Bug 126433

Summary: app-office/openoffice{-bin}-2.0.2 fixes heap overflow in included curl
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bugreports, office
Priority: High
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://qa.openoffice.org/issues/show_bug.cgi?id=59032
Whiteboard: B2 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2006-03-16 08:24:45 UTC
http://qa.openoffice.org/issues/show_bug.cgi?id=59032
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-16 08:26:36 UTC
arches please test and mark stable
Comment 2 Luis Medinas (RETIRED) gentoo-dev 2006-03-16 09:18:22 UTC
stable on amd64
Comment 3 Chris Gianelloni (RETIRED) gentoo-dev 2006-03-16 11:44:03 UTC
...and he looked down upon openoffice-bin and saw that it was stable... and then there was much rejoicing... (stable on x86)
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 01:53:08 UTC
Ready for glsa
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 04:41:18 UTC
mhh, wait a second: what's up with normal openoffice? There is a curl USE flag and it deps to curl, but does it really link to the external curl of gentoo (fixed long ago) or does it use the one shipped with openoffice?
Comment 6 Andreas Proschofsky (RETIRED) gentoo-dev 2006-03-17 06:13:51 UTC
Indeed, old builds of openoffice-2.0.1 should be vulnerable too if you didn't use the curl USE flag (because in this case the internal curl is being used for the build). I removed this USE flag yesterday, and we now hard-depend on the external curl, so for someone doing a fresh build, this is no issue anymore.

Do you want me to do a revision bump (without changes) so that everyone gets it? I think this would be the best solution, as 2.0.2 is not in a condition to go stable on most archs.
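The question raised in the two comments above (does an installed openoffice resolve libcurl from the system, or from a copy bundled under its own install prefix?) can be answered on a running system by inspecting the dynamic linker's resolution. The script below is an added example, not part of the bug thread or of the openoffice ebuild; the install prefix /opt/openoffice and the ldd-style output lines in the test are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the bug report): classify how an ELF binary
# obtains libcurl by reading ldd-style output on stdin.
#   $1 = install prefix of the application (assumed, e.g. /opt/openoffice)
# Prints exactly one word:
#   system  - libcurl resolves to a path outside the prefix (distro package,
#             i.e. the copy Gentoo already fixed)
#   bundled - libcurl resolves to a copy under the prefix (shipped with the app,
#             fixed only by updating the app itself)
#   missing - libcurl is NEEDED but the loader cannot find it
#   none    - no libcurl dependency visible (note: a statically linked curl
#             is invisible to ldd and would also show up here)
classify_curl_link() {
    prefix="$1"
    result="none"
    while IFS= read -r line; do
        case "$line" in
            *libcurl.so*'=> not found'*)
                result="missing"
                break ;;
            *libcurl.so*'=>'*)
                # strip everything up to "=> " and the trailing "(0x...)" address
                path=${line#*'=> '}
                path=${path%% *}
                case "$path" in
                    "$prefix"/*) result="bundled" ;;
                    *)           result="system" ;;
                esac
                break ;;
        esac
    done
    printf '%s\n' "$result"
}

# Convenience wrapper for a real binary:
#   check_binary /opt/openoffice/program/soffice.bin /opt/openoffice
check_binary() {
    ldd "$1" 2>/dev/null | classify_curl_link "$2"
}
```

Caveat for anyone running this on a box they do not fully trust: ldd may execute the binary's own interpreter to produce its listing. For an untrusted file, list NEEDED entries and RPATH with a static tool instead (on Gentoo, `scanelf -n` from pax-utils, or `readelf -d`) and resolve the path by hand. A result of `none` does not prove curl is absent; a statically linked copy has to be checked by other means, such as the version strings in the binary.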
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 06:19:15 UTC
yes, please revbump it
Comment 8 Andreas Proschofsky (RETIRED) gentoo-dev 2006-03-17 08:38:51 UTC
I've revision-bumped openoffice-2.0.1; the old ebuild is still in there but is not vulnerable anymore because of the aforementioned change I did yesterday.

Also I've removed openoffice-bin-2.0.1 from the tree, so I think everything should be set for the GLSA.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-03-17 10:15:19 UTC
openoffice-2.0.1-r1 is stable, ready for GLSA

Fixed versions:
>=openoffice-2.0.1-r1
>=openoffice-bin-2.0.2
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-27 10:07:43 UTC
GLSA 200603-25

Thanks everybody.