| Summary: | app-office/openoffice: Arbitrary VBA macro execution (CVE-2010-0136) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | major | CC: | office |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A2 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Tobias Heinlein (RETIRED)
2010-03-01 13:41:07 UTC
Maintainers, upstream seems to have fixed this issue. Do you want to backport or wait for a new release?

(In reply to comment #1)
> Maintainers, upstream seems to have fixed this issue. Do you want to backport
> or wait for a new release?

There is already a new release (which fixes a couple of other security issues), so I don't think backporting this one fix makes a lot of sense.

Thanks for the fast response. I guess with "new release" you mean 3.2.0. However, although the CVE doesn't mention it, this issue doesn't seem to be fixed in 3.2.0. I suppose 3.2.1 will contain the fix.

(In reply to comment #3)
> Thanks for the fast response. I guess with "new release" you mean 3.2.0.
> However, although the CVE doesn't mention it, this issue doesn't seem to be
> fixed in 3.2.0. I suppose 3.2.1 will contain the fix.

Yes I did talk about 3.2.0. Still: How do you come to the conclusion that 3.2.0 is missing the fix? If yes, that would be really bad, cause we have no way to fix openoffice-bin in this case (unless upstream provides a new binary).

Ok, I really should read the original bug report a little bit closer... Cause basically this bug does not concern us at all. Neither upstream openoffice-bin (=upstream) nor our own build contains VBA macro support atm.

> Still: How do you come to the conclusion that 3.2.0
> is missing the fix?

http://www.openoffice.org/security/bulletin.html. CVE-2010-0136 is not listed there.

> If yes, that would be really bad, cause we have no way to
> fix openoffice-bin in this case (unless upstream provides a new binary)

Oh, right, haven't thought about -bin.

> Ok, I really should read the original bug report a little bit closer... Cause
> basically this bug does not concern us at all. Neither upstream openoffice-bin
> (=upstream) nor our own build contains VBA macro support atm.

Okay, fine, I'll just close this bug then. Please reopen if we missed something.