| Summary: | app-office/openoffice{-bin\|ximian} DOC document Heap Overflow (CAN-2005-0941) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | office |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://www.securityfocus.com/archive/1/395516/2005-04-08/2005-04-14/0 | | |
| Whiteboard: | A2 [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-04-12 08:01:50 UTC
openoffice please advise.

For the binary there are already new files: ftp://ftp.stardiv.de/pub/OpenOffice.org/contrib/rc/1.1.4secpatch/ Going to add this asap. Still looking for a patch for the source based versions, though.

Patch is here: http://cvs.gnome.org/viewcvs/*checkout*/ooo-build/patches/OOO_1_1/crash-objstream.diff?rev=1.1.2.1

openoffice-bin-1.1.4-r1 has the fix, marked ~x86 ~amd64 atm.

suka any eta on the non-bin version? And what about the ximianized version?

Committed a bunch of revision bumps, which contain the necessary fix: openoffice-1.1.4-r1 openoffice-ximian-1.3.6-r1 openoffice-ximian-1.3.7-r1 openoffice-ximian-1.3.9-r1. All are marked unstable on all archs at the moment. Going to mark them stable on x86 tomorrow, if everything goes smoothly. For other archs their respective maintainers should comment.

Thx for the swift reaction Andreas. Arches please test and mark stable. Target keywords are:

openoffice-1.1.4-r1: x86 ppc sparc

openoffice-bin-1.1.4-r1: x86 amd64

openoffice-ximian-1.3.6-r1: ~x86 ppc

openoffice-ximian-1.3.7-r1: x86 ~ppc sparc

openoffice-ximian-1.3.9-r1: x86 ~ppc ~sparc

Stable on ppc.

I've got the -bin covered on x86, but I don't have enough free hd space to build the others... suka, can you mark them? I guess you've already tested them?

openoffice-1.1.4-r1 and openoffice-ximian-1.3.9-r1 are now stable on x86, just took some time to build... Crash with the manipulated work document from the OOo-bug does not work anymore, so I think this counts as fixed. One thing more that I want to point out: We still have an openoffice-bin-1.1.1 which is marked stable on ppc, don't know how to deal with this, it should be vulnerable too, but I don't think a fix exists yet. Also we have the openoffice-bin-2.0-pre in the tree which is also vulnerable but this is hard masked anyway? Is this sufficient?

About the unfixed ppc: we'll issue a temporary GLSA that says ppc is still affected. About the hardmasked vulnerable version: yes, hardmasking is sufficient. Maybe add to the masking comment that there are stability *and* security issues with that version.

Candidate: CAN-2005-1044

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1044

Reference: BUGTRAQ:20050412 OpenOffice DOC document Heap Overflow

Reference: URL:http://www.securityfocus.com/archive/1/395516

Reference: CONFIRM:http://www.openoffice.org/issues/show_bug.cgi?id=46388

The StgCompObjStream::Load function in OpenOffice.org OpenOffice 1.1.4 and earlier allocates memory based on 16 bit length values, but process memory using 32 bit values, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a DOC document with certain length values, which leads to a heap-based buffer overflow.

Oops. That was a dupe.

@Koon: openoffice-bin-2.0-pre will get a new release soon, which has the fix, so no need to add a message, I think. Other than that mainly sparc updates are missing now...

You might want to remove the vulnerable -ximian ebuilds? To force ppl to install the patched ones..

x86 out

hparker already marked it stable for amd64

@Olivier: Already did that some hours ago for 1.3.9 and 1.3.6, 1.3.7 is still there until 1.3.7-r1 is stable on sparc

Sparc: please mark stable openoffice-1.1.4-r1 and openoffice-ximian-1.3.7-r1.

Can you relax a bit? Do you know how long this takes to compile? Here: Wed Apr 13 20:24:23 2005 >>> app-office/openoffice-ximian-1.3.9-r1 merge time: 1 day, 4 hours, 25 minutes and 11 seconds. WE KNOW, WE ARE WORKING ON IT, WE DON'T WANT TO MAKE UNNECESSARY NOISE IN THE BUGS. OK?

openoffice-ximian-1.3.9-r1 stable on sparc. openoffice-1.1.4-r1 breaks on moz stuff - given that our virtual has been pointing to -ximian for quite some time, and we prefer -ximian in general (it's even on the package CDs instead of regular OO) feel free to ditch it entirely for us. We may look into getting it in shape back for sparc, but given long compile times and -ximian being superior in general I don't foresee this happening soon.

@Gustavo: Shouldn't the mozilla stuff be already disabled for sparc? Looks like in the ebuild to me.

All vulnerable versions of openoffice and openoffice-ximian are now removed from the tree.

Ready for a temporary GLSA stating that ppc openoffice-bin users should switch to openoffice (non-bin) and sparc openoffice users should switch to openoffice-ximian.

GLSA 200504-13. Will stay open until ppc has a fixed version for -bin.

As just has been pointed out (I actually forgot about that one...) openoffice-ximian-bin-1.1.53 should also be vulnerable to this. So either we put this in package.mask or wait for a new release, which should be quite soon. Actually I've openoffice-ximian-bin-1.3.9 ready here locally, just waiting for an update by Novell which also carries the security fix.

I would say wait for the new release, and we'll update the GLSA. openoffice-ximian-bin is in ~ anyway...

Just to point out: openoffice-bin-1.9.95 is now in the tree and includes the fix.

openoffice-ximian-bin now also has a newer version which is safe.

GLSA 200504-13 now updated. Nothing more to do on this bug -> Closing.
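
The CVE text quoted in the thread describes a length-width mismatch: memory is sized from a 16-bit length but processed with a 32-bit one. The following is an added illustration of that bug class and of a consistent-width loader, not code from OpenOffice.org or from this bug; the `[u32 length][bytes]` record layout, `load_record`, `width_mismatch_excess` and `MAX_NAME_LEN` are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_LEN 4096u /* assumed sanity cap for this example */

/* Read a 32-bit little-endian value from a byte buffer. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed pattern, sizes only: the allocation uses a 16-bit view of the
 * length, the later processing uses all 32 bits. Returns how many bytes
 * would be handled beyond the allocation (0 when both widths agree). */
size_t width_mismatch_excess(uint32_t stored_len) {
    uint16_t alloc_len = (uint16_t)stored_len; /* silently truncated */
    return stored_len > alloc_len ? (size_t)(stored_len - alloc_len) : 0;
}

/* Hardened loader for a hypothetical record: [u32 length][bytes].
 * One length, one width, checked against the cap and the bytes present.
 * Returns 0 and a NUL-terminated copy in *out (caller frees), else -1. */
int load_record(const uint8_t *buf, size_t buflen, char **out) {
    *out = NULL;
    if (buflen < 4) return -1;
    uint32_t len = rd_le32(buf);
    if (len > MAX_NAME_LEN || len > buflen - 4) return -1;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return -1;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    *out = s;
    return 0;
}

/* Constructed sample records, not taken from any real document. */
static const uint8_t good_rec[] = { 5, 0, 0, 0, 'W', 'r', 'i', 't', 'e' };
static const uint8_t bad_rec[]  = { 0x08, 0x00, 0x01, 0x00, 'A', 'B' };

int main(void) {
    char *name = NULL;
    printf("good: %d\n", load_record(good_rec, sizeof good_rec, &name));
    free(name);
    printf("bad:  %d\n", load_record(bad_rec, sizeof bad_rec, &name));
    printf("excess for 0x00010008: %zu\n", width_mismatch_excess(0x00010008u));
    return 0;
}
```

The constructed `bad_rec` declares a length of 0x00010008, which a 16-bit view reads as 8; the hardened loader rejects it because the declared length exceeds both the cap and the bytes actually present.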