200771 – (CVE-2007-4575) app-office/openoffice(-bin) < 2.3.1 HSQLDB database Java code execution (CVE-2007-4575)

Bug 200771 (CVE-2007-4575) - app-office/openoffice(-bin) < 2.3.1 HSQLDB database Java code execution (CVE-2007-4575)

Summary: app-office/openoffice(-bin) < 2.3.1 HSQLDB database Java code execution (CVE-...

Status:	RESOLVED FIXED

Alias:	CVE-2007-4575

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/27928/
Whiteboard:	A2 [glsa]
Keywords:

Duplicates (1):	201338 (view as bug list)
Depends on:
Blocks:

Reported:	2007-11-29 20:11 UTC by Robert Buchholz (RETIRED)
Modified:	2008-03-06 09:52 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2007-11-29 20:11:31 UTC

Thomas Biege:
  A security vulnerability in HSQLDB, the default database engine shipped
  with OpenOffice.org, may allow a remote unprivileged user who provides a
  StarOffice database document that is opened by a local user to execute
  arbitrary Java code on the system with the privileges of the user
  running OpenOffice.org.

Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-05 10:27:14 UTC

*** Bug 201338 has been marked as a duplicate of this bug. ***

Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-05 10:29:30 UTC

public now. Openoffice herd, please provide an updated ebuild.

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2007-12-05 10:39:37 UTC

We have it in the tree.

Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-05 10:46:03 UTC

Arches(In reply to comment #3)
> We have it in the tree.
> 
oops :)
Arches, please test and mark stable ap-office/openoffice-2.3.1 (ppc x86) and app-office/openoffice-bin-2.3.1 (amd64 x86)

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2007-12-06 07:47:20 UTC

-bin stable for x86, source to come (in some hours, anyone else can do it meanwhile)

Comment 6 Christian Faulhammer (RETIRED) gentoo-dev

2007-12-06 19:00:07 UTC

x86 stable

Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev

2007-12-06 21:29:51 UTC

ppc stable

Comment 8 Peter Weller (RETIRED) gentoo-dev

2007-12-08 22:02:04 UTC

amd64 done

Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-08 23:31:06 UTC

glsarequestfiled

Comment 10 Andreas Proschofsky (RETIRED) gentoo-dev

2007-12-09 00:16:39 UTC

Vulnerable ebuilds are gone from the tree

Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-30 18:32:05 UTC

GLSA 200712-25, thanks everyone.

Comment 12 Peter Volkov (RETIRED) gentoo-dev

2008-03-06 09:52:40 UTC

Does not affect current (2008.0) release. Removing release.