Date: Tue, 14 Sep 2004 18:04:58 -0400 From: Joe Marcus Clarke <marcus@marcuscom.com> To: NAKATA Maho <chat95@mac.com> Cc: portmgr@FreeBSD.org Subject: Re: openoffice --- document disclosure Message-ID: <41476B0A.3060405@marcuscom.com> In-Reply-To: <20040915.064258.730550294.chat95@mac.com> References: <20040914022410.GA83483@madman.celabo.org> <20040915.064258.730550294.chat95@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NAKATA Maho wrote: | In Message-ID: <20040914022410.GA83483@madman.celabo.org> | "Jacques A. Vidrine" <nectar@FreeBSD.org> wrote: | | Hello nectar, and portmgr | | portmger: I would like to fix this problem as soon as possible, | I confirmed that this security vulenrablity was fixed with patch. | please approve | o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir | change Makefile to: | o fcvs diff -u Makefile | Index: Makefile | =================================================================== | RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v | retrieving revision 1.164 | diff -u -r1.164 Makefile | --- Makefile 31 Aug 2004 12:09:57 -0000 1.164 | +++ Makefile 14 Sep 2004 21:42:23 -0000 | @@ -36,6 +36,8 @@ | USE_BISON= yes | USE_GMAKE= yes | USE_REINPLACE= yes | +#mozilla 1.0 seems to have security vulnerability | +WITHOUT_MOZILLA= yes | | .if !defined(WITHOUT_JAVA) | USE_JAVA= 1.4+ | | ---------------------------------------------------------------------- | |>This issue seems reasonably serious to me: |>http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html | | okay. thank you very much for your report. | | One point. | Affected packages | 0 <= ar-openoffice | 0 <= ca-openoffice | 0 <= cs-openoffice | 0 <= de-openoffice | 0 <= dk-openoffice | 0 <= el-openoffice | 0 <= es-openoffice | 0 <= et-openoffice | 0 <= fi-openoffice | 0 <= fr-openoffice | 0 <= gr-openoffice | 0 <= hu-openoffice | 0 <= it-openoffice | 0 <= ja-openoffice | 0 <= ko-openoffice | 0 <= nl-openoffice | 0 <= openoffice | 0 <= pl-openoffice | 0 <= pt-openoffice | 0 <= pt_BR-openoffice | 0 <= ru-openoffice | 0 <= se-openoffice | 0 <= sk-openoffice | 0 <= sl-openoffice-SI | 0 <= tr-openoffice | 0 <= zh-openoffice-CN | 0 <= zh-openoffice-TW | | openoffice and not openoffice-1.1? | I think they should be *-openoffice-1.1-*. | Currently I don't want to maintain OOo 1.0.3 ports since | they shoule be obsolated, also openoffice-1.0 might not | build for 5.3-RELEASE since there is a change in make(1). | | |>Is it possible to have the OpenOffice ports patched before 5.3-RELEASE? | | | I will commit the patch (slightly changed, though) by mmeeks | at the IZ: http://www.openoffice.org/issues/show_bug.cgi?id=33357 | | This patch was committed and confirmed that this risk is avoided. | 1. Launch OpenOffice. | 2. List /tmp contents. Locate the directory 'sv*.tmp' | 3. Type in some contents in the document and save it. | 4. List the contents of the directory /tmp/sv*.tmp/ | 5. Do not close OpenOffice. 'su' to a different user. | 6. Copy the file under /tmp/sv*.tmp/ to home directory. | -> Now Permission denied. | | BTW: | OOo uses mozilla 1.0 runtime, and it also has security vulnerability. | portsaudit tells and some discussios somewhere at opneoffice@freebsd.org | and freebsd-users-jp@jp.freebsd.org (in Japanese). | I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also. Approved. Joe | | http://www.FreeBSD.org/ports/portaudit/730db824-e216-11d8-9b0a-000347a4fa7d.html | http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html | http://www.FreeBSD.org/ports/portaudit/abe47a5a-e23c-11d8-9b0a-000347a4fa7d.html | | Best regards, | --nakata maho | | - -- PGP Key : http://www.marcuscom.com/pgp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBR2sKb2iPiv4Uz4cRAupIAJ4i8lsKj4gJzS/ufyDR9c+KaszC7QCgkW5J QLXCGH+66cHPfJ7mT6yJhkA= =wUXQ -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41476B0A.3060405>