Date: Thu, 22 Mar 2012 10:47:01 -0500
From: Pedro Giffuni <pfg@FreeBSD.org>
To: freebsd-office@FreeBSD.org
Subject: Fwd: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Message-ID: <4F6B4975.2090203@FreeBSD.org>
In-Reply-To: <CAP-ksoj7o5%2B2YH-E4XzR044V0e3YZfZvuef7eJuNGhdy%2Bk9kyA@mail.gmail.com>
References: <CAP-ksoj7o5%2B2YH-E4XzR044V0e3YZfZvuef7eJuNGhdy%2Bk9kyA@mail.gmail.com>
FYI.

-------- Original Message --------
Subject: CVE-2012-0037: OpenOffice.org data leakage vulnerability
Date: Thu, 22 Mar 2012 09:16:21 -0400
From: Rob Weir <robweir@apache.org>
Reply-To: ooo-dev@incubator.apache.org
To: ooo-users@incubator.apache.org

Please note, this is the official security bulletin, targeted for security
professionals. If you are an OpenOffice.org 3.3 user, and are able to apply
the mentioned patch, then you are encouraged to do so. If someone else
supports or manages your desktop, then please forward this information to
them.

Additional support is available on our Community Forums:
http://user.services.openoffice.org/

And via our ooo-users mailing list:
http://incubator.apache.org/openofficeorg/mailing-lists.html#users-mailing-list

Note: This security patch for OpenOffice.org is made available to legacy
OpenOffice.org users as a service by the Apache OpenOffice Project Management
Committee. The patch is made available under the Apache License, and due to
its importance, we are releasing it outside of the standard release cycle.

-Rob

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-0037: OpenOffice.org data leakage vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may also be affected.

Description: An XML External Entity (XXE) attack is possible in the above
versions of OpenOffice.org. This vulnerability exploits the way in which
external entities are processed in certain XML components of ODF documents.
By crafting an external entity to refer to other local file system
resources, an attacker would be able to inject contents of other
locally-accessible files into the ODF document, without the user's
knowledge or permission. Data leakage then becomes possible when that
document is later distributed to other parties.

Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
patch at:
http://www.openoffice.org/security/cves/CVE-2012-0037.html

This vulnerability is also fixed in Apache OpenOffice 3.4 dev snapshots
since March 1st, 2012.

Source and Building: Information on obtaining the source code for this
patch, and for porting it or adapting it to OpenOffice.org derivatives can
be found here:
http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt

Credit: The Apache OpenOffice project acknowledges and thanks the
discoverer of this issue, Timothy D. Morgan of Virtual Security Research,
LLC.

References: http://security.openoffice.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJPayGmAAoJEGFAoYdHzLzHJVcP/jXzY+ROwPTAaSItCc4GAn2q
Gm3uL9D9aRrs/pp+sofRkF9L3nyWEyyVfvZv6+IBrqOU/2Tu1CD8cY6Kns1ZYxVO
ZRDiR5hhr3pA6KfWlb9W9it/8JsTF7WZfTX0uRMPXCYlJuYQ38Nl7kloPYswXG2w
By2J19VanlHuwLQJoNV08652HBDy2Xpa6Wk7N5NoyETILOS47QTgizjAYZ2AY0GE
ykBFu9A9yblLM5zftuMT/4FxkHQ8Qx5I3NmV3V8cUgJlmbc2oscsC23iIPcoulJF
GSn8tub/e47xzgpJy69NoHgzmb6Ou+J3BDXr0kmH008P6FaTpTgPTltZ8Fcua+T2
JSWjzW5IBOW/20J9RN+5lkDJQTY5FiqqpjV7H6bZV3+MVx3Fk/ih1uJPr2cVZqaT
pDU5xtn79py7MNsmpjnzD7mPbdiA2OfStzFpqUM60HOki7RgGpozvUPEvA0uIss9
X/jP1KixPDdbGS2fMrM7KG9mnT8BOzwow0Vti7alP2x2BkTXZm2K/qflXJDFCxTn
g23OJIxlnhC8cK4etyezWNMSya4LLMgz6ZO+TEdvCSaaF6b3t6seskgnFAMcdPHY
bkfzzYnACtrvQAmRQ1Nn4i1yFGAY+cTE7sUO2NcFhHn6jXaiZFEatdh4XJEEcTXl
OZE/3v6XnehMD/32kipa
=/qce
-----END PGP SIGNATURE-----
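The bulletin above describes the defect in class terms only: an ODF package is a zip of XML parts, and a part whose DTD declares an external entity can pull a local file into the document when it is parsed. The following Python is an added example, not code from the advisory, the Apache OpenOffice project or the FreeBSD port; it shows the two things a defender wants at this point: a scanner that lists every external entity declared in any XML part of an ODF package, and a parser configuration that refuses to resolve such entities. The package layout, the file path in the entity declaration (a placeholder) and the sample document are all constructed for the demonstration.

```python
import io
import zipfile
import xml.parsers.expat

# Constructed sample: a minimal ODF-style content.xml whose internal DTD
# subset declares an external general entity and references it in the body.
# The SYSTEM identifier is a placeholder path, not a real target.
MALICIOUS_CONTENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE office:document-content [
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/local/file">
]>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">
  <office:body><office:text><text:p>&leak;</text:p></office:text></office:body>
</office:document-content>
"""

# Constructed sample: the same document without any DTD, as a benign control.
CLEAN_CONTENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">
  <office:body><office:text><text:p>Hello</text:p></office:text></office:body>
</office:document-content>
"""


def build_odt(content_xml: bytes) -> bytes:
    """Build an in-memory ODF-style package (zip) around the given content.xml.
    Only the parts needed for the demonstration are written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content_xml)
    return buf.getvalue()


def find_external_entities(xml_bytes: bytes) -> list:
    """Return (entity_name, system_id) for every external entity declared in
    the XML. Declarations are observed through expat's EntityDeclHandler, so
    they are recorded without the entity ever being fetched; any attempt to
    resolve an external entity is refused, which aborts the parse."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An entity with a SYSTEM (or PUBLIC) identifier is external.
        if system_id is not None:
            found.append((name, system_id))

    def external_ref(context, base, system_id, public_id):
        # Returning 0 makes expat stop with XML_ERROR_EXTERNAL_ENTITY_HANDLING:
        # the hardened setting that a fixed reader applies.
        return 0

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # refusal aborted the parse; the declarations are already recorded
    return found


def scan_odf(package: bytes) -> dict:
    """Map each XML part of an ODF package to the external entities it declares.
    An empty dict means no part declares an external entity."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if name.endswith(".xml"):
                external = find_external_entities(z.read(name))
                if external:
                    findings[name] = external
    return findings


if __name__ == "__main__":
    for label, xml_part in (("clean", CLEAN_CONTENT_XML), ("xxe", MALICIOUS_CONTENT_XML)):
        print(label, scan_odf(build_odt(xml_part)))
```

The scanner looks at every `.xml` member because the advisory says the problem lies in "certain XML components" of the package rather than naming one; on a real document you would feed the file's bytes to `scan_odf` and treat any non-empty result as a document that should not be opened with a reader that resolves external entities.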