Date: Wed, 15 Sep 2004 06:42:58 +0900 (JST) From: NAKATA Maho <chat95@mac.com> To: nectar@FreeBSD.org, portmgr@FreeBSD.org Cc: openoffice@FreeBSD.org Subject: Re: openoffice --- document disclosure Message-ID: <20040915.064258.730550294.chat95@mac.com> In-Reply-To: <20040914022410.GA83483@madman.celabo.org> References: <20040914022410.GA83483@madman.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In Message-ID: <20040914022410.GA83483@madman.celabo.org> "Jacques A. Vidrine" <nectar@FreeBSD.org> wrote: Hello nectar, and portmgr portmger: I would like to fix this problem as soon as possible, I confirmed that this security vulenrablity was fixed with patch. please approve o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir change Makefile to: o fcvs diff -u Makefile Index: Makefile =================================================================== RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v retrieving revision 1.164 diff -u -r1.164 Makefile --- Makefile 31 Aug 2004 12:09:57 -0000 1.164 +++ Makefile 14 Sep 2004 21:42:23 -0000 @@ -36,6 +36,8 @@ USE_BISON= yes USE_GMAKE= yes USE_REINPLACE= yes +#mozilla 1.0 seems to have security vulnerability +WITHOUT_MOZILLA= yes .if !defined(WITHOUT_JAVA) USE_JAVA= 1.4+ ---------------------------------------------------------------------- > This issue seems reasonably serious to me: > http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html okay. thank you very much for your report. One point. Affected packages 0 <= ar-openoffice 0 <= ca-openoffice 0 <= cs-openoffice 0 <= de-openoffice 0 <= dk-openoffice 0 <= el-openoffice 0 <= es-openoffice 0 <= et-openoffice 0 <= fi-openoffice 0 <= fr-openoffice 0 <= gr-openoffice 0 <= hu-openoffice 0 <= it-openoffice 0 <= ja-openoffice 0 <= ko-openoffice 0 <= nl-openoffice 0 <= openoffice 0 <= pl-openoffice 0 <= pt-openoffice 0 <= pt_BR-openoffice 0 <= ru-openoffice 0 <= se-openoffice 0 <= sk-openoffice 0 <= sl-openoffice-SI 0 <= tr-openoffice 0 <= zh-openoffice-CN 0 <= zh-openoffice-TW openoffice and not openoffice-1.1? I think they should be *-openoffice-1.1-*. Currently I don't want to maintain OOo 1.0.3 ports since they shoule be obsolated, also openoffice-1.0 might not build for 5.3-RELEASE since there is a change in make(1). > Is it possible to have the OpenOffice ports patched before 5.3-RELEASE? I will commit the patch (slightly changed, though) by mmeeks at the IZ: http://www.openoffice.org/issues/show_bug.cgi?id=33357 This patch was committed and confirmed that this risk is avoided. 1. Launch OpenOffice. 2. List /tmp contents. Locate the directory 'sv*.tmp' 3. Type in some contents in the document and save it. 4. List the contents of the directory /tmp/sv*.tmp/ 5. Do not close OpenOffice. 'su' to a different user. 6. Copy the file under /tmp/sv*.tmp/ to home directory. -> Now Permission denied. BTW: OOo uses mozilla 1.0 runtime, and it also has security vulnerability. portsaudit tells and some discussios somewhere at opneoffice@freebsd.org and freebsd-users-jp@jp.freebsd.org (in Japanese). I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also. http://www.FreeBSD.org/ports/portaudit/730db824-e216-11d8-9b0a-000347a4fa7d.html http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html http://www.FreeBSD.org/ports/portaudit/abe47a5a-e23c-11d8-9b0a-000347a4fa7d.html Best regards, --nakata maho
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040915.064258.730550294.chat95>