OpenOffice 3.1.1 fixes multiple vulnerabilities. Details will be published on September 11.
*** Bug 283492 has been marked as a duplicate of this bug. ***
CVE-2009-0200 and CVE-2009-0201
Just some status info:
1) New releases are in portage, both for ooo and ooo-bin
2) Both seem quite good to me, as 3.1.1 is a bug fix release only, no major new problems are expected
3) Most critical problem atm is the whole situation around KDE3 / KDE4 support. See bug #283575 and the linked discussion. Not sure how to proceed here.
4) Also ooo-3.1.1 is not yet marked for sparc.
CVE-2009-0200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0200): Integer underflow in OpenOffice.org (OOo) before 3.1.1 might allow remote attackers to execute arbitrary code via crafted records in the document table of a Word document, leading to a heap-based buffer overflow.
CVE-2009-0201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0201): Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 might allow remote attackers to execute arbitrary code via unspecified records in a crafted Word document, related to "table parsing."
Just a short notice: From my perspective at least openoffice-bin should be very easy to stabilize right now, no big changes, no new dependencies, no big open bugs.
(In reply to comment #3)
> Just some status info:
> 3) Most critical problem atm is the whole situation around KDE3 / KDE4 support.
An ebuild without KDE support entirely, and a next revision with one.
*** Bug 282164 has been marked as a duplicate of this bug. ***
Alrighty archs, please stabilize, and from the dependency tree you can see this also blocks xulrunner-1.9.1, and then 10.0
app-office/openoffice-3.1.1 amd64 ppc x86
app-office/openoffice-bin-3.1.1 amd64 x86
Of course you will also need lucene-2.4 stable as well (bug 284325)
amd64+x86: magic word: "10.0" :)
Dramatic effect lost :p
Arches, please see preceding comment
x86+amd64: magic word "10.0"
(In reply to comment #8)
> Of course you will also need lucene-2.4 stable as well (bug 284325)
The ebuild depends on lucene:2.3, which is all ~arch.
(In reply to comment #10)
> The ebuild depends on lucene:2.3, which is all ~arch.
>
Sorry about that, my mistake. Here's an updated list:
dev-java/lucene-2.3.2 amd64 ppc x86
dev-java/lucene-analyzers-2.3.2 amd64 ppc x86
app-office/openoffice-3.1.1 amd64 ppc x86
app-office/openoffice-bin-3.1.1 amd64 x86
USE=kde has been masked because it's broken with kdelibs-4.2
All tests pass here for lucene and lucene-analyzers.
Sorry for the noise
PS: I have an ACK from robbat2 about lucene + lucene-analyzers
Again, sorry for the noise :)
-bin stable on x86
x86 stable
amd64 stable.
ppc stable, was the last arch. Ready to be fixed by the security team.
GLSA request filed. nirbheek, why does this block #280393 (which is about firefox, seamonkey and thunderbird)?
(In reply to comment #17)
> nirbheek, why does this block #280393 (which is about firefox, seamonkey and
> thunderbird)?
>
That's because older versions of openoffice[nsplugin] did not work with xulrunner-1.9.1, so we needed this stable first. Now that it's stable, it no longer blocks...
What's blocking this? Fixes have been in the tree for quite some time now...
Could we please finally close this? OOo 3.1.1 isn't even in the tree anymore....
ping? why is this still open, was fixed ages ago...
This issue was resolved and addressed in GLSA 201408-19 at http://security.gentoo.org/glsa/glsa-201408-19.xml by GLSA coordinator Kristian Fiskerstrand (K_F).