.
This will also cause eselect-1.0.2 to go stable. Might want to verify with
those folks that they are ready for it.
(In reply to comment #12)
> This will also cause eselect-1.0.2 to go stable. Might want to verify with
> those folks that they are ready for it.
>
And also: eselect-oodict and all the myspell dictionaries, otherwise the users
won't have the possibility to spell check anymore. Both should be
straightforward though.
SPARC is ready to go stable once we hear from the eselect folks.
eselect and oodict don't work on AMD64, so openoffice-bin and a multilib
install on AMD64 don't have spellcheck, and this prevents me from using
openoffice-bin 2.0.3
(In reply to comment #17)
> eselect and oodict don't work on AMD64, so openoffice-bin and a multilib
> install on AMD64 don't have spellcheck, and this prevents me from using
> openoffice-bin 2.0.3
>
That has already been fixed yesterday, do an emerge sync and try again
Eselect team is fine with stabling 1.0.2. 1.0.3 is no option as it's still in
p.mask due to one unported module.
@x86, AMD-64-herd: At least openoffice-bin should be trivial to mark stable, so
any hope in getting this done soonish?
Hmm, obviously both amd64 and x86-herds were never added, done this now. btw,
as the title does not point this out: This security issues affects both
openoffice and openoffice-bin
1) -bin emerges fine
2) QA: there are a lot of textrels...should I post the log?
3) tested some functions in writer, impress and calc (import of MS documents
e.g.) -> works
Sorry no time to test the normal build...am leaving for the weekend soon.
(In reply to comment #23)
> 2) QA: there are a lot of textrels...should I post the log?
No, those are known. But as we use the upstream binary, there is nothing we can
do about it anyway
(In reply to comment #8)
> And 2.0.3 is supposed to work out-of-the box as native amd64!
> I want ;)
>
regarding to this comment i didn't tried to build from source afaik it doesn't
work. But for somehow it works please cc amd64 team or me so we can start
testing it and keyword.
Thanks
I tried building it on x86 (with USE="firefox"), but it failed because
dev-libs/nspr-4.6.2 is needed (stable version is 4.6.1-r2). See bug #139453.
x86 here. After several hours compiling it works fine with this options:
[ebuild R ] app-office/openoffice-2.0.3 USE="eds gnome gtk pam xml
-binfilter -cairo -debug -firefox -java -kde -ldap -mono -odk" LINGUAS="-af -ar
-be_BY -bg -bn -bs -ca -cs -cy -da -de -el -en -en_GB -en_US -en_ZA -es -et -fa
-fi -fr -gu_IN -he -hi_IN -hr -hu -it -ja -km -ko -lt -mk -nb -nl -nn -nr -ns
-pa_IN -pl -pt -pt_BR -ru -rw -sh_YU -sk -sl -sr_CS -st -sv -sw_TZ -th -tn -tr
-ts -vi -xh -zh_CN -zh_TW -zu" 0 kB
I have tested each module (write, presentation...)
x86 is done after many hours of compiling :(
>^.^<
I've removed the vulnerable versions now from the tree, so I think we should be
fine for the GLSA
Reopening as this is really not fixed until this is issued
So what is keeping the GLSA from being issued?
Just returning from vacation, I'll look into it tomorrow.
GLSA 200607-12
Finally. Thanks everybody!
