Date:      Fri, 8 May 2015 10:16:53 -0700 (PDT)
From:      Don Lewis <truckman@FreeBSD.org>
To:        bdrewery@FreeBSD.org
Cc:        ports-committers@FreeBSD.org, svn-ports-all@FreeBSD.org, svn-ports-head@FreeBSD.org
Subject:   Re: svn commit: r385792 - in head/editors/openoffice-4: . files
Message-ID:  <201505081716.t48HGrZZ027294@gw.catspoiler.org>
In-Reply-To: <554CDD81.8040900@FreeBSD.org>

On  8 May, Bryan Drewery wrote:
> On 5/8/2015 10:58 AM, Don Lewis wrote:
>> Author: truckman
>> Date: Fri May  8 15:58:38 2015
>> New Revision: 385792
>> URL: https://svnweb.freebsd.org/changeset/ports/385792
>> 
>> Log:
>>   Add a patch to fix the HWP filter vulnerability documented in
>>   CVE-2015-1774 and
>>   <http://www.openoffice.org/security/cves/CVE-2015-1774.html>
>>   
>>   Approved by:	mat (mentor)
>>   MFH:		2015Q2
>>   Security:	b13af778-f4fc-11e4-a95d-ac9e174be3af
>>   Differential Revision:	https://reviews.freebsd.org/D2478
> 
> Needs a vuxml entry.

Committed it yesterday in r385716:

<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="b13af778-f4fc-11e4-a95d-ac9e174be3af">
    <topic>Vulnerability in HWP document filter</topic>
    <affects>
      <package>
        <name>libreoffice</name>
        <range><lt>4.3.7</lt></range>
      </package>
      <package>
        <name>apache-openoffice</name>
        <name>apache-openoffice-devel</name>
        <range><lt>4.1.1_9</lt></range>
        <range><lt>4.2.1677190,3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>US-CERT/NIST reports:</p>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1774">
          <p>The HWP filter in LibreOffice before 4.3.7 and 4.4.x before
            4.4.2 and Apache OpenOffice before 4.1.2 allows remote
            attackers to cause a denial of service (crash) or possibly
            execute arbitrary code via a crafted HWP document, which
            triggers an out-of-bounds write.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-1774</cvename>
      <url>http://www.openoffice.org/security/cves/CVE-2015-1774.html</url>
      <url>https://www.libreoffice.org/about-us/security/advisories/cve-2015-1774/</url>
    </references>
    <dates>
      <discovery>2015-04-27</discovery>
      <entry>2015-05-07</entry>
    </dates>
  </vuln>