CVE-2010-0136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0136): OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document.
Maintainers, upstream seems to have fixed this issue. Do you want to backport or wait for a new release?
(In reply to comment #1)
> Maintainers, upstream seems to have fixed this issue. Do you want to backport
> or wait for a new release?
There is already a new release (which fixes a couple of other security issues), so I don't think backporting this one fix makes a lot of sense.
Thanks for the fast response. I guess with "new release" you mean 3.2.0. However, although the CVE doesn't mention it, this issue doesn't seem to be fixed in 3.2.0. I suppose 3.2.1 will contain the fix.
(In reply to comment #3)
> Thanks for the fast response. I guess with "new release" you mean 3.2.0.
> However, although the CVE doesn't mention it, this issue doesn't seem to be
> fixed in 3.2.0. I suppose 3.2.1 will contain the fix.
Yes I did talk about 3.2.0. Still: How do you come to the conclusion that 3.2.0 is missing the fix? If yes, that would be really bad, cause we have no way to fix openoffice-bin in this case (unless upstream provides a new binary).
Ok, I really should read the original bug report a little bit closer... Cause basically this bug does not concern us at all. Neither upstream openoffice-bin (=upstream) nor our own build contains VBA macro support atm.
> Still: How do you come to the conclusion that 3.2.0
> is missing the fix?
http://www.openoffice.org/security/bulletin.html. CVE-2010-0136 is not listed there.
> If yes, that would be really bad, cause we have no way to
> fix openoffice-bin in this case (unless upstream provides a new binary)
Oh, right, haven't thought about -bin.
> Ok, I really should read the original bug report a little bit closer... Cause
> basically this bug does not concern us at all. Neither upstream openoffice-bin
> (=upstream) nor our own build contains VBA macro support atm.
Okay, fine, I'll just close this bug then. Please reopen if we missed something.