Bug 192818 - app-office/openoffice{,-bin}: Manipulated TIFF files can lead to heap overflows and arbitrary code execution (CVE-2007-2834)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.openoffice.org/security/cv...
Whiteboard: A2? [glsa]
Depends on: 193056
Reported: 2007-09-17 14:00 UTC by Matthias Geerdsen (RETIRED)
Modified: 2007-12-04 00:39 UTC
Description Matthias Geerdsen (RETIRED) gentoo-dev 2007-09-17 14:00:08 UTC
Manipulated TIFF files can lead to heap overflows and arbitrary code execution

    * Synopsis: Manipulated TIFF files can lead to heap overflows and arbitrary code execution
    * State: Resolved

1. Impact

A security vulnerability with the way OpenOffice.org processes TIFF documents may allow arbitrary command execution on the system with the privileges of the user running OpenOffice.org.

We acknowledge, with thanks, an anonymous researcher working with the iDefense VCP.
2. Affected releases

All versions prior to OpenOffice.org 2.3
3. Symptoms

There are no predictable symptoms that would indicate this issue has occurred.
4. Relief/Workaround

There is no workaround. See "Resolution" below.
5. Resolution

This issue is addressed in the following releases:

OpenOffice.org 2.3
Comment 1 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-17 14:08:44 UTC
Yes, well known ;) 

app-office/openoffice-bin-2.3 is already in the tree, so please test this for marking stable

app-office/openoffice-2.3: I'm working on this atm. It will come in the tree asap; depends on how successful I am in fixing the remaining problems.
Comment 2 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-18 07:20:09 UTC
app-office/openoffice-2.3.0 is in the tree now, too
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-09-18 10:16:40 UTC
Thanks, Andreas.

Arches, please test and mark stable:
app-office/openoffice-bin-2.3.0: targets are "amd64 x86"
app-office/openoffice-2.3.0: targets are "ppc x86"
Comment 4 Christoph Mende (RETIRED) gentoo-dev 2007-09-18 11:28:40 UTC
amd64 stable
Comment 5 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-18 11:37:55 UTC
(In reply to comment #2)
> app-office/openoffice-2.3.0 is in the tree now, too
> 

Just to note: I've just done a little update to the ebuild, using a newer ooo-build-release, as the old one still showed the 2.2-splash-screen.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-18 21:19:13 UTC
-bin stable on x86
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-19 13:01:13 UTC
=============
Building project oox
=============
/var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/oox/source/token
mkout -- version: 1.7
/usr/bin/perl gentoken.pl tokens.txt ../../unxlngi6.pro/inc/tokens.hxx ../../unxlngi6.pro/misc/tokens.gperf
gperf --compare-strncmp --output-file=../../unxlngi6.pro/misc/_tokens.cxx ../../unxlngi6.pro/misc/tokens.gperf
dmake:  Error: -- gperf: No such file or directory
dmake:  Error code -1, while making '../../unxlngi6.pro/inc/tokens.cxx'
---* tg_merge.mk *---

ERROR: Error 65280 occurred while making /var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/oox/source/token
make: *** [stamp/build] Error 1


This seems to go away (new compile not finished yet) when emerging dev-util/gperf.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-19 16:21:13 UTC
Doesn't build on ppc (bundled STLport)

