Bug 200771 (CVE-2007-4575)

Summary: app-office/openoffice(-bin) < 2.3.1 HSQLDB database Java code execution (CVE-2007-4575)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: lars, office
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-29 20:11:31 UTC
Thomas Biege:
  A security vulnerability in HSQLDB, the default database engine shipped
  with, may allow a remote unprivileged user who provides a
  StarOffice database document that is opened by a local user to execute
  arbitrary Java code on the system with the privileges of the user
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-05 10:27:14 UTC
*** Bug 201338 has been marked as a duplicate of this bug. ***
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-05 10:29:30 UTC
public now. Openoffice herd, please provide an updated ebuild.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 10:39:37 UTC
We have it in the tree.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-05 10:46:03 UTC
(In reply to comment #3)
> We have it in the tree.
oops :)
Arches, please test and mark stable app-office/openoffice-2.3.1 (ppc x86) and app-office/openoffice-bin-2.3.1 (amd64 x86)
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-06 07:47:20 UTC
-bin stable for x86, source to come (in some hours, anyone else can do it meanwhile)
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-06 19:00:07 UTC
x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-06 21:29:51 UTC
ppc stable
Comment 8 Peter Weller (RETIRED) gentoo-dev 2007-12-08 22:02:04 UTC
amd64 done
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:31:06 UTC
Comment 10 Andreas Proschofsky (RETIRED) gentoo-dev 2007-12-09 00:16:39 UTC
Vulnerable ebuilds are gone from the tree
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-30 18:32:05 UTC
GLSA 200712-25, thanks everyone.
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:52:40 UTC
Does not affect current (2008.0) release. Removing release.