Date: Tue, 14 Sep 2004 18:29:05 -0500 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: NAKATA Maho <chat95@mac.com> Cc: portmgr@FreeBSD.org Subject: Re: openoffice --- document disclosure Message-ID: <20040914232905.GD95323@madman.celabo.org> In-Reply-To: <20040915.064258.730550294.chat95@mac.com> References: <20040914022410.GA83483@madman.celabo.org> <20040915.064258.730550294.chat95@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Sep 15, 2004 at 06:42:58AM +0900, NAKATA Maho wrote: > In Message-ID: <20040914022410.GA83483@madman.celabo.org> > "Jacques A. Vidrine" <nectar@FreeBSD.org> wrote: > > Hello nectar, and portmgr > > portmger: I would like to fix this problem as soon as possible, > I confirmed that this security vulenrablity was fixed with patch. > please approve > o adding /usr/ports/editors/openoffice-1.1/files/patch-security-tmp-dir > change Makefile to: > o fcvs diff -u Makefile > Index: Makefile > =================================================================== > RCS file: /home/pcvs/ports/editors/openoffice-1.1/Makefile,v > retrieving revision 1.164 > diff -u -r1.164 Makefile > --- Makefile 31 Aug 2004 12:09:57 -0000 1.164 > +++ Makefile 14 Sep 2004 21:42:23 -0000 > @@ -36,6 +36,8 @@ > USE_BISON= yes > USE_GMAKE= yes > USE_REINPLACE= yes > +#mozilla 1.0 seems to have security vulnerability > +WITHOUT_MOZILLA= yes > > .if !defined(WITHOUT_JAVA) > USE_JAVA= 1.4+ > > ---------------------------------------------------------------------- > > This issue seems reasonably serious to me: > > http://vuxml.freebsd.org/c62dc69f-05c8-11d9-b45d-000c41e2cdad.html > okay. thank you very much for your report. And thanks very much for handling! > > One point. > Affected packages > 0 <= ar-openoffice > 0 <= ca-openoffice > 0 <= cs-openoffice > 0 <= de-openoffice > 0 <= dk-openoffice > 0 <= el-openoffice > 0 <= es-openoffice > 0 <= et-openoffice > 0 <= fi-openoffice > 0 <= fr-openoffice > 0 <= gr-openoffice > 0 <= hu-openoffice > 0 <= it-openoffice > 0 <= ja-openoffice > 0 <= ko-openoffice > 0 <= nl-openoffice > 0 <= openoffice > 0 <= pl-openoffice > 0 <= pt-openoffice > 0 <= pt_BR-openoffice > 0 <= ru-openoffice > 0 <= se-openoffice > 0 <= sk-openoffice > 0 <= sl-openoffice-SI > 0 <= tr-openoffice > 0 <= zh-openoffice-CN > 0 <= zh-openoffice-TW > > openoffice and not openoffice-1.1? > I think they should be *-openoffice-1.1-*. > Currently I don't want to maintain OOo 1.0.3 ports since > they shoule be obsolated, also openoffice-1.0 might not > build for 5.3-RELEASE since there is a change in make(1). Actually there are so many version in the ports tree that I'm not sure that they are all covered. Assistance here would be appreciated. If you are not going to correct OOo 1.0.3, that's fine... we just need to make sure that we do specify the *corrected* version numbers. e.g., I guess now that you have committed a fix, you must bump PORTREVISION and the VuXML entry needs to be changed to `< 1.1.2_1' for the appropriate ports. Which packages are affected by your commit? Obviously `openoffice', but which language specific ones? All of them? > > Is it possible to have the OpenOffice ports patched before 5.3-RELEASE? > > I will commit the patch (slightly changed, though) by mmeeks > at the IZ: http://www.openoffice.org/issues/show_bug.cgi?id=33357 > > This patch was committed and confirmed that this risk is avoided. > 1. Launch OpenOffice. > 2. List /tmp contents. Locate the directory 'sv*.tmp' > 3. Type in some contents in the document and save it. > 4. List the contents of the directory /tmp/sv*.tmp/ > 5. Do not close OpenOffice. 'su' to a different user. > 6. Copy the file under /tmp/sv*.tmp/ to home directory. > -> Now Permission denied. > > BTW: > OOo uses mozilla 1.0 runtime, and it also has security vulnerability. > portsaudit tells and some discussios somewhere at opneoffice@freebsd.org > and freebsd-users-jp@jp.freebsd.org (in Japanese). > I'll mark as WITHOUT_MOZILLA for a while so as to avoid this problem also. Hmm, OK. Yesterday I entered VuXML information about several Mozilla vulnerabilities that affected many different version of Mozilla. I also know of about 8 more that I've yet to document. It will be difficult to determine which of these actually affect OpenOffice, so it may be best to fix them... Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040914232905.GD95323>