From owner-freebsd-openoffice@FreeBSD.ORG Tue Sep 14 22:05:04 2004
Message-ID: <41476B0A.3060405@marcuscom.com>
Date: Tue, 14 Sep 2004 18:04:58 -0400
From: Joe Marcus Clarke
Organization: MarcusCom, Inc.
To: NAKATA Maho
cc: nectar@FreeBSD.org, openoffice@FreeBSD.org, portmgr@FreeBSD.org
Subject: Re: openoffice --- document disclosure
In-Reply-To: <20040915.064258.730550294.chat95@mac.com>
References: <20040914022410.GA83483@madman.celabo.org> <20040915.064258.730550294.chat95@mac.com>
List-Id: Porting OpenOffice to FreeBSD

NAKATA Maho wrote:
| In Message-ID: <20040914022410.GA83483@madman.celabo.org>
| "Jacques A. Vidrine" wrote:
|
| Hello nectar, and portmgr
|
| portmgr: I would like to fix this problem as soon as possible,
| I confirmed that this security vulnerability was fixed with the patch.
| please approve
| o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir
| change Makefile to:
| o fcvs diff -u Makefile
| Index: Makefile
| ===================================================================
| RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v
| retrieving revision 1.164
| diff -u -r1.164 Makefile
| --- Makefile 31 Aug 2004 12:09:57 -0000 1.164
| +++ Makefile 14 Sep 2004 21:42:23 -0000
| @@ -36,6 +36,8 @@
| USE_BISON= yes
| USE_GMAKE= yes
| USE_REINPLACE= yes
| +#mozilla 1.0 seems to have security vulnerability
| +WITHOUT_MOZILLA= yes
|
| .if !defined(WITHOUT_JAVA)
| USE_JAVA= 1.4+
|
| ----------------------------------------------------------------------
|
|>This issue seems reasonably serious to me:
|>http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html
|
| Okay. Thank you very much for your report.
|
| One point.
| Affected packages
| 0 <= ar-openoffice
| 0 <= ca-openoffice
| 0 <= cs-openoffice
| 0 <= de-openoffice
| 0 <= dk-openoffice
| 0 <= el-openoffice
| 0 <= es-openoffice
| 0 <= et-openoffice
| 0 <= fi-openoffice
| 0 <= fr-openoffice
| 0 <= gr-openoffice
| 0 <= hu-openoffice
| 0 <= it-openoffice
| 0 <= ja-openoffice
| 0 <= ko-openoffice
| 0 <= nl-openoffice
| 0 <= openoffice
| 0 <= pl-openoffice
| 0 <= pt-openoffice
| 0 <= pt_BR-openoffice
| 0 <= ru-openoffice
| 0 <= se-openoffice
| 0 <= sk-openoffice
| 0 <= sl-openoffice-SI
| 0 <= tr-openoffice
| 0 <= zh-openoffice-CN
| 0 <= zh-openoffice-TW
|
| openoffice and not openoffice-1.1?
| I think they should be *-openoffice-1.1-*.
| Currently I don't want to maintain OOo 1.0.3 ports since
| they should be obsoleted; also openoffice-1.0 might not
| build for 5.3-RELEASE since there is a change in make(1).
|
|
|>Is it possible to have the OpenOffice ports patched before 5.3-RELEASE?
|
|
| I will commit the patch (slightly changed, though) by mmeeks
| at the IZ: http://www.openoffice.org/issues/show_bug.cgi?id=33357
|
| This patch was committed and confirmed that this risk is avoided.
| 1. Launch OpenOffice.
| 2. List /tmp contents. Locate the directory 'sv*.tmp'
| 3. Type in some contents in the document and save it.
| 4. List the contents of the directory /tmp/sv*.tmp/
| 5. Do not close OpenOffice. 'su' to a different user.
| 6. Copy the file under /tmp/sv*.tmp/ to home directory.
| -> Now Permission denied.
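Review bot: the comment `+#mozilla 1.0 seems to have security vulnerability` above `+WITHOUT_MOZILLA= yes` in the @@ -36,6 +36,8 @@ hunk is too vague for a later maintainer to know which problem it works around or when the line may be dropped; say that it is a temporary workaround for the bundled mozilla 1.0 runtime and cite the three http://www.FreeBSD.org/ports/portaudit/ entries listed at the end of this message, so the setting can be reverted once a fixed runtime is available. A second point on the same hunk: the diff covers only the Makefile, while the new files/patch-security-tmp-dir that actually fixes the temp-directory disclosure is only named in the request, so the approval can cover nothing beyond what is visible here; please post that patch (or the IZ 33357 diff with the "slightly changed" part marked) so the fix itself can be reviewed before commit.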
|
| BTW:
| OOo uses the mozilla 1.0 runtime, and it also has a security vulnerability.
| portaudit tells, and there were some discussions somewhere at openoffice@freebsd.org
| and freebsd-users-jp@jp.freebsd.org (in Japanese).
| I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also.

Approved.

Joe

| http://www.FreeBSD.org/ports/portaudit/730db824-e216-11d8-9b0a-000347a4fa7d.html
| http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html
| http://www.FreeBSD.org/ports/portaudit/abe47a5a-e23c-11d8-9b0a-000347a4fa7d.html
|
| Best regards,
| --nakata maho
|

--
PGP Key : http://www.marcuscom.com/pgp.asc
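The six-step check in the quoted message comes down to two things that can be verified mechanically on any multi-user Unix host: whether the application's /tmp/sv*.tmp directory grants any permission to group or other, and whether files created inside it are owner-only. The following is an added example written for this page; it is not OpenOffice.org code and not the patch from issue 33357. It shows a private-directory check next to the mkdtemp(3) plus O_EXCL pattern that avoids the disclosure, and, for contrast, a constructed 0755 directory standing in for the pre-fix situation. The function names (`dir_is_private`, `make_private_tmpdir`, `make_shared_tmpdir`, `create_private_file`, `demo`), the `sv` name prefix and the use of $TMPDIR are assumptions made for the example.

```c
/* Added example: checking and creating private temporary directories.
 * Not OpenOffice.org code; names and sample contents are constructed. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares mkdtemp(3) on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SHARED_BITS (S_IRWXG | S_IRWXO)

/* 1 if `path` is a directory granting nothing to group/other (0700-style),
 * 0 if any group/other bit is set, -1 if it is missing or not a directory
 * (a symlink where the temp dir should be is deliberately reported as -1).
 * Steps 2 and 4 of the quoted repro amount to running this on /tmp/sv*.tmp. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & SHARED_BITS) == 0 ? 1 : 0;
}

/* Create a private per-process temp dir under `base` ($TMPDIR or /tmp when
 * NULL). mkdtemp(3) picks an unpredictable suffix, refuses to reuse an
 * existing entry, and creates the directory with mode 0700 (& ~umask), so
 * other local users can neither list nor enter it. Path is written to `out`. */
int make_private_tmpdir(const char *base, char *out, size_t outlen)
{
    if (base == NULL) base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    int n = snprintf(out, outlen, "%s/svXXXXXX", base);   /* "sv" prefix: assumption */
    if (n < 0 || (size_t)n >= outlen) return -1;
    return mkdtemp(out) == NULL ? -1 : 0;
}

/* Contrast case (constructed): the same directory relaxed to 0755, which is
 * what mkdir(path, 0777) yields under the usual 022 umask. Files created
 * inside with the default 0644 mode are then readable by every local user,
 * which is the disclosure the repro steps above demonstrate. */
int make_shared_tmpdir(const char *base, char *out, size_t outlen)
{
    if (make_private_tmpdir(base, out, outlen) != 0) return -1;
    return chmod(out, 0755);
}

/* Create `name` inside `dir` with O_EXCL and mode 0600: fails if the entry
 * already exists (no pre-created file or symlink can be followed) and stays
 * owner-only even if the directory mode were later relaxed. */
int create_private_file(const char *dir, const char *name,
                        char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    static const char body[] = "autosave contents (constructed)\n";
    ssize_t w = write(fd, body, sizeof body - 1);
    close(fd);
    return w == (ssize_t)(sizeof body - 1) ? 0 : -1;
}

/* Walk through both cases. Returns 0 when every expectation holds, otherwise
 * the number of the failed step. Removes everything it created. */
int demo(void)
{
    char dir[256], file[512];
    struct stat st;
    if (make_private_tmpdir(NULL, dir, sizeof dir) != 0) return 1;
    if (dir_is_private(dir) != 1) return 2;                 /* post-fix state */
    if (create_private_file(dir, "autosave.tmp", file, sizeof file) != 0) return 3;
    if (stat(file, &st) != 0 || (st.st_mode & SHARED_BITS) != 0) return 4;
    /* a second create must fail: O_EXCL refuses the existing entry */
    if (create_private_file(dir, "autosave.tmp", file, sizeof file) == 0) return 5;
    if (unlink(file) != 0 || rmdir(dir) != 0) return 6;

    if (make_shared_tmpdir(NULL, dir, sizeof dir) != 0) return 7;
    if (dir_is_private(dir) != 0) return 8;                 /* pre-fix state */
    if (rmdir(dir) != 0) return 9;
    return 0;
}

int main(void)
{
    int rc = demo();
    if (rc == 0)
        printf("all checks passed\n");
    else
        printf("check %d failed (errno %d: %s)\n", rc, errno, strerror(errno));
    return rc;
}
```

Compile with `cc -o tmpdir_check tmpdir_check.c` and run it as an ordinary user. Pointing `dir_is_private` at the live /tmp/sv*.tmp directory while OpenOffice is running is the scriptable form of steps 2, 4 and 6 above: 1 corresponds to the post-patch "Permission denied" for another user, 0 means the directory is still shared. The check looks only at the directory mode; a 0755 directory holding 0600 files still lets other users list file names even though they cannot read the contents, which is why the example creates the files with 0600 as well as the directory with 0700.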