Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 47926 - app-office/openoffice* : Neon Client Code Format String Vulnerabilities
Summary: app-office/openoffice* : Neon Client Code Format String Vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High enhancement (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] koon
Depends on:
Reported: 2004-04-15 07:57 UTC by schaedpq
Modified: 2011-10-30 22:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
koon: Assigned_To? (koon)

patch to fix 1.0.x versions of OOo, replaces neon.patch (neon.patch-ooo-1.0.x,12.67 KB, patch)
2004-04-15 07:59 UTC, schaedpq
no flags Details | Diff
Fixes format string vulnerabilities in internal neon, replace current neon.patch (neon.patch,11.94 KB, patch)
2004-04-15 08:00 UTC, schaedpq
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description schaedpq 2004-04-15 07:57:22 UTC
Excerpt from the OpenOffice bugtracking system:
When used with a vulnerable version of Neon, OOo is susceptible to buffer
overflows from malicious DAV servers. (OpenOffice 1.0.x and 1.1.x) are affected.)

Reproducible: Didn't try
Steps to Reproduce:

The issue in the OpenOffice bugtracking system:

There is also an advisory from Secunia:
CVE reference:

This is obiously relatied to bug 47799 but I think it is not dependent because
OpenOffice seem to use its own copy of the neon lib.

Workaround is not to use OpenOffice to connect to untrusted DAV-Servers.

There are patches for OpenOffice 1.0.x and 1.1.x in the OpenOffice bugtracker, I
will attach them to this bug.
Comment 1 schaedpq 2004-04-15 07:59:53 UTC
Created attachment 29342 [details, diff]
patch to fix 1.0.x versions of OOo, replaces neon.patch
Comment 2 schaedpq 2004-04-15 08:00:51 UTC
Created attachment 29343 [details, diff]
Fixes format string vulnerabilities in internal neon, replace current neon.patch
Comment 3 schaedpq 2004-04-15 08:02:09 UTC
Comment on attachment 29343 [details, diff]
Fixes format string vulnerabilities in internal neon, replace current neon.patch

OK, this would be the fix for OpenOffice 1.1.x, I just forgot to mention it.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-04-23 07:11:48 UTC
OpenOffice folks : your opinion on this one ?
Do you think this patch can make it in a Gentoo openoffice[-bin] release ?

Comment 5 Andreas Proschofsky (RETIRED) gentoo-dev 2004-04-23 08:26:21 UTC
The patches provided here won't work, as they are for files in a tarball, but anyway, I will do patches for the source versions. Regarding -bin-versions there's not a lot we can do instead of waiting for the OOo-people to release an update version...
Comment 6 solar (RETIRED) gentoo-dev 2004-04-23 09:52:55 UTC
Is there any reason why gentoo could not provide a (-bin-version) for 
this pkg?

If no viable upgrade path exists and it does not look like oo upstream 
is going to be jumping on putting out a new version then I'd personaly
want to pkg mask the offending program (-bin-version only) in this case,
solely in order to keep more people from installing it.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-04-24 02:02:46 UTC
In my understanding, openoffice-bin is a packaging of the official binary from, so if they don't release a new version, Gentoo can't have one either.

As for masking : openoffice-bin is a widely used package and the vulnerability is very difficult to exploit (set up a malicious DAV server and convince people to connect to it ?), so I'm not sure.

Comment 8 Andreas Proschofsky (RETIRED) gentoo-dev 2004-04-24 04:01:29 UTC
I've now added the patch to the 1.1.x versions of openoffice and openoffice-ximian in cvs. As I've never handled a security related bug before: Should I rev-bump all versions now? Even for such big packages as OOo?

About -bin: I would vote strongly against hardmasking them. I know this is an unfortunate situation, but too many people are using it, as not everybody has the possibilty to compile it (or wants to wait for a day on slower hardware). I think we could add a warning at the end of the emerge process as a workaround.

About why we don't provide our own bins: Because it's a lot of work, if someone wants to take this on, fine ;-)
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-04-25 03:40:09 UTC
Yes, you should rev-bump, otherwise we can't issue a GLSA on this. 

