John Heasman discovered a heap overflow in the routines of OpenOffice.org that parse RTF files. A specially crafted RTF file could cause the filter to overwrite data on the heap, which may lead to the execution of arbitrary code. http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00065.html
Uh, binary package is affected as well of course.
Handling -bin on bug #181773. openoffice is 2.2.1 ready for stable marking?
(In reply to comment #2) > > openoffice is 2.2.1 ready for stable marking? > I guess so, 2.2.1 is just a bugfix release for 2.2 which has been in portage for quite some time and should be ready. Dependencies should be fine with one exception: We have an optional dep on >=mono-1.2.3-r1 which is not yet marked stable anywhere.
ppc and x86 please test and mark stable.
Which mono version is recommended? 1.2.4 will hit the 30 days on 16th and I found no relevant bugs but bug 178841, and I don't know how severe it is. dev-dotnet/ligbdiplus is affected, too. 1.2.3 or .4?
(In reply to comment #5) > Which mono version is recommended? 1.2.4 will hit the 30 days on 16th and I > found no relevant bugs but bug 178841, and I don't know how severe it is. > > dev-dotnet/ligbdiplus is affected, too. 1.2.3 or .4? > AFAIK everything from 1.2.3 on should be fine. Anyway: Another possible solution would be to just put an ebuild without mono-support in the tree, it's really nothing very relevant to OOo atm, so I guess that would be the easiest solution.
It fails on x86, build.log to be found at http://dev.gentoo.org/~opfer/build-ooo.log.bz2
(In reply to comment #7) > It fails on x86, build.log to be found at > http://dev.gentoo.org/~opfer/build-ooo.log.bz2 > Are you sure you didn't run out of disk space? At least that's what your build log says... ;) Builds fine here btw.
(In reply to comment #8) > Are you sure you didn't run out of disk space? At least that's what your build > log says... ;) Never post build failures just after getting up. > Builds fine here btw. In the end here, too. x86 stable, removing dotnet team as well
ppc stable
I've removed the vulnerable ebuilds from the tree
hmm actually this one was also solved with GLSA 200707-02. Thanks everybody!