Bug 47926 - app-office/openoffice* : Neon Client Code Format String Vulnerabilities
Summary: app-office/openoffice* : Neon Client Code Format String Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://www.openoffice.org/issues/show...
Whiteboard: B2 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-15 07:57 UTC by schaedpq
Modified: 2011-10-30 22:41 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
patch to fix 1.0.x versions of OOo, replaces neon.patch (neon.patch-ooo-1.0.x,12.67 KB, patch)
2004-04-15 07:59 UTC, schaedpq
Fixes format string vulnerabilities in internal neon, replace current neon.patch (neon.patch,11.94 KB, patch)
2004-04-15 08:00 UTC, schaedpq

Description schaedpq 2004-04-15 07:57:22 UTC
Excerpt from the OpenOffice bugtracking system:
When used with a vulnerable version of Neon, OOo is susceptible to buffer
overflows from malicious DAV servers. (OpenOffice 1.0.x and 1.1.x are affected.)

Reproducible: Didn't try
The issue in the OpenOffice bugtracking system:
http://www.openoffice.org/issues/show_bug.cgi?id=27789

There is also an advisory from Secunia: http://secunia.com/advisories/11364/
CVE reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0179

This is obviously related to bug 47799, but I think it is not dependent because
OpenOffice seems to use its own copy of the neon lib.
(http://secunia.com/advisories/11363/)

Workaround is not to use OpenOffice to connect to untrusted DAV-Servers.

There are patches for OpenOffice 1.0.x and 1.1.x in the OpenOffice bugtracker, I
will attach them to this bug.
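The report above describes the bug class: text supplied by a remote WebDAV server (a status-line reason phrase, for instance) ends up as the format argument of a printf-family call in the client. The following is an added, constructed example written for this page, not code from neon or OpenOffice; the sample reason phrase, the `set_session_error` helper and the two `report_error_*` call sites are hypothetical. It shows the vulnerable call site next to the hardened one, plus a small check that counts conversion specifiers in server-controlled strings, which is a cheap way to spot dangerous inputs when triaging or fuzzing a client.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the reason phrase a malicious WebDAV server might put
   in its status line. Each %x would consume a stack slot and %n would write
   to memory if this string were ever used as a format. Hypothetical data. */
static const char SERVER_REASON[] = "Forbidden %x %x %x %n";

/* Count printf conversions in a string ("%%" is a literal percent, not a
   conversion). A non-zero result for server-controlled data means the
   string must never reach a format parameter. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hypothetical error-reporting helper in the style of a client library:
   it takes a format plus arguments, exactly the kind of API that gets
   misused when callers hand it server text directly. */
int set_session_error(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE call site: the server's text becomes the format string.
   With SERVER_REASON this would read stack memory and attempt a write
   through %n (undefined behaviour), so this demo only ever calls it with
   a conversion-free string. Shown for contrast; do not use. */
int report_error_vulnerable(char *out, size_t len, const char *reason)
{
    return set_session_error(out, len, reason);
}

/* HARDENED call site: a fixed format, server text passed as a %s argument.
   The attacker's %x/%n sequences are copied verbatim and never interpreted. */
static char g_message[256];
const char *report_error_hardened(const char *reason)
{
    set_session_error(g_message, sizeof g_message,
                      "WebDAV server error: %s", reason);
    return g_message;
}

int main(void)
{
    char out[128];

    printf("conversions in server reason: %d\n",
           count_conversions(SERVER_REASON));
    printf("hardened: %s\n", report_error_hardened(SERVER_REASON));

    /* benign input only, so the vulnerable path runs without UB */
    report_error_vulnerable(out, sizeof out, "Forbidden");
    printf("vulnerable (benign input): %s\n", out);
    return 0;
}
```

The fix in the hardened call site is the same one the patches attached to this bug apply in spirit: every place a remote string could reach a format parameter gets an explicit `"%s"`. Compiling with `-Wformat-security` flags direct non-literal formats, but it does not catch the wrapper pattern above unless the helper is annotated with `__attribute__((format(printf, 3, 4)))`, which is worth adding to any such helper.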
Comment 1 schaedpq 2004-04-15 07:59:53 UTC
Created attachment 29342
patch to fix 1.0.x versions of OOo, replaces neon.patch
Comment 2 schaedpq 2004-04-15 08:00:51 UTC
Created attachment 29343
Fixes format string vulnerabilities in internal neon, replace current neon.patch
Comment 3 schaedpq 2004-04-15 08:02:09 UTC
Comment on attachment 29343
Fixes format string vulnerabilities in internal neon, replace current neon.patch

OK, this would be the fix for OpenOffice 1.1.x, I just forgot to mention it.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-04-23 07:11:48 UTC
OpenOffice folks : your opinion on this one ?
Do you think this patch can make it in a Gentoo openoffice[-bin] release ?

-K
Comment 5 Andreas Proschofsky (RETIRED) gentoo-dev 2004-04-23 08:26:21 UTC
The patches provided here won't work, as they are for files in a tarball, but anyway, I will do patches for the source versions. Regarding -bin versions there's not a lot we can do instead of waiting for the OOo people to release an updated version...
Comment 6 solar (RETIRED) gentoo-dev 2004-04-23 09:52:55 UTC
Is there any reason why gentoo could not provide a (-bin-version) for 
this pkg?

If no viable upgrade path exists and it does not look like OOo upstream
is going to be jumping on putting out a new version, then I'd personally
want to pkg mask the offending program (-bin version only) in this case,
solely in order to keep more people from installing it.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-04-24 02:02:46 UTC
In my understanding, openoffice-bin is a packaging of the official binary from Oo.org, so if they don't release a new version, Gentoo can't have one either.

As for masking : openoffice-bin is a widely used package and the vulnerability is very difficult to exploit (set up a malicious DAV server and convince people to connect to it ?), so I'm not sure.

-K
Comment 8 Andreas Proschofsky (RETIRED) gentoo-dev 2004-04-24 04:01:29 UTC
I've now added the patch to the 1.1.x versions of openoffice and openoffice-ximian in cvs. As I've never handled a security-related bug before: should I rev-bump all versions now? Even for such big packages as OOo?

About -bin: I would vote strongly against hardmasking them. I know this is an unfortunate situation, but too many people are using it, as not everybody has the possibility to compile it (or wants to wait for a day on slower hardware). I think we could add a warning at the end of the emerge process as a workaround.

About why we don't provide our own bins: Because it's a lot of work, if someone wants to take this on, fine ;-)
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-04-25 03:40:09 UTC
suka:
Yes, you should rev-bump, otherwise we can't issue a GLSA on this. 

On openoffice-bin, I agree hard masking is maybe overkill, but others may have other opinions. My point of view is that we can talk about it in the partial GLSA we will issue, something like "you use untrusted DAV servers; if you want to be protected, drop openoffice-bin, use openoffice instead"?
Comment 10 Andreas Proschofsky (RETIRED) gentoo-dev 2004-04-25 04:45:06 UTC
Ok rev-bumped everything, the version table is

for OOo:

1.1.0-r2 > 1.1.0-r4
1.1.0-r3 > 1.1.0-r5
1.1.1 > 1.1.1-r1

for OOo-ximian:

1.1.51 > 1.1.51-r1

The latest OOo-ximian-version (1.1.53) already includes the patch, so no need to do anything about that.

About the bin: Just want to mention that the latest ooo-ximian-bin is also vulnerable
Comment 11 Kurt Lieber (RETIRED) gentoo-dev 2004-04-27 13:50:31 UTC
OK, so my suggestion is to list OOo-bin as an affected package in the GLSA and then make it clear in the description that folks only need to worry about this bug if they use untrusted webdav servers.  The fix then would be for OOo-bin people to upgrade to OO-source.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-05-05 02:30:02 UTC
suka:
I have a doubt on the 1.0.3-r1 version (apparently latest stable on ppc). Does it include the security fix ? If it does, it should probably be rev-bumped to 1.0.3-r2 ?

Current unaffected/affected table :
x86 affected: openoffice <= 1.1.1, openoffice-ximian <= 1.1.51, openoffice-bin <= 1.1.1, openoffice-ximian-bin <= 1.1.52
x86 unaffected: openoffice >= 1.1.1-r1, openoffice-ximian >= 1.1.51-r1
ppc affected: openoffice <= 1.0.3-r1 ??, openoffice-ximian <= 1.1.51, openoffice-bin <= 1.1.1
ppc unaffected: openoffice >= 1.0.3-r1 ??, openoffice-ximian >= 1.1.51-r1
sparc affected: openoffice <= 1.1.0-r3
sparc unaffected: openoffice >= 1.1.0-r4
amd64 affected: openoffice-bin <= 1.1.1
amd64 unaffected: none...

so we have a problem on amd64 because there is no source build in portage.
Comment 13 Andreas Proschofsky (RETIRED) gentoo-dev 2004-05-05 03:00:09 UTC
@Koon: Ooops, missed that one, 1.0.3-r2 is now in and includes the fix
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-05-05 05:16:49 UTC
GLSA drafted -- security@go : please review carefully as this one is rather complicated, in particular you should check that it doesn't break glsa-check :)
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-05-13 09:25:21 UTC
GLSA 200405-04
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-06-20 01:37:29 UTC
Reopening bug as OpenOffice 1.1.2 is out and lists CAN-2004-0179 in the fixed bugs list :
http://download.openoffice.org/1.1.2/release_notes_1.1.2.html

Using this bug to track that when oo-bin versions are out, we will have to update GLSA 200405-04.
Comment 17 Andreas Proschofsky (RETIRED) gentoo-dev 2004-06-20 05:34:07 UTC
ooo-bin-1.1.2 is already in the tree since a few days
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-06-20 08:56:24 UTC
Great !

Do you know the status of ximian-openoffice-bin, is there a version we could put in ~x86 that includes the Neon fix ? Or should we just edit the GLSA about openoffice-bin only ?
Comment 19 Andreas Proschofsky (RETIRED) gentoo-dev 2004-06-20 14:44:51 UTC
Not at the moment, I am afraid. As 1.1.2 is now out I hope for a new version soon, though, but we are depending on Ximian/Novell for that, so there is no timeline I can give you...
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2004-06-22 10:29:32 UTC
The GLSA will have to be updated when openoffice-bin-1.1.2 meets at least the following keywords : "x86 ppc ~amd64", and/or when a ximian-openoffice-bin based on 1.1.2 meets "~x86".
Comment 21 Paul de Vrieze (RETIRED) gentoo-dev 2004-09-13 06:25:20 UTC
Koon, as would be expected, the -bin release now meets these keywords
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-09-13 10:37:52 UTC
Paul:
openoffice-bin-1.1.2 currently has "x86 ~amd64" and needs "x86 ppc ~amd64"
openoffice-ximian-bin-1.1.53 (latest) is not 1.1.2-based

I didn't push ppc to mark stable on this since we have a temporary GLSA already and it would just be a silent GLSA update. If you feel confident they can make it I will ask them.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 13:37:07 UTC
GLSA 200405-04:02 now includes openoffice-bin 1.1.2 fixed version.