|Summary:||app-office/openoffice < 3.0.0 insecure temp file usage (CVE-2008-4937)|
|Product:||Gentoo Security||Reporter:||Christian Hoffmann (RETIRED) <hoffie>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||238539|
|Bug Blocks:||235770, 244995|
Comment 1 Christian Hoffmann (RETIRED) 2008-08-26 20:17:39 UTC
Confirmed, we are installing /usr/lib/openoffice/program/senddoc and it contains code which allows for overwriting arbitrary files via symlink attacks. Tested 2.4.1, 3* is still hardmasked on Gentoo and is not vulnerable according to $URL. This (lines 3 and 4 in the mentioned script) just looks like debug code which could probably removed without problems.
Comment 2 Andreas Proschofsky (RETIRED) 2008-08-26 22:15:54 UTC
Most of the other distributions (SUSE, Fedora) are handling this low key and want to just fix it with 3.0, as they don't see a big risk in it. Not saying we should do the same, just giving some perspective. Did someone already check openoffice-bin?
Comment 3 Robert Buchholz (RETIRED) 2008-08-30 13:46:45 UTC
(In reply to comment #2) > Most of the other distributions (SUSE, Fedora) are handling this low key and > want to just fix it with 3.0, as they don't see a big risk in it. Not saying we > should do the same, just giving some perspective. The impact is that a local attacker can trick a victim into truncating any local file if he gets the victim to call that script. I don't know the timeframe for a new release (and its stabling), but I do feel the pain of users rebuilding OO. > Did someone already check openoffice-bin? Yes, /usr/lib32/openoffice/program/senddoc does the same.
Comment 4 Andreas Proschofsky (RETIRED) 2008-10-16 20:44:29 UTC
Well OOo 3.0 (-bin and source) is in the tree, unmasked and should be fine
Comment 5 Pierre-Yves Rofes (RETIRED) 2008-10-16 21:36:55 UTC
Arches, please test and mark stable: - app-office/openoffice-3.0.0 (amd64 ppc x86) - app-office/openoffice-bin-3.0.0 (amd64 x86)
Comment 6 Markus Meier 2008-10-17 20:32:11 UTC
marked the -bin version stable on amd64/x86. maybe I find some time tomorrow for the non-bin...
Comment 7 Markus Meier 2008-10-18 20:31:59 UTC
Comment 8 Tobias Scherbaum (RETIRED) 2008-11-02 09:36:26 UTC
ppc stable, sorry for the delay *hide*
Comment 9 Tobias Heinlein (RETIRED) 2008-11-08 09:50:58 UTC
GLSA request filed.
Comment 10 Pierre-Yves Rofes (RETIRED) 2008-12-12 23:08:36 UTC
Comment 11 Robert Buchholz (RETIRED) 2008-12-29 18:08:55 UTC
As reported on bug 238539, some ~arch users cannot install this issue.
Comment 12 Andreas Proschofsky (RETIRED) 2008-12-30 00:53:49 UTC
(In reply to comment #11) > As reported on bug 238539, some ~arch users cannot install this issue. > How is this bug preventing people to install OOo 3.0 when there is a known workaround for this issue (which is actually referenced in the ebuild)?
Comment 13 Robert Buchholz (RETIRED) 2008-12-30 01:28:34 UTC
You mean rebuilding with USE=kdeprefix? Re-thinking the situation, it is no worse than any other USE-dependency and no blocker to the installation. Sorry for the noise.
Comment 14 Andreas Proschofsky (RETIRED) 2008-12-30 09:52:10 UTC
(In reply to comment #13) > You mean rebuilding with USE=kdeprefix? Yes > > Re-thinking the situation, it is no worse than any other USE-dependency and no > blocker to the installation. Sorry for the noise. > No problem, I'm going to add the patch soonish anyway, I just didn't think it was security related...