Bug 126433 - app-office/openoffice{-bin}-2.0.2 fixes heap overflow in included curl
Summary: app-office/openoffice{-bin}-2.0.2 fixes heap overflow in included curl
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa] DerCorny
Depends on:
Reported: 2006-03-16 08:24 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-03-27 10:07 UTC

See Also:
Package list:
Runtime testing required: ---
Description Carsten Lohrke (RETIRED) gentoo-dev 2006-03-16 08:24:45 UTC
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-16 08:26:36 UTC
arches please test and mark stable
Comment 2 Luis Medinas (RETIRED) gentoo-dev 2006-03-16 09:18:22 UTC
stable on amd64
Comment 3 Chris Gianelloni (RETIRED) gentoo-dev 2006-03-16 11:44:03 UTC
...and he looked down upon openoffice-bin and saw that it was stable... and then there was much rejoicing... (stable on x86)
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 01:53:08 UTC
Ready for glsa
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 04:41:18 UTC
mhh, wait a second: what's up with normal openoffice? There is a curl useflag and it deps to curl, but does it really link to the external curl of gentoo (fixed long ago) or does it use the one shipped with openoffice?
Comment 6 Andreas Proschofsky (RETIRED) gentoo-dev 2006-03-17 06:13:51 UTC
Indeed, old builds of openoffice-2.0.1 should be vulnerable too if you didn't use the curl USE flag (because in this case the internal curl is being used for the build). I removed this USE flag yesterday, and we now hard-depend on the external curl, so for someone doing a fresh build, this is no issue anymore.

Do you want to do me a revision bump (without changes) so that everyone gets it? Think this would be the best solution, as 2.0.2 is not in the condition to go stable on most archs.
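The question above (does an installed openoffice resolve libcurl from the system or from its own program directory?) can be answered from `ldd` output. The script below is an added example, not part of the bug or of any Gentoo ebuild; the ldd lines are constructed samples and the `/opt/openoffice/program/soffice.bin` path is an assumption.

```shell
#!/bin/sh
# Added example: classify where a binary's libcurl comes from.
# Constructed ldd output, in the shape ldd prints on a 2006-era Gentoo system.
SAMPLE_SYSTEM='	libcurl.so.3 => /usr/lib/libcurl.so.3 (0xb7e00000)
	libc.so.6 => /lib/libc.so.6 (0xb7c00000)'
SAMPLE_BUNDLED='	libcurl.so.3 => /opt/openoffice/program/libcurl.so.3 (0xb7e00000)
	libc.so.6 => /lib/libc.so.6 (0xb7c00000)'
SAMPLE_NONE='	libc.so.6 => /lib/libc.so.6 (0xb7c00000)'

# classify_curl_link LDD_OUTPUT
# Prints "system" when libcurl resolves under the distro library dirs
# (the copy portage patches and updates), "bundled" when it resolves
# anywhere else (e.g. the copy shipped inside the openoffice tree),
# and "not-in-ldd" when no libcurl shared object is listed at all
# (statically linked or not linked; ldd cannot tell which).
classify_curl_link() {
    path=$(printf '%s\n' "$1" | awk '/libcurl\.so/ { print $3; exit }')
    case "$path" in
        "") echo "not-in-ldd" ;;
        /usr/lib/*|/usr/lib64/*|/lib/*|/lib64/*) echo "system" ;;
        *) echo "bundled" ;;
    esac
}

# check_binary FILE: run the real ldd on an installed binary (assumed path).
check_binary() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    classify_curl_link "$(ldd "$1" 2>/dev/null)"
}

# Example invocation against the assumed install location:
# check_binary /opt/openoffice/program/soffice.bin
```

Run `check_binary` over every ELF object in the program directory, not only `soffice.bin`, since the vulnerable copy can be pulled in by a plugin library rather than the main executable.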
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 06:19:15 UTC
yes, please revbump it
Comment 8 Andreas Proschofsky (RETIRED) gentoo-dev 2006-03-17 08:38:51 UTC
I've revision-bumped openoffice-2.0.1; the old ebuild is still in there but is not vulnerable anymore because of the aforementioned change I did yesterday.

Also I've removed openoffice-bin-2.0.1 from the tree, so I think everything should be set for the GLSA.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-03-17 10:15:19 UTC
openoffice-2.0.1-r1 is stable, ready for GLSA

Fixed versions:
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-27 10:07:43 UTC
GLSA 200603-25

Thanks everybody.