Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 283370 (CVE-2009-0200) - <app-office/openoffice{,-bin}-3.1.1: Multiple vulnerabilities (CVE-2009-{0200,0201})
Summary: <app-office/openoffice{,-bin}-3.1.1: Multiple vulnerabilities (CVE-2009-{0200...
Status: RESOLVED FIXED
Alias: CVE-2009-0200
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.openoffice.org/servlets/Re...
Whiteboard: A2 [glsa]
Keywords:
: 282164 283492 (view as bug list)
Depends on: 283575
Blocks: CVE-2009-2462
  Show dependency tree
 
Reported: 2009-08-31 22:25 UTC by Alex Legler (RETIRED)
Modified: 2014-08-31 15:20 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-31 22:25:17 UTC
OpenOffice 3.1.1 fixes multiple vulnerabilities. Details will be published on September 11.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2009-09-02 10:13:40 UTC
*** Bug 283492 has been marked as a duplicate of this bug. ***
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2009-09-04 13:18:06 UTC
CVE-2009-0200 and CVE-2009-0201 
Comment 3 Andreas Proschofsky (RETIRED) gentoo-dev 2009-09-04 13:42:29 UTC
Just some status info:

1) New releases are in portage, both for ooo an ooo-bin
2) Both seem quite good to me, as 3.1.1 is a bug fix release only, no major new problems are expected
3) Most critical problem atm is the whole situation around KDE3 / KDE4 support. See bug #283575 and the linked discussion. Not sure how to proceed here.
4) Also ooo-3.1.1 is not yet marked for sparc.
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-06 09:43:35 UTC
CVE-2009-0200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0200):
  Integer underflow in OpenOffice.org (OOo) before 3.1.1 might allow
  remote attackers to execute arbitrary code via crafted records in the
  document table of a Word document, leading to a heap-based buffer
  overflow.

CVE-2009-0201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0201):
  Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 might
  allow remote attackers to execute arbitrary code via unspecified
  records in a crafted Word document, related to "table parsing."

Comment 5 Andreas Proschofsky (RETIRED) gentoo-dev 2009-09-08 18:34:06 UTC
Just a short notice: From my perspective at least openoffice-bin should be very easy to stabilize right now, no big changes, no new dependencies, no big open bugs.
Comment 6 Samuli Suominen gentoo-dev 2009-09-13 09:54:23 UTC
(In reply to comment #3)
> Just some status info:
> 3) Most critical problem atm is the whole situation around KDE3 / KDE4 support.

A ebuild without KDE support entirely, and a next revision with one.
Comment 7 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-09-21 10:39:16 UTC
*** Bug 282164 has been marked as a duplicate of this bug. ***
Comment 8 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-09-21 10:50:52 UTC
Alrighty archs, please stabilize, and from the dependency tree you can see this also blocks xulrunner-1.9.1, and then 10.0

app-office/openoffice-3.1.1     amd64 ppc x86
app-office/openoffice-bin-3.1.1 amd64 x86

Of course you will also need lucene-2.4 stable as well (bug 284325)

amd64+x86: magic word: "10.0" :)
Comment 9 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-09-21 10:51:58 UTC
Dramatic effect lost :p

Arches, please see preceding comment

x86+amd64: magic word "10.0"
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-21 21:02:48 UTC
(In reply to comment #8)
> Of course you will also need lucene-2.4 stable as well (bug 284325)

The ebuild depends on lucene:2.3, which is all ~arch.
Comment 11 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-09-21 23:59:42 UTC
(In reply to comment #10)
> The ebuild depends on lucene:2.3, which is all ~arch.
> 

Sorry about that, my mistake. Here's an updated list:

dev-java/lucene-2.3.2           amd64 ppc x86
dev-java/lucene-analyzers-2.3.2 amd64 ppc x86
app-office/openoffice-3.1.1     amd64 ppc x86
app-office/openoffice-bin-3.1.1 amd64 x86

USE=kde has been masked because it's broken with kdelibs-4.2
All tests pass here for lucene and lucene-analyzers. Sorry for the noise
Comment 12 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-09-22 00:01:38 UTC
PS: I have an ACK from robbat2 about lucene + lucene-analyzers

Again, sorry for the noise :)
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-23 14:17:00 UTC
-bin stable on x86
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-24 07:19:33 UTC
x86 stable
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-26 14:11:59 UTC
amd64 stable.
Comment 16 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-04 16:58:23 UTC
ppc stable, was the last arch.

Ready to be fixed by the security team.
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-04 23:31:54 UTC
GLSA request filed.

nirbheek, why does this block #280393 (which is about firefox, seamonkey and thunderbird)?
Comment 18 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-10-19 01:37:00 UTC
(In reply to comment #17)
> nirbheek, why does this block #280393 (which is about firefox, seamonkey and
> thunderbird)?
> 

That's because older versions of openoffice[nsplugin] did not work with xulrunner-1.9.1, so we needed this stable first. Now that it's stable, it no longer blocks...
Comment 19 Andreas Proschofsky (RETIRED) gentoo-dev 2009-11-25 12:52:20 UTC
What's blocking this? Fixes have been in the tree for quite some time now...
Comment 20 Andreas Proschofsky (RETIRED) gentoo-dev 2010-04-18 13:44:22 UTC
Could we please finally close this? OOo 3.1.1 isn't even in the tree anymore....
Comment 21 Andreas Proschofsky (RETIRED) gentoo-dev 2010-11-11 19:34:46 UTC
ping? why is this still open, was fixed ages ago...
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 15:20:58 UTC
This issue was resolved and addressed in
 GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).