|Summary:||<app-office/openoffice-3.2.1-r1: code execution (CVE-2010-0395)|
|Product:||Gentoo Security||Reporter:||Robin Johnson <robbat2>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||chithanh, fedotov.i.f, niko.bockerman+gentoo-bugzilla, shiningarcanine, spatz|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||340917, 345309|
Description Robin Johnson 2010-05-19 03:11:17 UTC
Please bump to 3.2.1RC1. The existing 3.2.0m12 does not contain the fix in upstream bug 109550 and bug 109544 that makes OpenOffice very painful to use on some multidesktop setups.
http://www.openoffice.org/issues/show_bug.cgi?id=109544
http://www.openoffice.org/issues/show_bug.cgi?id=109550
Comment 1 Andreas Proschofsky (RETIRED) 2010-05-24 15:20:40 UTC
RC1 is in the tree (though masked). Keeping this open for the final release. Unfortunately I'll be on vacation the next two weeks, so 3.2.1 will be late, I'm afraid...
Comment 2 Richard 2010-05-30 03:34:24 UTC
RC2 was released today. It is available in an overlay, but unfortunately, the overlay interferes with existing things that are installed on my system. Firefox is the most prominent example, which it wants to downgrade. It would be nice to have the ebuild in the tree bumped to RC2, although I took a look at it and I do not think it is as simple as changing its name to RC2 and putting it in a local overlay.
Comment 3 Silvio 2010-06-07 12:34:17 UTC
Official 3.2.1 is out.
Comment 4 Andreas Proschofsky (RETIRED) 2010-06-14 11:55:46 UTC
OOo 3.2.1 is in the tree, both source and -bin
Comment 5 Stefan Behte (RETIRED) 2010-08-01 13:47:22 UTC
Can app-office/openoffice-3.2.1 go stable?
Comment 6 Stefan Behte (RETIRED) 2010-09-01 23:14:11 UTC
CVE-2010-0395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0395): OpenOffice.org 2.x and 3.0 before 3.2.1 allows user-assisted remote attackers to bypass Python macro security restrictions and execute arbitrary Python code via a crafted OpenDocument Text (ODT) file that triggers code execution when the macro directory structure is previewed.
Comment 7 Andreas Proschofsky (RETIRED) 2010-11-11 19:36:54 UTC
(In reply to comment #5)
> Can app-office/openoffice-3.2.1 go stable?

In my view: Definitely. It still has some problems, but not more than any release before. Please note we should target 3.2.1-r1, as this has two more security fixes
Comment 8 Paweł Hajdan, Jr. (RETIRED) 2011-01-10 12:02:25 UTC
Stabilization is being handled in bug #345309, eh.
Comment 9 Andreas Proschofsky (RETIRED) 2011-03-16 20:50:20 UTC
With ppc being done, we are finally ready for the advisory
Comment 10 Tim Sammut (RETIRED) 2011-03-19 22:51:56 UTC
Added to existing GLSA request.
Comment 11 GLSAMaker/CVETool Bot 2014-08-31 15:21:17 UTC
This issue was resolved and addressed in GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml by GLSA coordinator Kristian Fiskerstrand (K_F).