Summary: <app-office/openoffice-bin-4.1.4: Multiple vulnerabilities>
Product: Gentoo Security
Reporter: Sergey Torokhov <torokhov-s-a>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: chithanh, glsamaker, office
Whiteboard: B3 [noglsa cve]
Runtime testing required: ---
Description Sergey Torokhov 2017-10-22 22:43:38 UTC
OpenOffice 4.1.4 was released on 19 Oct. 2017. Please update this package in the portage tree. Also please resolve the issue https://bugs.gentoo.org/529850 in the new ebuild.

P.S. List of resolved issues: https://bz.apache.org/ooo/buglist.cgi?list_id=233429&query_format=advanced&resolution=FIXED&resolution=FIXED_WITHOUT_CODE&target_milestone=4.1.4

Reproducible: Always
Comment 1 Andreas Sturmlechner 2017-10-22 22:51:00 UTC
Personally I would recommend you upgrade to LibreOffice. I'm not sure if we bump this once more or rather schedule a cleanup...
Comment 2 Sergey Torokhov 2017-10-23 22:17:21 UTC
(In reply to Andreas Sturmlechner from comment #1)
> Personally I would recommend you upgrade to LibreOffice.

I tried several times to take a look at LibreOffice, but every time I found some bugs. The latest version from the portage tree (188.8.131.52-r1) and my Windows installation (5.3.6) have a glitchy interface, especially the menu when hovering over it with the mouse. I also encounter some tiny bugs that are absent for me in OpenOffice. And the current portage LibreOffice(-bin) version is obsolete.

I use OpenOffice on both Gentoo Linux and Windows for ODF formats and I'm satisfied with how it works, as I'm sure many other users are. As for OOXML support, there are other office tools with better support for it than LibreOffice: OnlyOffice, WPS, SoftMaker FreeOffice. What about ebuilds for them?

> I'm not sure if we bump this once more or rather schedule a cleanup...

Why? The application is still running, fixes are released. Gentoo Linux is my favourite because it supports simultaneous installation of OpenOffice and LibreOffice, a feature that is not present in other distributions. So it gives more freedom of choice.

As for the bug mentioned above, it also reproduces with LibreOffice(-bin).
Comment 3 Chí-Thanh Christopher Nguyễn 2017-10-26 19:32:41 UTC
Reassigning this bug to me as I'm the maintainer of app-office/openoffice-bin
Comment 4 Sergey Torokhov 2017-10-26 21:39:45 UTC
Information about vulnerabilities that were fixed in OpenOffice 4.1.4: https://www.openoffice.org/security/bulletin.html

CVE-2017-3157: Arbitrary file disclosure in Calc and Writer
CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor
CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter
CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles
Comment 5 Andreas Sturmlechner 2017-10-27 20:39:13 UTC
(In reply to Chí-Thanh Christopher Nguyễn from comment #3)
> Reassigning this bug to me as I'm the maintainer of app-office/openoffice-bin

Thanks, should have checked first... Please note wrt bug 529850 that the gstreamer version openoffice-bin seems to depend on is ancient and should be removed from all the remaining reverse-dependencies.
Comment 6 D'juan McDonald (domhnall) 2017-11-02 05:02:52 UTC
@maintainer(s): preserved previous URL: https://blogs.apache.org/OOo/entry/announcing-apache-openoffice-4-1. Adding new URL for Security Bug Reference.

@security: CVE request please. Thank you.

Gentoo Security Padawan (jmbailey/mbailey_j)
Comment 7 Christopher Díaz Riveros (RETIRED) 2017-11-21 16:42:33 UTC
*** Bug 638334 has been marked as a duplicate of this bug. ***
Comment 8 Larry the Git Cow 2017-12-14 13:51:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ade5387dafde98d4a37f9a63c419a834554f0e69

commit ade5387dafde98d4a37f9a63c419a834554f0e69
Author: Chí-Thanh Christopher Nguyễn <email@example.com>
AuthorDate: 2017-12-14 13:50:40 +0000
Commit: Chí-Thanh Christopher Nguyễn <firstname.lastname@example.org>
CommitDate: 2017-12-14 13:50:40 +0000

    app-office/openoffice-bin: security bump to 4.1.4

    Bug: https://bugs.gentoo.org/635120
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 app-office/openoffice-bin/Manifest             |  80 +++++++++
 .../openoffice-bin/openoffice-bin-4.1.4.ebuild | 185 +++++++++++++++++++++
 2 files changed, 265 insertions(+)
Comment 9 Thomas Deutschmann 2017-12-19 15:49:47 UTC
Comment 10 Agostino Sarubbo 2017-12-20 13:09:38 UTC
amd64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Comment 11 Larry the Git Cow 2017-12-26 02:57:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edbb288bd7337e0b8fab4925fe23987a1a72f071

commit edbb288bd7337e0b8fab4925fe23987a1a72f071
Author: Chí-Thanh Christopher Nguyễn <email@example.com>
AuthorDate: 2017-12-26 02:57:30 +0000
Commit: Chí-Thanh Christopher Nguyễn <firstname.lastname@example.org>
CommitDate: 2017-12-26 02:57:30 +0000

    app-office/openoffice-bin: remove vulnerable version

    Bug: https://bugs.gentoo.org/635120
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 app-office/openoffice-bin/Manifest             |  80 ---------
 .../openoffice-bin/openoffice-bin-4.1.3.ebuild | 185 ---------------------
 2 files changed, 265 deletions(-)
Comment 12 Aaron Bauman 2018-01-15 15:57:05 UTC
Downgraded to B3 due to no known exploits or PoC for ACE. Demos exist for DoS only.

GLSA Vote: No. Tree is clean.