Bug 677248 (CVE-2018-16858) - <app-office/openoffice-bin-4.1.7: code execution vuln via python scripts (CVE-2018-16858)
Status: RESOLVED FIXED
Alias: CVE-2018-16858
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://insert-script.blogspot.com/20...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2019-9853
Reported: 2019-02-04 13:41 UTC by Hanno Böck
Modified: 2020-03-20 04:10 UTC

See Also:
Package list:
app-office/openoffice-bin-4.1.7
Runtime testing required: ---
stable-bot: sanity-check+


Description Hanno Böck gentoo-dev 2019-02-04 13:41:44 UTC
See
https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html

There's a really bad vulnerability; it affects both libre+openoffice, but for libreoffice it's been fixed in November and all versions affected have, as far as I can see, already left the Gentoo tree.

For openoffice it's unfixed as of the current upstream version.

Maybe this is a good time to say goodbye to openoffice?
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-02-05 12:21:15 UTC
From the linked report:

---
Vulnerable:
Openoffice: 4.1.6 (latest version)

I reconfirmed via email that I am allowed to publish the details of the vulnerability although openoffice is still unpatched. Openoffice does not allow to pass parameters therefore my PoC does not work but the path traversal can be abused to execute a python script from another location on the local file system.
To disable the support for python the pythonscript.py in the installation folder can be either removed or renamed (example on linux /opt/openoffice4/program/pythonscript.py)
---

So it seems that there is a possible mitigation to this bug.

(In reply to Hanno Boeck from comment #0)
> Maybe this is a good time to say goodbye to openoffice?
Why? I see no problem having vulnerable packages in the tree, as long as they are p.masked so unsuspecting users don't install them.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-03-29 23:18:14 UTC
(In reply to Chí-Thanh Christopher Nguyễn from comment #1)
> From the linked report:
> 
> ---
> Vulnerable:
> Openoffice: 4.1.6 (latest version)
> 
> I reconfirmed via email that I am allowed to publish the details of the
> vulnerability although openoffice is still unpatched. Openoffice does not
> allow to pass parameters therefore my PoC does not work but the path
> traversal can be abused to execute a python script from another location on
> the local file system.
> To disable the support for python the pythonscript.py in the installation
> folder can be either removed or renamed (example on linux
> /opt/openoffice4/program/pythonscript.py)
> ---
> 
> So it seems that there is a possible mitigation to this bug.
> 
> (In reply to Hanno Boeck from comment #0)
> > Maybe this is a good time to say goodbye to openoffice?
> Why? I see no problem having vulnerable packages in the tree, as long as
> they are p.masked so unsuspecting users don't install them.

So, you want to p.mask this or what?
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-03-29 23:57:21 UTC
After discussion with upstream at CLT 2019, I think the best way to go forward is to not install the pythonscript.py file.
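
The mitigation quoted in comment 1 and chosen in comment 3 (no `pythonscript.py` in the installation) can be checked on an installed system. The script below is an added example, not code from this bug report or from the ebuild; the function names and the `.disabled` suffix are assumptions, and `/opt/openoffice4` is the example path from the quoted report.

```shell
#!/bin/sh
# Added example: audit an OpenOffice install for the pythonscript.py mitigation.
# Function names and the ".disabled" suffix are assumptions made for this sketch.

# audit_pythonscript ROOT -> prints one word:
#   absent    : ROOT/program does not exist, nothing installed there
#   exposed   : a file named pythonscript.py is still present under ROOT
#   mitigated : install exists and pythonscript.py is removed or renamed
audit_pythonscript() {
    root=$1
    if [ ! -d "$root/program" ]; then
        echo absent
        return 0
    fi
    # Count regular files and symlinks of that name anywhere under ROOT.
    hits=$(find "$root" \( -type f -o -type l \) -name pythonscript.py 2>/dev/null)
    if [ -n "$hits" ]; then
        echo exposed
    else
        echo mitigated
    fi
}

# disable_pythonscript ROOT -> rename every pythonscript.py found under ROOT,
# which is the "renamed" variant of the mitigation quoted in comment 1.
disable_pythonscript() {
    root=$1
    find "$root" \( -type f -o -type l \) -name pythonscript.py 2>/dev/null |
    while IFS= read -r f; do
        mv -- "$f" "$f.disabled"
    done
}

# Report the status of each install root given on the command line,
# e.g. /opt/openoffice4 (the example path from the quoted report).
for root in "$@"; do
    printf '%s: %s\n' "$root" "$(audit_pythonscript "$root")"
done
```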
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-03-30 00:02:53 UTC
(In reply to Chí-Thanh Christopher Nguyễn from comment #3)
> After discussion with upstream at CLT 2019, I think the best way to go
> forward is to not install the pythonscript.py file.

Ok, so you will revbump and we can stable from there?
Comment 5 Larry the Git Cow gentoo-dev 2019-10-18 11:55:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=625ae773f5aca1a8a4ec3060712400bae0212f74

commit 625ae773f5aca1a8a4ec3060712400bae0212f74
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2019-10-18 11:55:16 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2019-10-18 11:55:16 +0000

    app-office/openoffice-bin: bump to 4.1.7, address security vulnerability
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=677248
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=695358
    Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
    Package-Manager: Portage-2.3.76, Repoman-2.3.16

 app-office/openoffice-bin/Manifest                 |  80 +++++++++
 .../openoffice-bin/openoffice-bin-4.1.7.ebuild     | 193 +++++++++++++++++++++
 2 files changed, 273 insertions(+)
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-10-18 11:57:55 UTC
Arches, please stabilize app-office/openoffice-bin-4.1.7
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-21 12:14:32 UTC
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-21 12:32:01 UTC
x86 stable
Comment 9 Larry the Git Cow gentoo-dev 2019-10-24 05:53:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e2dd43b77d92aefb0df825c6b500468cf7bdcec

commit 2e2dd43b77d92aefb0df825c6b500468cf7bdcec
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2019-10-24 05:53:22 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2019-10-24 05:53:22 +0000

    app-office/openoffice-bin: remove vulnerable version
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=677248
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=695358
    Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>

 app-office/openoffice-bin/Manifest                 |  80 ---------
 .../openoffice-bin/openoffice-bin-4.1.6.ebuild     | 183 ---------------------
 2 files changed, 263 deletions(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-20 00:57:44 UTC
Tree is clean.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2020-03-20 04:10:03 UTC
Arches and Maintainer(s), Thank you for your work.