Until the analysis of the situation is available at < http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713> there is not much useful information.
My limited understanding is that the bug is in the import of Microsoft Word .doc documents into LibreOffice. Unless this bug was introduced by changes since the fork to LibreOffice, it should be presumed to apply to all existing releases of OpenOffice.org as well. It is unclear whether there is an exploitable vulnerability as a result of the bug. The announcement suggests "this flaw could have been used for nefarious purposes, such as installing viruses, through a specially-crafted file." Since the analysis for CVE-2011-2713 does not appear to be available yet, it is not clear - whether and how the out-of-bounds property read can be used to achieve code execution, - whether there is a proof-of-concept for an exploit and - whether or not there has ever been a successful exploit. I cannot assess the urgency to upgrade to LibreOffice 3.4.3 expressed in the announcement. The post on the foundation blog was created by Italo Vignoli. I regard Italo as a responsible individual. I look forward to more-detailed clarification of <http://blog.documentfoundation.org/2011/10/05/the-document-foundation-publishes-details-of-libreoffice-3-4-3-security-fixes/>. My personal advice is that users of existing OpenOffice.org releases be careful to limit their use of Word .doc files to ones from known and trustworthy sources. Additional portions of the announcement are less clear. I don't doubt that security is being improved, I just can't tell from that level of information what risk that leaves for users of earlier releases of LibreOffice and OpenOffice.org. When more is known about the prospective impact on users of the software, more can be provided. - Dennis -----Original Message----- From: FR web forum [mailto:[email protected]] Sent: Thursday, October 06, 2011 01:27 To: [email protected] Subject: Re: Vulnerability fixed in LibreOffice > Anyone can post to anyone's security list. But they are private lists. It > is the part where discretion must occur in handling vulnerabilities until > >the fix is in and a CVE is posted that happens privately and that might work > better with some shared membership on the security lists. On AOOo, the >PPMC > is aware of any resolution that works into code, because of the way a > security fix gets committed into a release. Sorry but I'm not a developper. Could you just tell me if OOo 3.3 and future 3.4 are concerned. I must to inform end-users on the FR forum
