SecurityTracker Alert ID: 1011205
SecurityTracker URL: http://securitytracker.com/id?1011205
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 10 2004
Impact: Disclosure of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 1.1.2
Description: A vulnerability was reported in OpenOffice. A local user may be able to obtain documents belonging to another local user. pmladek reported that the software uses insecure temporary files. When started, OpenOffice creates a world-readable temporary directory ('/tmp/sv<RAND>.tmp'). When an OpenOffice file is saved, a compressed version (zip file) is saved in the temporary directory. A local user can access the temporary directory and obtain the file.
Impact: A local user can obtain information belonging to another local user.
Solution: The vendor has issued a fix, available via CVS.
Vendor URL: www.openoffice.org/issues/show_bug.cgi?id=33357
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Message History: None.
Reproducible: Always
Steps to Reproduce:
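The exposure described in the advisory can be checked for on a host by looking at the permission bits of directories matching the `sv<RAND>.tmp` name shape. The following is an added example, not code from OpenOffice or from the advisory; the directory names, the 0755 mode standing in for "world-readable", and the sandbox root used in place of `/tmp` are assumptions.

```python
import os
import stat
import tempfile
from fnmatch import fnmatch

PATTERN = "sv*.tmp"  # name shape quoted in the advisory ('/tmp/sv<RAND>.tmp')


def exposed_temp_dirs(root, pattern=PATTERN):
    """Return matching directories under root that group or other can access."""
    exposed = []
    for entry in os.scandir(root):
        if not fnmatch(entry.name, pattern):
            continue
        st = entry.stat(follow_symlinks=False)  # do not follow planted symlinks
        if not stat.S_ISDIR(st.st_mode):
            continue
        # Any group/other bit on the directory lets another local user
        # list it or reach the files saved inside it.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            exposed.append(entry.name)
    return sorted(exposed)


def demo():
    """Build a sandbox with one weak and one private directory, then audit it."""
    with tempfile.TemporaryDirectory() as root:  # sandbox standing in for /tmp
        # Weak form: constructed name, mode 0755 (assumed; what mkdir gives
        # under the common umask 022).
        weak = os.path.join(root, "sv1a2b.tmp")
        os.mkdir(weak)
        os.chmod(weak, 0o755)
        with open(os.path.join(weak, "doc.zip"), "wb") as fh:
            fh.write(b"PK constructed sample")  # stands in for the saved zip

        # Private form: mkdtemp creates the directory with mode 0700,
        # so only the owner can enter it.
        private = tempfile.mkdtemp(prefix="sv", suffix=".tmp", dir=root)
        private_mode = stat.S_IMODE(os.stat(private).st_mode)

        return exposed_temp_dirs(root), private_mode


if __name__ == "__main__":
    flagged, mode = demo()
    print("exposed:", flagged, "private dir mode:", oct(mode))
```

Calling `exposed_temp_dirs("/tmp")` on a multi-user system lists any such directories that other local accounts can still reach.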
OpenOffice team, please confirm fix
see also http://secunia.com/advisories/12302/
CAN-2004-0752 fixed for Red Hat (RHSA-2004:446-08)
SA12302: "Solution: The vulnerability has been fixed in Product Update 3 for StarOffice and a release candidate of OpenOffice 1.1.3."
OpenOffice team, please comment on the status of a fix for this
To me this really is a minor issue, I think we can wait until 1.1.3 is out.
setting status to [upstream] 1.1.3 seems to be coming soon
This is already fixed in openoffice-ximian-1.3.4
Mandrake just released their fix: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:103
going back to ebuild status, since 1.1.3 has been released
OpenOffice team, could you please comment on the bug when the OOo ebuilds have reached stable security, any votes on a GLSA since this is rated B4?
I think we should issue a GLSA. This package is very common, it leaks complete documents and is really easy. RedHat and Mandrake released advisories on this too.
Oops... well actually time for some testing and stable marking... Since only 1.1.2 is said to be affected, we will need the following:
  openoffice-bin-1.1.3: current KEYWORDS="~x86" target KEYWORDS="x86 amd64"
  openoffice-1.1.3: current KEYWORDS="~x86" target KEYWORDS="x86"
  _____
  openoffice-ximian-1.3.4: target KEYWORDS="~x86 ~ppc" reached already
  openoffice-ximian-bin only has 1.1.53, no work needed either
stable on amd64
Any progress on marking this stable on x86 so far? This has been in [stable] status for 5 days and has been opened about a month ago already.
openoffice and openoffice-bin 1.1.3 are now stable on x86, still there is a lot to do:
  *) Need to mark a newer openoffice-ximian stable on x86, the current stable doesn't have the fix. Just committed a new version into unstable which I hope to mark stable in the next few days.
  *) There is no version of openoffice-ximian-bin which is not vulnerable, as we are depending on upstream binaries (in this case from Ximian) and there is no newer version, I am going to mask it as a whole in package.mask until we get a newer binary
  *) Other archs will have to check all three packages:
     openoffice-bin: ppc (now at 1.1.1)
     openoffice: sparc (1.1.0-r4), ppc (1.0.3-r2!)
     openoffice-ximian: ppc (1.1.55), sparc (1.1.61)
openoffice-ximian-bin is now masked, people should upgrade to a recent openoffice-ximian
Arches... please test and mark stable if possible... to be on the safe side we should end up with:
  openoffice-1.1.3: current KEYWORDS="x86" target KEYWORDS="x86 sparc ppc"
  openoffice-bin-1.1.3: current KEYWORDS="x86 amd64" target KEYWORDS="x86 amd64 ppc"
  openoffice-ximian-1.3.5-r1: current KEYWORDS="~x86 ~ppc" target KEYWORDS="x86 ppc sparc"
Hmmm... In fact we don't need as much, since only 1.1.2 versions are affected. openoffice and openoffice-bin already have the necessary keywords! For openoffice-ximian it's slightly more complicated, as we don't "see" the oo version used. In fact we have:
  1.1.55 -> 1.1.1 (unaffected)
  1.1.61 -> 1.1.2 (affected)
  1.3.4, 1.3.5 -> 1.1.2 but patched (unaffected)
So we just need for openoffice-ximian-1.3.5-r1: current KEYWORDS="~x86 ~ppc" target KEYWORDS="x86 ~ppc sparc"
All in all, only x86 and sparc still have keywording work (removing ppc). However, all arches can/should test and mark stable the latest version if they can.
So just to be straight, regular plain old openoffice-1.1.1 is not vulnerable, correct? I'm just asking as 1.1.2 and 1.1.3 have build problems on sparc right now and on a good day when things do compile, it takes about 36 hours or so to build.
Yes, 1.1.1 OO.org (and 1.1.1-derived ximian-OO.org) is not vulnerable. The ppc/gcc3.4/OO113.org build problem does not block this security bug.
Just marked openoffice-ximian 1.3.5-r1 stable, so x86 should be fine
openoffice-ximian-1.3.5-r1 stable on sparc.
So we should be set... vorlon, please draft :)
Andreas, wrt comment #15, ximian-openoffice-bin-1.1.53 is 1.1.1-based, right ? So it wouldn't be affected by this vulnerability ? If so, there would be no need for security masking (feel free to keep the mask for other reasons). Please confirm as our GLSA contents depend on it...
@Koon: Yes you are right, my fault, will unmask it again. Thanks for noting
GLSA 200410-17