From owner-freebsd-openoffice@FreeBSD.ORG Tue Sep 14 21:43:02 2004
Date: Wed, 15 Sep 2004 06:42:58 +0900 (JST)
Message-Id: <20040915.064258.730550294.chat95@mac.com>
To: nectar@FreeBSD.org, portmgr@FreeBSD.org
From: NAKATA Maho
In-Reply-To: <20040914022410.GA83483@madman.celabo.org>
References: <20040914022410.GA83483@madman.celabo.org>
Organization: private
X-Mailer: Mew version 3.3 on XEmacs 21.4.14 (Reasonable Discussion)
cc: openoffice@FreeBSD.org
Subject: Re: openoffice --- document disclosure
List-Id: Porting OpenOffice to FreeBSD

In Message-ID: <20040914022410.GA83483@madman.celabo.org>
"Jacques A. Vidrine" wrote:

Hello nectar and portmgr:

I would like to fix this problem as soon as possible. I confirmed that this
security vulnerability was fixed with the patch. Please approve:

o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir
o change Makefile to:

fcvs diff -u Makefile
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v
retrieving revision 1.164
diff -u -r1.164 Makefile
--- Makefile 31 Aug 2004 12:09:57 -0000 1.164
+++ Makefile 14 Sep 2004 21:42:23 -0000
@@ -36,6 +36,8 @@
 USE_BISON= yes
 USE_GMAKE= yes
 USE_REINPLACE= yes
+#mozilla 1.0 seems to have security vulnerability
+WITHOUT_MOZILLA= yes
 .if !defined(WITHOUT_JAVA)
 USE_JAVA= 1.4+
----------------------------------------------------------------------

> This issue seems reasonably serious to me:
> http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html

Okay. Thank you very much for your report.

One point.

Affected packages
0 <= ar-openoffice
0 <= ca-openoffice
0 <= cs-openoffice
0 <= de-openoffice
0 <= dk-openoffice
0 <= el-openoffice
0 <= es-openoffice
0 <= et-openoffice
0 <= fi-openoffice
0 <= fr-openoffice
0 <= gr-openoffice
0 <= hu-openoffice
0 <= it-openoffice
0 <= ja-openoffice
0 <= ko-openoffice
0 <= nl-openoffice
0 <= openoffice
0 <= pl-openoffice
0 <= pt-openoffice
0 <= pt_BR-openoffice
0 <= ru-openoffice
0 <= se-openoffice
0 <= sk-openoffice
0 <= sl-openoffice-SI
0 <= tr-openoffice
0 <= zh-openoffice-CN
0 <= zh-openoffice-TW

openoffice and not openoffice-1.1? I think they should be *-openoffice-1.1-*.
Currently I don't want to maintain the OOo 1.0.3 ports since they should be
obsoleted; also openoffice-1.0 might not build for 5.3-RELEASE since there is
a change in make(1).

> Is it possible to have the OpenOffice ports patched before 5.3-RELEASE?

I will commit the patch (slightly changed, though) by mmeeks at the IZ:
http://www.openoffice.org/issues/show_bug.cgi?id=33357

This patch was committed, and I confirmed that this risk is avoided:
1. Launch OpenOffice.
2. List /tmp contents. Locate the directory 'sv*.tmp'.
3. Type in some contents in the document and save it.
4. List the contents of the directory /tmp/sv*.tmp/.
5. Do not close OpenOffice. 'su' to a different user.
6. Copy the file under /tmp/sv*.tmp/ to the home directory.
-> Now: Permission denied.

BTW: OOo uses the mozilla 1.0 runtime, and it also has a security vulnerability.
portaudit reports it, and there were some discussions somewhere on
openoffice@freebsd.org and freebsd-users-jp@jp.freebsd.org (in Japanese).
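Review bot: the `+WITHOUT_MOZILLA= yes` line in the Makefile hunk sets the knob unconditionally, so a user who wants the Mozilla runtime back can no longer opt in through the usual WITHOUT_MOZILLA mechanism without editing the port; consider making it an overridable default, for instance assigning it only when the variable is not already defined, in the same style as the existing `.if !defined(WITHOUT_JAVA)` guard two lines below. The comment `+#mozilla 1.0 seems to have security vulnerability` is also too vague to tell a future maintainer when the workaround can be dropped; cite the portaudit advisory IDs given later in this mail instead of "seems to".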
I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also.
http://www.FreeBSD.org/ports/portaudit/730db824-e216-11d8-9b0a-000347a4fa7d.html
http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html
http://www.FreeBSD.org/ports/portaudit/abe47a5a-e23c-11d8-9b0a-000347a4fa7d.html

Best regards,
--nakata maho
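The six-step check in the mail, as a script (an added example, not code from this mail or from the OpenOffice port): it scans a directory for the 'sv*.tmp' temporary directories OpenOffice creates and reports any whose permission bits would let another local user list or read the document copies kept there. The scan root is a parameter (assumed; /tmp on a real system) and the function exits non-zero when anything is exposed.

```shell
#!/bin/sh
# Added example, not from the original mail or the OpenOffice port.
# Reports OpenOffice 'sv*.tmp' temp directories under $1 whose group/other
# permission bits expose them, plus the readable files inside them.
check_ooo_tmp_dirs() {
    root=$1          # directory to scan (assumed parameter; /tmp in practice)
    exposed=0
    for d in "$root"/sv*.tmp; do
        [ -d "$d" ] || continue
        # Characters 5-10 of 'ls -ld' output are the group and other bits:
        # "drwx------" gives "------", "drwxr-xr-x" gives "r-xr-x".
        grpoth=$(ls -ld "$d" | cut -c5-10)
        if [ "$grpoth" != "------" ]; then
            exposed=1
            echo "EXPOSED DIR $d (group/other bits: $grpoth)"
            # A directory others can enter shields nothing, so also list
            # the files inside it that are group- or world-readable.
            find "$d" -type f \( -perm -040 -o -perm -004 \) |
                sed 's/^/  readable file: /'
        fi
    done
    # Exit status 1 when anything is exposed, so the check can gate scripts.
    return $exposed
}
```

Run `check_ooo_tmp_dirs /tmp` while a document is open in OpenOffice; after the patch every sv*.tmp directory should be mode 700 and the function should print nothing and return 0.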