Bug 159951

Summary: app-office/openoffice < 2.1 integer overflow (CVE-2006-5870)
Product: Gentoo Security Reporter: Matt Drew (RETIRED) <aetius>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: keith, office, suka
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openoffice.org/issues/show_bug.cgi?id=70042
Whiteboard: A2 [glsa] DerCorny
Package list:
Runtime testing required: ---
Bug Depends on: 147542, 159859, 159862    
Bug Blocks:    

Description Matt Drew (RETIRED) gentoo-dev 2007-01-04 05:14:25 UTC
http://www.openoffice.org/servlets/ReadMsg?list=releases&msgNo=10454

http://secunia.com/advisories/23612/

Your basic file format handling issue, this time WMF/EMF files.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2007-01-04 05:32:13 UTC
setting status and cc'ing herd.
Comment 2 Andreas Proschofsky (RETIRED) gentoo-dev 2007-01-04 05:40:58 UTC
Situation is like this:

openoffice-bin 2.0.4 is vulnerable

openoffice-2.0.4 (source based build) is NOT. The fix for this problem has already been in ooo-build before the initial 2.0.4-release (it's in http://svn.gnome.org/viewcvs/ooo-build/branches/ooo-build-2-0-4/patches/src680/cws-cmcfixes28.diff?rev=7820&view=markup)

So what I propose is to stabilize openoffice-bin 2.1.0. and openoffice 2.0.4, afterwards delete the vulnerable versions. There are already bugs about that, which I'll update and add as a dependency here.
Comment 3 Matt Drew (RETIRED) gentoo-dev 2007-01-04 06:12:31 UTC
Thanks suka.

arches please test and mark stable:

app-office/openoffice-bin-2.1.0
app-office/openoffice-2.0.4

target keywords for -bin are: KEYWORDS="amd64 x86"
target keywords for regular are: KEYWORDS="~amd64 ppc sparc x86"
Comment 4 Simon Stelling (RETIRED) gentoo-dev 2007-01-04 07:56:15 UTC
*** Bug 159859 has been marked as a duplicate of this bug. ***
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-01-04 08:11:35 UTC
-bin 2.1.0 x86 stable
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-04 11:16:38 UTC
*** Bug 160029 has been marked as a duplicate of this bug. ***
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-01-05 00:14:40 UTC
x86 is done with both versions
Comment 8 Michael Cummings (RETIRED) gentoo-dev 2007-01-07 05:12:51 UTC
-bin 2.1.0 amd64 stable
Comment 9 Michael Cummings (RETIRED) gentoo-dev 2007-01-07 05:34:57 UTC
Given: 

(In reply to comment #3)
> target keywords for -bin are: KEYWORDS="amd64 x86"
> target keywords for regular are: KEYWORDS="~amd64 ppc sparc x86"

amd64 should be all set (stable on one, arch testing on the other). 
Comment 10 Lars Weiler (RETIRED) gentoo-dev 2007-01-07 06:58:57 UTC
I still have problems with OOo on ppc.  With java-use-flag set it fails during the compile phase and without it fails on the pyUNO bug #147542...
Comment 11 Andreas Proschofsky (RETIRED) gentoo-dev 2007-01-07 09:01:29 UTC
(In reply to comment #10)
> I still have problems with OOo on ppc.  With java-use-flag set it fails during
> the compile phase and without it fails on the pyUNO bug #147542...
> 

I've commented in the pyuno-bug
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2007-01-08 18:42:54 UTC
sparc stable.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-09 18:22:14 UTC
Works for >3 people on ppc, -> stable!
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2007-01-09 18:47:45 UTC
thanks, this is ready for glsa
Comment 15 Andreas Proschofsky (RETIRED) gentoo-dev 2007-01-09 20:05:12 UTC
I've removed openoffice-2.0.3 from the tree now
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:06:52 UTC
GLSA 200701-07