Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 14 Sep 2004 18:04:58 -0400
From:      Joe Marcus Clarke <marcus@marcuscom.com>
To:        NAKATA Maho <chat95@mac.com>
Cc:        portmgr@FreeBSD.org
Subject:   Re: openoffice --- document disclosure
Message-ID:  <41476B0A.3060405@marcuscom.com>
In-Reply-To: <20040915.064258.730550294.chat95@mac.com>
References:  <20040914022410.GA83483@madman.celabo.org> <20040915.064258.730550294.chat95@mac.com>

next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NAKATA Maho wrote:

| In Message-ID: <20040914022410.GA83483@madman.celabo.org>
| "Jacques A. Vidrine" <nectar@FreeBSD.org> wrote:
|
| Hello nectar, and portmgr
|
| portmger: I would like to fix this problem as soon as possible,
| I confirmed that this security vulenrablity was fixed with patch.
| please approve
| o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir
| change Makefile to:
| o fcvs diff -u Makefile
| Index: Makefile
| ===================================================================
| RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v
| retrieving revision 1.164
| diff -u -r1.164 Makefile
| --- Makefile    31 Aug 2004 12:09:57 -0000      1.164
| +++ Makefile    14 Sep 2004 21:42:23 -0000
| @@ -36,6 +36,8 @@
|  USE_BISON=     yes
|  USE_GMAKE=     yes
|  USE_REINPLACE= yes
| +#mozilla 1.0 seems to have security vulnerability
| +WITHOUT_MOZILLA=       yes
|
|  .if !defined(WITHOUT_JAVA)
|  USE_JAVA=      1.4+
|
| ----------------------------------------------------------------------
|
|>This issue seems reasonably serious to me:
|>http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html
|
| okay. thank you very much for your report.
|
| One point.
| Affected packages
| 0 	<= 	ar-openoffice
| 0 	<= 	ca-openoffice
| 0 	<= 	cs-openoffice
| 0 	<= 	de-openoffice
| 0 	<= 	dk-openoffice
| 0 	<= 	el-openoffice
| 0 	<= 	es-openoffice
| 0 	<= 	et-openoffice
| 0 	<= 	fi-openoffice
| 0 	<= 	fr-openoffice
| 0 	<= 	gr-openoffice
| 0 	<= 	hu-openoffice
| 0 	<= 	it-openoffice
| 0 	<= 	ja-openoffice
| 0 	<= 	ko-openoffice
| 0 	<= 	nl-openoffice
| 0 	<= 	openoffice
| 0 	<= 	pl-openoffice
| 0 	<= 	pt-openoffice
| 0 	<= 	pt_BR-openoffice
| 0 	<= 	ru-openoffice
| 0 	<= 	se-openoffice
| 0 	<= 	sk-openoffice
| 0 	<= 	sl-openoffice-SI
| 0 	<= 	tr-openoffice
| 0 	<= 	zh-openoffice-CN
| 0 	<= 	zh-openoffice-TW
|
| openoffice and not openoffice-1.1?
| I think they should be *-openoffice-1.1-*.
| Currently I don't want to maintain OOo 1.0.3 ports since
| they shoule be obsolated, also openoffice-1.0 might not
| build for 5.3-RELEASE since there is a change in make(1).
|
|
|>Is it possible to have the OpenOffice ports patched before 5.3-RELEASE?
|
|
| I will commit the patch (slightly changed, though) by mmeeks
| at the IZ: http://www.openoffice.org/issues/show_bug.cgi?id=33357
|
| This patch was committed and confirmed that this risk is avoided.
| 1. Launch OpenOffice.
| 2. List /tmp contents. Locate the directory 'sv*.tmp'
| 3. Type in some contents in the document and save it.
| 4. List the contents of the directory /tmp/sv*.tmp/
| 5. Do not close OpenOffice. 'su' to a different user.
| 6. Copy the file under /tmp/sv*.tmp/ to home directory.
| -> Now Permission denied.
|
| BTW:
| OOo uses mozilla 1.0 runtime, and it also has security vulnerability.
| portsaudit tells and some discussios somewhere at opneoffice@freebsd.org
| and freebsd-users-jp@jp.freebsd.org (in Japanese).
| I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also.

Approved.

Joe

|
|
http://www.FreeBSD.org/ports/portaudit/730db824-e216-11d8-9b0a-000347a4fa7d.html
|
http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html
|
http://www.FreeBSD.org/ports/portaudit/abe47a5a-e23c-11d8-9b0a-000347a4fa7d.html
|
| Best regards,
| --nakata maho
|
|


- --
PGP Key : http://www.marcuscom.com/pgp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBR2sKb2iPiv4Uz4cRAupIAJ4i8lsKj4gJzS/ufyDR9c+KaszC7QCgkW5J
QLXCGH+66cHPfJ7mT6yJhkA=
=wUXQ
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41476B0A.3060405>