
Bug 63556

Summary: app-office/openoffice*: world-readable temp files disclose files to local users
Product: Gentoo Security Reporter: Tom Lynema <lyz27>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: normal CC: office, sj7trunks
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa] vorlon
Package list:
Runtime testing required: ---
Bug Depends on: 65987    
Bug Blocks:    

Description Tom Lynema 2004-09-10 08:19:24 UTC
SecurityTracker Alert ID:  1011205
SecurityTracker URL:
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Sep 10 2004
Impact:  Disclosure of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.1.2
Description:  A vulnerability was reported in OpenOffice. A local user may be able to obtain documents belonging to another local user.

pmladek reported that the software uses insecure temporary files. When started, OpenOffice creates a world-readable temporary directory ('/tmp/sv<RAND>.tmp'). When an OpenOffice file is saved, a compressed version (zip file) is saved in the temporary directory.

A local user can access the temporary directory and obtain the file.
Impact:  A local user can obtain information belonging to another local user.
Solution:  The vendor has issued a fix, available via CVS.
Vendor URL:
Cause:  Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None. 

Reproducible: Always
Steps to Reproduce:
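
The permission problem described in the report, as an added example (not part of the original report and not OpenOffice's code): a scratch directory whose mode is left to the umask ends up readable by other local users, while `mkdtemp()` creates it owner-only. The `sv-demo-` names, the umask of 022 and the helper functions are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if group/others hold any permission bit on the directory,
 * 0 if it is owner-only, -1 if it is missing or not a directory. */
int exposed_to_others(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Creates a scratch directory (constructed name, not OpenOffice's),
 * measures its exposure, removes it again and returns the measurement. */
int demo_exposure(int hardened)
{
    char path[64];
    int rc, result;

    if (hardened) {
        /* mkdtemp(): unpredictable name, always created with mode 0700 */
        strcpy(path, "/tmp/sv-demo-XXXXXX");
        rc = mkdtemp(path) ? 0 : -1;
    } else {
        /* Assumed weak pattern: mode left to a typical umask of 022 */
        mode_t old = umask(022);
        snprintf(path, sizeof path, "/tmp/sv-demo-%ld.tmp", (long)getpid());
        rc = mkdir(path, 0777);            /* 0777 & ~022 = 0755 */
        umask(old);
    }
    if (rc != 0)
        return -1;
    result = exposed_to_others(path);
    rmdir(path);
    return result;
}

int main(void)
{
    printf("umask-dependent mkdir: exposed=%d\n", demo_exposure(0));
    printf("mkdtemp:               exposed=%d\n", demo_exposure(1));
    return 0;
}
```

`exposed_to_others()` can also be pointed at an existing per-user temporary directory to confirm that a patched build creates it owner-only.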
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-11 02:59:46 UTC
OpenOffice team, please confirm fix
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2004-09-13 02:14:45 UTC
see also
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-15 13:46:44 UTC

fixed for Red Hat (RHSA-2004:446-08)

The vulnerability has been fixed in Product Update 3 for StarOffice and a release candidate of OpenOffice 1.1.3."
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-16 11:21:28 UTC
OpenOffice team, please comment on the status of a fix for this
Comment 5 Paul de Vrieze (RETIRED) gentoo-dev 2004-09-16 12:47:45 UTC
To me this really is a minor issue, I think we can wait until 1.1.3 is out. 
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-17 02:41:45 UTC
setting status to [upstream]
1.1.3 seems to be coming soon
Comment 7 Andreas Proschofsky (RETIRED) gentoo-dev 2004-09-18 03:07:58 UTC
This is already fixed in openoffice-ximian-1.3.4
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-28 01:03:32 UTC
Mandrake just released their fix:
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-05 02:03:35 UTC
going back to ebuild status, since 1.1.3 has been released
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-07 02:03:24 UTC
OpenOffice team, could you please comment on the bug when the OOo ebuilds have reached stable

security, any votes on a GLSA since this is rated B4?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-07 02:13:47 UTC
I think we should issue a GLSA. This package is very common, it leaks complete documents and is really easy. RedHat and Mandrake released advisories on this too.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-07 05:11:18 UTC
Oops... well actually time for some testing and stable marking...
Since only 1.1.2 is said to be affected, we will need the following:

current KEYWORDS="~x86"
target KEYWORDS="x86 amd64"

current KEYWORDS="~x86"
target KEYWORDS="x86"


target KEYWORDS="~x86 ~ppc" reached already

openoffice-ximian-bin only has 1.1.53, no work needed either
Comment 13 Simon Stelling (RETIRED) gentoo-dev 2004-10-10 04:40:53 UTC
stable on amd64
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-12 01:46:32 UTC
Any progress on marking this stable on x86 so far?

This has been in [stable] status for 5 days and was opened about a month ago already.
Comment 15 Andreas Proschofsky (RETIRED) gentoo-dev 2004-10-12 08:27:52 UTC
openoffice and openoffice-bin 1.1.3 are now stable on x86, still there is a lot to do:

*) Need to mark a newer openoffice-ximian stable on x86, the current stable doesn't have the fix. Just committed a new version into unstable which I hope to mark stable in the next few days.

*) There is no version of openoffice-ximian-bin which is not vulnerable, as we are depending on upstream binaries (in this case from Ximian) and there is no newer version, I am going to mask it at whole in package.mask until we get a newer binary

*) Other archs will have to check all three packages:

ppc (now at 1.1.1)

sparc (1.1.0-r4), ppc (1.0.3-r2!)

ppc (1.1.55), sparc (1.1.61)
Comment 16 Andreas Proschofsky (RETIRED) gentoo-dev 2004-10-13 02:14:06 UTC
openoffice-ximian-bin is now masked, people should upgrade to a recent openoffice-ximian
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-13 09:02:19 UTC
Arches... please test and mark stable if possible...

to be on the safe side we should end up with:

current KEYWORDS="x86"
target KEYWORDS="x86 sparc ppc"

current KEYWORDS="x86 amd64"
target KEYWORDS="x86 amd64 ppc"

current KEYWORDS="~x86 ~ppc"
target KEYWORDS="x86 ppc sparc"

Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-10-14 01:17:45 UTC
Hmmm... In fact we don't need as much, since only 1.1.2 versions are affected. openoffice and openoffice-bin already have the necessary keywords !

For openoffice-ximian it's slightly more complicated, as we don't "see" the oo version used. In fact we have:
1.1.55 -> 1.1.1 (unaffected)
1.1.61, -> 1.1.2 (affected)
1.3.4, 1.3.5 -> 1.1.2 but patched (unaffected)

So we just need for openoffice-ximian-1.3.5-r1:
current KEYWORDS="~x86 ~ppc"
target KEYWORDS="x86 ~ppc sparc"

All in all, only x86 and sparc still have keywording work (removing ppc).
However, all arches can/should test and mark stable the latest version if they can.
Comment 19 Jason Wever (RETIRED) gentoo-dev 2004-10-14 21:01:49 UTC
So just to be straight, regular plain old openoffice-1.1.1 is not vulnerable, correct?  I'm just asking as 1.1.2 and 1.1.3 have build problems on sparc right now and on a good day when things do compile, it takes about 36 hours or so to build.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2004-10-15 00:46:19 UTC
Yes, 1.1.1 (and 1.1.1-derived) is not vulnerable. The ppc/gcc3.4/ build problem does not block this security bug.
Comment 21 Andreas Proschofsky (RETIRED) gentoo-dev 2004-10-15 08:42:16 UTC
Just marked openoffice-ximian 1.3.5-r1 stable, so x86 should be fine
Comment 22 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-18 07:16:41 UTC
openoffice-ximian-1.3.5-r1 stable on sparc.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-10-18 08:53:26 UTC
So we should be set... vorlon, please draft :)
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2004-10-19 02:31:41 UTC
Andreas, wrt comment #15, ximian-openoffice-bin-1.1.53 is 1.1.1-based, right ? So it wouldn't be affected by this vulnerability ? If so, there would be no need for security masking (feel free to keep the mask for other reasons).

Please confirm as our GLSA contents depend on it...
Comment 25 Andreas Proschofsky (RETIRED) gentoo-dev 2004-10-19 02:44:59 UTC
@Koon: Yes you are right, my fault, will unmask it again. Thanks for noting
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2004-10-20 14:19:15 UTC
GLSA 200410-17