On openoffice-bin, I agree hard masking is maybe overkill, but others may have other opinions. My point of view is that we can talk about it in the partial GLSA we will issue, sth like "you use untrusted DAV servers, if you want to be protected, drop openoffice-bin, use openoffice instead" ?
Comment 10 Andreas Proschofsky (RETIRED) gentoo-dev 2004-04-25 04:45:06 UTC
Ok rev-bumped everything, the version table is

for OOo:

1.1.0-r2 > 1.1.0-r4
1.1.0-r3 > 1.1.0-r5
1.1.1 > 1.1.1-r1

for OOo-ximian:

1.1.51 > 1.1.51-r1

The latest OOo-ximian-version (1.1.53) already includes the patch, so no need to do anything about that.

About the bin: Just want to mention that the latest ooo-ximian-bin is also vulnerable
Comment 11 Kurt Lieber (RETIRED) gentoo-dev 2004-04-27 13:50:31 UTC
OK, so my suggestion is to list OOo-bin as an affected package in the GLSA and then make it clear in the description that folks only need to worry about this bug if they use untrusted webdav servers.  The fix then would be for OOo-bin people to upgrade to OO-source.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-05-05 02:30:02 UTC
I have a doubt on the 1.0.3-r1 version (apparently latest stable on ppc). Does it include the security fix ? If it does, it should probably be rev-bumped to 1.0.3-r2 ?

Current unaffected/affected table :
x86 affected: openoffice <= 1.1.1, openoffice-ximian <= 1.1.51, openoffice-bin <= 1.1.1, openoffice-ximian-bin <= 1.1.52
x86 unaffected: openoffice >= 1.1.1-r1, openoffice-ximian >= 1.1.51-r1
ppc affected: openoffice <= 1.0.3-r1 ??, openoffice-ximian <= 1.1.51, openoffice-bin <= 1.1.1
ppc unaffected: openoffice >= 1.0.3-r1 ??, openoffice-ximian >= 1.1.51-r1
sparc affected: openoffice <= 1.1.0-r3
sparc unaffected: openoffice >= 1.1.0-r4
amd64 affected: openoffice-bin <= 1.1.1
amd64 unaffected: none...

so we have a problem on amd64 because there is no source build in portage.
Comment 13 Andreas Proschofsky (RETIRED) gentoo-dev 2004-05-05 03:00:09 UTC
@Koon: Ooops, missed that one, 1.0.3-r2 is now in and includes the fix
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-05-05 05:16:49 UTC
GLSA drafted -- security@go : please review carefully as this one is rather complicated, in particular you should check that it doesn't break glsa-check :)
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-05-13 09:25:21 UTC
GLSA 200405-04
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-06-20 01:37:29 UTC
Reopening bug as OpenOffice 1.1.2 is out and lists CAN-2004-0179 in the fixed bugs list :

Using this bug to track that when oo-bin versions will be out, we will have to update GLSA 200405-04.
Comment 17 Andreas Proschofsky (RETIRED) gentoo-dev 2004-06-20 05:34:07 UTC
ooo-bin-1.1.2 is already in the tree since a few days
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-06-20 08:56:24 UTC
Great !

Do you know the status of ximian-openoffice-bin, is there a version we could put in ~x86 that includes the Neon fix ? Or should we just edit the GLSA about openoffice-bin only ?
Comment 19 Andreas Proschofsky (RETIRED) gentoo-dev 2004-06-20 14:44:51 UTC
not at the moment I am afraid, as 1.1.2 is now out I hope for a new version soon though, but we are depending on Ximian/Novell for that, so no timeline I can give you...
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2004-06-22 10:29:32 UTC
The GLSA will have to be updated when openoffice-bin-1.1.2 meets at least the following keywords : "x86 ppc ~amd64", and/or when a ximian-openoffice-bin based on 1.1.2 meets "~x86".
Comment 21 Paul de Vrieze (RETIRED) gentoo-dev 2004-09-13 06:25:20 UTC
Koon, as would be expected the -bin release now meets these keywords
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-09-13 10:37:52 UTC
openoffice-bin-1.1.2 currently has "x86 ~amd64" and needs "x86 ppc ~amd64"
openoffice-ximian-bin-1.1.53 (latest) is not 1.1.2-based

I didn't push ppc to mark stable on this since we have a temporary GLSA already and it would just be a silent GLSA update. If you feel confident they can make it I will ask them.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 13:37:07 UTC
GLSA 200405-04:02 now includes openoffice-bin 1.1.2 fixed version.