Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 307307

Summary: app-office/openoffice: Arbitrary VBA macro execution (CVE-2010-0136)
Product: Gentoo Security Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: major CC: office
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [noglsa]
Package list:
Runtime testing required: ---

Description Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 13:41:07 UTC 
CVE-2010-0136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0136):
  OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly
  enforce Visual Basic for Applications (VBA) macro security settings,
  which allows remote attackers to run arbitrary macros via a crafted
  document.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 13:42:21 UTC 
Maintainers, upstream seems to have fixed this issue. Do you want to backport or wait for a new release?
Comment 2 Andreas Proschofsky (RETIRED) gentoo-dev 2010-03-01 14:41:44 UTC 
(In reply to comment #1)
> Maintainers, upstream seems to have fixed this issue. Do you want to backport
> or wait for a new release?
> 

There is alreay a new release (which fixes a couple of other security issues), so I don't think backporting this one fix makes a lot of sense
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 19:10:10 UTC 
Thanks for the fast response. I guess with "new release" you mean 3.2.0. However, although the CVE doesn't mention it, this issue doesn't seem to be fixed in 3.2.0. I suppose 3.2.1 will contain the fix.
Comment 4 Andreas Proschofsky (RETIRED) gentoo-dev 2010-03-01 21:01:18 UTC 
(In reply to comment #3)
> Thanks for the fast response. I guess with "new release" you mean 3.2.0.
> However, although the CVE doesn't mention it, this issue doesn't seem to be
> fixed in 3.2.0. I suppose 3.2.1 will contain the fix.
> 

Yes I did talk about 3.2.0. Still: How do you come to the conclusion that 3.2.0 is missing the fix? If yes, that would be really bad, cause we have no way to fix openoffice-bin in this case (unless upstream provides a new binary)
Comment 5 Andreas Proschofsky (RETIRED) gentoo-dev 2010-03-01 21:06:31 UTC 
Ok, I really should read the original bug report a little bit closer... Cause basically this bug does not concern us at all. Neither upstream openoffice-bin (=upstream) nor our own build contains VBA macro support atm.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 21:24:36 UTC 
> Still: How do you come to the conclusion that 3.2.0
> is missing the fix?

http://www.openoffice.org/security/bulletin.html. CVE-2010-0136 is not listed there.

> If yes, that would be really bad, cause we have no way to
> fix openoffice-bin in this case (unless upstream provides a new binary)

Oh, right, haven't thought about -bin.

> Ok, I really should read the original bug report a little bit closer... Cause
> basically this bug does not concern us at all. Neither upstream openoffice-bin
> (=upstream) nor our own build contains VBA macro support atm. 

Okay, fine, I'll just close this bug then. Please reopen if we missed something.