g++ -D_REENTRANT -DGXX_INCLUDE_PATH=/usr/lib/gcc/powerpc-unknown-linux-gnu/4.1.2/include/g++-v4 -fexceptions -ftemplate-depth-32 -I../stlport -Wall -W -Wno-sign-compare -Wno-unused -Wno-uninitialized -O2 -mcpu=G4 -mtune=G4 -maltivec -mabi=altivec -fno-strict-aliasing -pipe -D_STLP_STRICT_ANSI -g -fPIC -D_STLP_DEBUG dll_main.cpp -c -o ../lib/obj/GCCppc/DebugSTLD/dll_main.o
../stlport/stl/_vector.h:92: error: template class without a name
../stlport/stl/_vector.h:195: error: expected unqualified-id before 'const'
../stlport/stl/_vector.h:195: error: expected `)' before 'const'
../stlport/stl/_vector.h:198: error: expected `)' before '__n'
../stlport/stl/_vector.h:204: error: expected `)' before '__n'
../stlport/stl/_vector.h:209: error: expected unqualified-id before 'const'
../stlport/stl/_vector.h:209: error: expected `)' before 'const'
../stlport/stl/_vector.h:240: error: expected `)' before '__first'
../stlport/stl/_vector.h:255: error: expected class-name before '__attribute__'
../stlport/stl/_vector.h:257: error: expected unqualified-id before '<' token
../stlport/stl/_vector.h:337: error: expected identifier before '<' token
../stlport/stl/_vector.h:337: error: expected ',' or '...' before '<' token
../stlport/stl/_vector.h: In member function 'void _STLD::<anonymous class><_Tp, _Alloc>::swap(int __vector__)':
../stlport/stl/_vector.h:338: error: '__x' was not declared in this scope
../stlport/stl/_vector.h: At global scope:
../stlport/stl/_vector.h:93: error: an anonymous union cannot have function members
../stlport/stl/_vector.h:546: error: abstract declarator '_STLD::<anonymous class><_Tp, _Alloc>' used as declaration
../stlport/stl/_relops_cont.h:6: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:7: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:7: error: 'bool _STLD::operator==(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:7: error: 'bool _STLD::operator==(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator==(int __vector__)':
../stlport/stl/_relops_cont.h:8: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:8: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:13: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:14: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:14: error: 'bool _STLD::operator<(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:14: error: 'bool _STLD::operator<(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator<(int __vector__)':
../stlport/stl/_relops_cont.h:15: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:16: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator!=(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator!=(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator!=(int __vector__)':
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator>(int __vector__)':
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator<=(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator<=(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator<=(int __vector__)':
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:19: error: expected ',' or '...' before '<' token
../stlport/stl/_relops_cont.h:19: error: ISO C++ forbids declaration of 'parameter' with no type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>=(int __vector__)' must have an argument of class or enumerated type
../stlport/stl/_relops_cont.h:19: error: 'bool _STLD::operator>=(int __vector__)' must take exactly two arguments
../stlport/stl/_relops_cont.h: In function 'bool _STLD::operator>=(int __vector__)':
../stlport/stl/_relops_cont.h:19: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:19: error: '__y' was not declared in this scope
../stlport/stl/_relops_cont.h: At global scope:
../stlport/stl/_relops_cont.h:23: error: variable or field 'swap' declared void
../stlport/stl/_relops_cont.h:23: error: '_STLD::swap' declared as an 'inline' variable
../stlport/stl/_relops_cont.h:23: error: template declaration of 'int _STLD::swap'
../stlport/stl/_relops_cont.h:23: error: expected primary-expression before '__attribute__'
../stlport/stl/_relops_cont.h:23: error: expected primary-expression before '>' token
../stlport/stl/_relops_cont.h:23: error: '__x' was not declared in this scope
../stlport/stl/_relops_cont.h:24: error: expected primary-expression before '__attribute__'
../stlport/stl/_relops_cont.h:24: error: expected primary-expression before '>' token
../stlport/stl/_relops_cont.h:24: error: '__y' was not declared in this scope
../stlport/stl/_vector.c:41: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:57: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:85: error: expected unqualified-id before '<' token
../stlport/stl/_vector.c:110: error: expected unqualified-id before '<' token
../stlport/stl/_bvector.h:298: error: expected identifier before '<' token
../stlport/stl/_bvector.h:298: error: expected unqualified-id before '<' token
../stlport/stl/_bvector.h:791: error: expected unqualified-id before '<' token
../stlport/stl/debug/_vector.h:96: error: expected class-name before '__attribute__'
../stlport/stl/debug/_vector.h:96: error: expected `{' before '__attribute__'
../stlport/stl/debug/_vector.h:96: error: expected unqualified-id before '<' token
dll_main.cpp:172: error: expected identifier before '<' token
dll_main.cpp:172: error: expected unqualified-id before '<' token
dll_main.cpp:174: error: explicit instantiation of 'class _STLD::vector<void*, _STLD::allocator<void*> >' before definition of template
make[1]: *** [../lib/obj/GCCppc/DebugSTLD/dll_main.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/stlport/unxlngppc.pro/misc/build/STLport-4.5/src'
dmake:  Error code 2, while making 'unxlngppc.pro/misc/build/so_built_so_stlport'
---* tg_merge.mk *---

ERROR: Error 65280 occurred while making /var/tmp/portage/app-office/openoffice-2.3.0/work/ooo/build/OOG680_m5/stlport
make: *** [stamp/build] Error 1
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-19 16:37:27 UTC
Ok, that oox failure has been reported (and marked as fixed) in bug 192937.  But actually I don't find the dependency in the ebuild.  OpenOffice team?
Comment 10 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-19 20:32:17 UTC
(In reply to comment #9)
> Ok, that oox failure has been reported (and marked as fixed) in bug 192937. 
> But actually I don't find the dependency in the ebuild.  OpenOffice team?
> 

This is fixed now, sorry for missing this.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-20 07:09:20 UTC
x86 stable, thanks Andreas.

ppc, an attempt has been made to fix your problem.
Comment 12 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-21 06:48:59 UTC
We are getting into a bit of a difficult situation here: ppc still has some building problems, and I'll be on vacation (without internet access) for two weeks starting tomorrow :( Any idea how to handle this?
Comment 13 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-21 08:01:36 UTC
Ok, as openoffice-2.3.0 obviously has more severe building problems on ppc than I can solve before being away, I've now added openoffice-2.2.1-r1 to the tree instead. That's just openoffice-2.2.1 - which seemed to work fine on ppc until now - plus the security fix and one build fix.

