Bug 320491 (CVE-2010-0395)

Summary: <app-office/openoffice-3.2.1-r1: code execution (CVE-2010-0395)
Product: Gentoo Security Reporter: Robin Johnson <robbat2>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: chithanh, fedotov.i.f, niko.bockerman+gentoo-bugzilla, shiningarcanine, spatz
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openoffice.org/security/cves/CVE-2010-0395.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 340917, 345309    
Bug Blocks:    

Description Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-05-19 03:11:17 UTC
Please bump to 3.2.1RC1.

The existing 3.2.0m12 does not contain the fix in upstream bug 109550 and bug 109544 that makes OpenOffice very painful to use on some multidesktop setups.

http://www.openoffice.org/issues/show_bug.cgi?id=109544
http://www.openoffice.org/issues/show_bug.cgi?id=109550
Comment 1 Andreas Proschofsky (RETIRED) gentoo-dev 2010-05-24 15:20:40 UTC
RC1 is in the tree (though masked). Keeping this open for the final release.

Unfortunately I'll be on vacation the next two weeks, so 3.2.1 will be late, I'm afraid...
Comment 2 Richard 2010-05-30 03:34:24 UTC
RC2 was released today. It is available in an overlay, but unfortunately, the overlay interferes with existing things that are installed on my system. Firefox is the most prominent example, which it wants to downgrade.

It would be nice to have the ebuild in the tree bumped to RC2, although I took a look at it and I do not think it is as simple as changing its name to RC2 and putting it in a local overlay.
Comment 3 Silvio 2010-06-07 12:34:17 UTC
Official 3.2.1 is out.
Comment 4 Andreas Proschofsky (RETIRED) gentoo-dev 2010-06-14 11:55:46 UTC
OOo 3.2.1 is in the tree, both source and -bin
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:47:22 UTC
Can app-office/openoffice-3.2.1 go stable?
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-01 23:14:11 UTC
CVE-2010-0395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0395):
  OpenOffice.org 2.x and 3.0 before 3.2.1 allows user-assisted remote
  attackers to bypass Python macro security restrictions and execute
  arbitrary Python code via a crafted OpenDocument Text (ODT) file that
  triggers code execution when the macro directory structure is
  previewed.

Comment 7 Andreas Proschofsky (RETIRED) gentoo-dev 2010-11-11 19:36:54 UTC
(In reply to comment #5)
> Can app-office/openoffice-3.2.1 go stable?
> 

In my view: Definitely. It still has some problems, but not more than any release before.

Please note we should target 3.2.1-r1, as this has two more security fixes
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:02:25 UTC
Stabilization is being handled in bug #345309, eh.
Comment 9 Andreas Proschofsky (RETIRED) gentoo-dev 2011-03-16 20:50:20 UTC
With ppc being done, we are finally ready for the advisory
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 22:51:56 UTC
Added to existing GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 15:21:17 UTC
This issue was resolved and addressed in GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml by GLSA coordinator Kristian Fiskerstrand (K_F).