From owner-freebsd-openoffice@FreeBSD.ORG Tue Sep 14 23:29:26 2004 Return-Path: Delivered-To: freebsd-openoffice@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1552816A4CE; Tue, 14 Sep 2004 23:29:26 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 800A343D39; Tue, 14 Sep 2004 23:29:25 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from localhost (localhost [127.0.0.1]) by gw.celabo.org (Postfix) with ESMTP id E36EA54861; Tue, 14 Sep 2004 18:29:24 -0500 (CDT) Received: from gw.celabo.org ([127.0.0.1]) by localhost (hellblazer.celabo.org [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 53398-10; Tue, 14 Sep 2004 18:29:13 -0500 (CDT) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (not verified)) by gw.celabo.org (Postfix) with ESMTP id B18F55485D; Tue, 14 Sep 2004 18:29:13 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 7B9166D466; Tue, 14 Sep 2004 18:29:05 -0500 (CDT) Date: Tue, 14 Sep 2004 18:29:05 -0500 From: "Jacques A. Vidrine" To: NAKATA Maho Message-ID: <20040914232905.GD95323@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , NAKATA Maho , portmgr@FreeBSD.org, openoffice@FreeBSD.org References: <20040914022410.GA83483@madman.celabo.org> <20040915.064258.730550294.chat95@mac.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040915.064258.730550294.chat95@mac.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: openoffice@FreeBSD.org cc: portmgr@FreeBSD.org Subject: Re: openoffice --- document disclosure X-BeenThere: freebsd-openoffice@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Porting OpenOffice to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Sep 2004 23:29:26 -0000 On Wed, Sep 15, 2004 at 06:42:58AM +0900, NAKATA Maho wrote: > In Message-ID: <20040914022410.GA83483@madman.celabo.org> > "Jacques A. Vidrine" wrote: > > Hello nectar, and portmgr > > portmger: I would like to fix this problem as soon as possible, > I confirmed that this security vulenrablity was fixed with patch. > please approve > o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir > change Makefile to: > o fcvs diff -u Makefile > Index: Makefile > =================================================================== > RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v > retrieving revision 1.164 > diff -u -r1.164 Makefile > --- Makefile 31 Aug 2004 12:09:57 -0000 1.164 > +++ Makefile 14 Sep 2004 21:42:23 -0000 > @@ -36,6 +36,8 @@ > USE_BISON= yes > USE_GMAKE= yes > USE_REINPLACE= yes > +#mozilla 1.0 seems to have security vulnerability > +WITHOUT_MOZILLA= yes > > .if !defined(WITHOUT_JAVA) > USE_JAVA= 1.4+ > > ---------------------------------------------------------------------- > > This issue seems reasonably serious to me: > > http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html > okay. thank you very much for your report. And thanks very much for handling! > > One point. > Affected packages > 0 <= ar-openoffice > 0 <= ca-openoffice > 0 <= cs-openoffice > 0 <= de-openoffice > 0 <= dk-openoffice > 0 <= el-openoffice > 0 <= es-openoffice > 0 <= et-openoffice > 0 <= fi-openoffice > 0 <= fr-openoffice > 0 <= gr-openoffice > 0 <= hu-openoffice > 0 <= it-openoffice > 0 <= ja-openoffice > 0 <= ko-openoffice > 0 <= nl-openoffice > 0 <= openoffice > 0 <= pl-openoffice > 0 <= pt-openoffice > 0 <= pt_BR-openoffice > 0 <= ru-openoffice > 0 <= se-openoffice > 0 <= sk-openoffice > 0 <= sl-openoffice-SI > 0 <= tr-openoffice > 0 <= zh-openoffice-CN > 0 <= zh-openoffice-TW > > openoffice and not openoffice-1.1? > I think they should be *-openoffice-1.1-*. > Currently I don't want to maintain OOo 1.0.3 ports since > they shoule be obsolated, also openoffice-1.0 might not > build for 5.3-RELEASE since there is a change in make(1). Actually there are so many version in the ports tree that I'm not sure that they are all covered. Assistance here would be appreciated. If you are not going to correct OOo 1.0.3, that's fine... we just need to make sure that we do specify the *corrected* version numbers. e.g., I guess now that you have committed a fix, you must bump PORTREVISION and the VuXML entry needs to be changed to `< 1.1.2_1' for the appropriate ports. Which packages are affected by your commit? Obviously `openoffice', but which language specific ones? All of them? > > Is it possible to have the OpenOffice ports patched before 5.3-RELEASE? > > I will commit the patch (slightly changed, though) by mmeeks > at the IZ: http://www.openoffice.org/issues/show_bug.cgi?id=33357 > > This patch was committed and confirmed that this risk is avoided. > 1. Launch OpenOffice. > 2. List /tmp contents. Locate the directory 'sv*.tmp' > 3. Type in some contents in the document and save it. > 4. List the contents of the directory /tmp/sv*.tmp/ > 5. Do not close OpenOffice. 'su' to a different user. > 6. Copy the file under /tmp/sv*.tmp/ to home directory. > -> Now Permission denied. > > BTW: > OOo uses mozilla 1.0 runtime, and it also has security vulnerability. > portsaudit tells and some discussios somewhere at opneoffice@freebsd.org > and freebsd-users-jp@jp.freebsd.org (in Japanese). > I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also. Hmm, OK. Yesterday I entered VuXML information about several Mozilla vulnerabilities that affected many different version of Mozilla. I also know of about 8 more that I've yet to document. It will be difficult to determine which of these actually affect OpenOffice, so it may be best to fix them... Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org