I'd propose this for stabilizing on ppc instead (and after that removing the ppc keyword from openoffice-2.3.0 for the time being).
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-21 19:23:47 UTC
(In reply to comment #13)
> Ok, as openoffice-2.3.0 obviously has more severe building problems on ppc than
> I can solve before being away, I've now added openoffice-2.2.1-r1 to the tree
> instead. That's just openoffice-2.2.1 - which seemed to work fine on ppc until
> now - plus the security fix and one build fix.
> 
> I'd propose this for stabilizing on ppc instead (and after that removing the
> ppc keyword from openoffice-2.3.0 for the time being)
> 

Looks like the best solution for now - I'll take a look at openoffice-2.2.1-r1.
Comment 15 Andreas Proschofsky (RETIRED) gentoo-dev 2007-09-22 05:55:27 UTC
Ok, as I'll be away now: Could someone else please also remove the old 2.2.1 ebuild (the vulnerable one) after ppc has stabilized 2.2.1-r1? Hope everything works out fine; I wish this could have been completed before leaving...
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-24 17:21:28 UTC
ppc, please test openoffice 2.2.1-r1 or 2.3.0.
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-25 17:21:13 UTC
openoffice-2.2.1-r1 also seems b0rked for ppc, I'm on my way finding a USE combination which is working ... we might want to issue a temp-glsa mentioning that the problem isn't fixed for ppc yet?

if test -f ../../unxlngppc.pro/slo/cli_uno_glue_version.o ; then touch ../../unxlngppc.pro/slo/cli_uno_glue_version.obj ; fi
cp -p assembly.cs ../../unxlngppc.pro/misc/assembly_cppuhelper.cs
echo ' \
        [assembly:System.Reflection.AssemblyVersion( "1.0.9.0" )] ' \
        ' [assembly:System.Reflection.AssemblyKeyFile("../../unxlngppc.pro/bin/cliuno.snk")] ' \
        >> ../../unxlngppc.pro/misc/assembly_cppuhelper.cs
dmake:  Error: -- `../../../external/cli/cli_types.dll' not found, and can't be made
'---* tg_merge.mk *---'
Comment 18 Lars Weiler (RETIRED) gentoo-dev 2007-09-26 11:45:39 UTC
(In reply to comment #17)
> openoffice-2.2.1-r1 also seems b0rked for ppc, i'm on my way finding a USE
> combination which is working 

I compiled OOo-2.2.1-r1 with the same USE flags (USE="cairo cups dbus eds firefox gnome gstreamer gtk kde ldap pam sound webdav -binfilter -debug -java -mono -odk -seamonkey -xulrunner% (-branding%*)") as I compiled 2.2.1. Everything's fine, besides the nasty bug about

**************************************************
ERROR: ERROR: Could not register all components!
in function: create_services_rdb
**************************************************

which hit us again.
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-26 16:25:25 UTC
(In reply to comment #18)
> I compiled OOo-2.2.1-r1 with the same USE-flags (USE="cairo cups dbus eds
> firefox gnome gstreamer gtk kde ldap pam sound webdav -binfilter -debug -java
> -mono -odk -seamonkey -xulrunner% (-branding%*)") like I compiled 2.2.1. 
> Everything's fine, beside the nasty bug about
> 
> **************************************************
> ERROR: ERROR: Could not register all components!
> in function: create_services_rdb
> **************************************************
> 
> which hit us again.
> 

plus USE="mono" is broken.
Comment 20 Andreas Proschofsky (RETIRED) gentoo-dev 2007-10-08 10:29:53 UTC
(In reply to comment #17)
> openoffice-2.2.1-r1 also seems b0rked for ppc, 

That's bad, even though it seems to work for others. Anyway, this also would mean that 2.2.1 is broken too, as it is 2.2.1-r1 minus the security fix. Weird that I never got a single report about 2.2.1 being broken on ppc in the last months...

Maybe we should move the ppc discussion over to bug #193056; also, could you please provide your emerge info stuff there?
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-17 18:32:22 UTC
ppc any news here?
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-18 05:07:13 UTC
(In reply to comment #21)
> ppc any news here?
> 

We're waiting for #193056
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-20 19:44:36 UTC
ppc stable, finally ready for glsa ... 
Comment 24 Andreas Proschofsky (RETIRED) gentoo-dev 2007-10-21 07:04:32 UTC
I've removed the vulnerable ebuilds from the tree now.
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-24 22:15:38 UTC
GLSA 200710-24, thanks everybody!
Comment 26 subs 2007-12-04 00:21:36 UTC
(In reply to comment #4)
> amd64 stable
> 

Still showing as soft masked here. All of the dependencies are now stable and I've been running 2.3.0 on amd64 for a long while without any issues. Can we get it marked as stable?
Comment 27 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 00:39:25 UTC
(In reply to comment #26)
> (In reply to comment #4)
> > amd64 stable
> Still showing as soft masked here. All of the dependencies are now stable and
> I've been running 2.3.0 on amd64 for a long while without any issues. Can we
> get it marked as stable.

That comment was about stabling openoffice-bin, not openoffice. Since openoffice was not amd64-stable before, there is no reason to stable a new version on a security bug. If your comment was a wish to generally stable openoffice on amd64, please open a separate bug about it. I'd still guess there is a reason it is not stable.