Republished without change. This advisory, originally posted on 2015-11-04, died in a moderation queue and did not reach the list. The announce@openoffice.apache.org is the official mailing list for Apache OpenOffice security advisories, as specified at <http://www.openoffice.org/security/alerts.html>.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NOTICE: APACHE OPENOFFICE SECURITY ADVISORY CVE-2015-4551: TARGETED DATA DISCLOSURE FIXED IN APACHE OPENOFFICE 4.1.2 CVE-2015-4551 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4551> Apache OpenOffice Advisory <https://www.openoffice.org/security/cves/CVE-2015-4551.html> Title: Targeted Data Disclosure Version 1.0 Announced 2015-11-04 A vulnerability in OpenOffice settings of OpenDocument Format files and templates allows silent access to files that are readable from an user account, over-riding the user's default configuration settings. Once these files are imported into a maliciously-crafted document, the data can be silently hidden in the document and possibly exported to an external party without being observed. Severity: Important There are no known exploits of this vulnerability. A proof-of-concept demonstration exists. Vendor: The Apache Software Foundation Versions Affected: All Apache OpenOffice versions 4.1.1 and older are affected. OpenOffice.org versions are also affected. Related CVE-2014-3575 <https://www.openoffice.org/security/cves/CVE-2014-3575.html> CVE-2012-0037 <https://www.openoffice.org/security/cves/CVE-2012-0037.html> Mitigation Apache OpenOffice users are urged to download and install Apache OpenOffice version 4.1.2 or later. Apache OpenOffice 4.1.2 mitigates this vulnerability by ignoring in-document settings that over-ride default behavior when accessing data beyond the document itself. The automatic default behavior is changed to make such access evident to the user, who must then approve the access. Nature of Attack This vulnerability requires an exquisitely crafted attack to locate targeted files, silently retrieve them, and then deliver their data in a manner that escapes notice. Knowledge of the user's system and specific configuration is generally required. Precautions In addition to keeping Apache OpenOffice updated, users can reduce the threat of this kind of data access from ODF documents. Keep documents and sensitive materials separate from common, predictable locations, including on networks. Require additional access permissions for access to sensitive materials even when operating under the user's normal account. Further Information For additional information and assistance, consult the Apache OpenOffice Community Forums, <https://forum.openoffice.org/>, or make requests to the <mailto:us...@openoffice.apache.org> public mailing list. The latest information on Apache OpenOffice security bulletins can be found at <http://www.openoffice.org/security/bulletin.html>. Credits The Apache OpenOffice security team thanks Federico "fox" Scrinzi for reporting the defect and Stephan Bergmann of Red Hat for analysis and a repair solution. PGP key Fingerprint 04D0 4322 979B 84DE 1077 0334 F96E 89FF D456 628A <https://people.apache.org/keys/committer/orcmid.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJWOpZCAAoJEPluif/UVmKKrI4H/0NqbgMzqfEVjXyFla2yjVKK DAHXd6/LlVTggSDWJxnUnBEqGbZH3Jchm9WNzAym9j1uuAU/XTHQdZr5OU0JAh6w W+9WcEvXSAUUx0eY+FZIZKAAinmSb9ITn5QjVnmYO7RDAULrl5/tC3TrVYbhPzdY 8cAzx0gy38HArFqJA/Gn89q25w5/1UwrO8rwQE9JmgCeAXiUFCbiurGxpqJxa9YI oo/pgs9CJfRVu6riRc2Sdglbc4g4gy9zip7F8lxa8diaJOA8ZGkxwNnIDUbX3jTH VVQ9ws6bQQzup7eLvV/LSdohGosWcOU2VM0mp3D8JIwq5TF5i7KBQmFFyC595k4= =gVz2 -----END PGP SIGNATURE-----