https://issues.apache.org/ooo/show_bug.cgi?id=119152
--- Comment #9 from Armin Le Grand <[email protected]> --- ALG: Hi Malte! Thanks for the comments. I investigated further on what happens when those temp files for graphic swapping are read/written. The temp files are not directly usable as graphic data at all, the graphic data is embedded in extra data the mechanism in AOO is writing around it, so we have no direct/simple vulnerability at all; someone who wants to use this already needs special knowledge. You can try yourself: - New Draw/Impress - add picture (e.g. some *.jpg) - new page, wait a little bit -> graphic gets swapped out - find temp file, copy somewhere, rename to *.jpg -> cannot be used directly With some work also encryption could be added, but it's a question of ressources and also will make swap performance less effective. Thus it is questionable if direct action for now is necessary from my POV. -- You are receiving this mail because: You are on the CC list for the bug.
