Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
Dear Mr. Duerr,

I recognized today that the latest version of OpenOffice is 4.1.1. Therefore I do not understand your message.

Best regards
Gunter Stadie

On 25.04.2015 at 21:13, Herbert Duerr wrote:
> CVE-2015-1774
> OpenOffice HWP Filter Remote Code Execution and Denial of Service Vulnerability
>
> A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial of service (memory corruption and application crash) or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format.
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: All Apache OpenOffice versions 4.1.1 and older are affected.
>
> Mitigation: Apache OpenOffice users are advised to remove the problematic library in the program folder of their OpenOffice installation. On Windows it is named hwp.dll, on Mac it is named libhwp.dylib and on Linux it is named libhwp.so. Alternatively the library can be renamed to anything else e.g. hwp_renamed.dll.
>
> This mitigation will drop AOO's support for documents created in Hangul Word Processor versions from 1997 or older. Users of such documents are advised to convert their documents to other document formats such as OpenDocument before doing so.
>
> Apache OpenOffice aims to fix the vulnerability in version 4.1.2.
>
> Credits: Thanks to an anonymous contributor working with VeriSign iDefense Labs.
Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
And another

Sent from my iPad

On Apr 25, 2015, at 1:11 PM, Herbert Duerr h...@apache.org wrote:
> CVE-2015-1774
> OpenOffice HWP Filter Remote Code Execution and Denial of Service Vulnerability
>
> A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial of service (memory corruption and application crash) or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format.
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: All Apache OpenOffice versions 4.1.1 and older are affected.
>
> Mitigation: Apache OpenOffice users are advised to remove the problematic library in the program folder of their OpenOffice installation. On Windows it is named hwp.dll, on Mac it is named libhwp.dylib and on Linux it is named libhwp.so. Alternatively the library can be renamed to anything else e.g. hwp_renamed.dll.
>
> This mitigation will drop AOO's support for documents created in Hangul Word Processor versions from 1997 or older. Users of such documents are advised to convert their documents to other document formats such as OpenDocument before doing so.
>
> Apache OpenOffice aims to fix the vulnerability in version 4.1.2.
>
> Credits: Thanks to an anonymous contributor working with VeriSign iDefense Labs.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
On 29/04/15 21:53, Marcus wrote:
> On 04/29/2015 05:39 PM, jan i wrote:
>> On 29 April 2015 at 15:07, Simon Phipps si...@webmink.com wrote:
>>> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti pesce...@apache.org wrote:
>>>> Simon Phipps wrote:
>>>>> Given this problem is not fixed in the current download, should the project suspend downloads until it can be addressed?
>>>>
>>>> This looks like a very extreme measure to take. The severity of the issue would not justify it.
>>>
>>> Can you explain that please? The CVE says "Severity: Important" and the effects are "a denial of service or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format". The fact we are unaware of current exploits does not mitigate the risk arising from distributing the software, and the rarity of the file format does not reduce the likelihood of it being used in an exploit. Maybe I am missing some of the context from the private security list?
>>
>> It seems to be an extremely seldom used feature, that makes the exploit unlikely. I am with Andrea, stopping downloads would not be right in this case.
>
> +1 I also don't see this as a reason to stop offering downloads.

Stopping the downloads is completely exaggerated. I personally never have seen such a file besides test documents in real life. We have a simple and effective work around in place. Even Korean community members on our l10n list have mentioned that the format is no longer relevant.

And of course we have analyzed the exploit and have decided to either fix it for the next release or as currently discussed to drop it completely to get away a further obsolete format.

Why I don't wonder from whom this idea is coming ;-)

And Simon, to be serious, we take security issues very seriously. So for everyone who wants to write something about security in AOO, security issues were and still are a serious and important topic for AOO and we analyze and decide what to do for every single security issue.

Juergen
Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
Given this problem is not fixed in the current download, should the project suspend downloads until it can be addressed? Few of the people downloading the package will be aware of this CVE or of the necessary mitigation post-install.

S.

On Sat, Apr 25, 2015 at 8:13 PM, Herbert Duerr h...@apache.org wrote:
> CVE-2015-1774
> OpenOffice HWP Filter Remote Code Execution and Denial of Service Vulnerability
>
> A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial of service (memory corruption and application crash) or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format.
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: All Apache OpenOffice versions 4.1.1 and older are affected.
>
> Mitigation: Apache OpenOffice users are advised to remove the problematic library in the program folder of their OpenOffice installation. On Windows it is named hwp.dll, on Mac it is named libhwp.dylib and on Linux it is named libhwp.so. Alternatively the library can be renamed to anything else e.g. hwp_renamed.dll.
>
> This mitigation will drop AOO's support for documents created in Hangul Word Processor versions from 1997 or older. Users of such documents are advised to convert their documents to other document formats such as OpenDocument before doing so.
>
> Apache OpenOffice aims to fix the vulnerability in version 4.1.2.
>
> Credits: Thanks to an anonymous contributor working with VeriSign iDefense Labs.

--
*Simon Phipps* http://webmink.com
*Office:* +1 (415) 683-7660 *or* +44 (238) 098 7027
*Mobile*: +44 774 776 2816 *or Telegram https://telegram.me/webmink*
Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti pesce...@apache.org wrote:
> Simon Phipps wrote:
>> Given this problem is not fixed in the current download, should the project suspend downloads until it can be addressed?
>
> This looks like a very extreme measure to take. The severity of the issue would not justify it.

Can you explain that please? The CVE says "Severity: Important" and the effects are "a denial of service or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format". The fact we are unaware of current exploits does not mitigate the risk arising from distributing the software, and the rarity of the file format does not reduce the likelihood of it being used in an exploit. Maybe I am missing some of the context from the private security list?

Thanks,

S.
Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
Simon Phipps wrote:
> Given this problem is not fixed in the current download, should the project suspend downloads until it can be addressed?

This looks like a very extreme measure to take. The severity of the issue would not justify it. As far as I know, there are no known exploits and we are talking about a file format that is obsolete by all means.

Regards,
  Andrea.
Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
On 29 April 2015 at 15:07, Simon Phipps si...@webmink.com wrote:
> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti pesce...@apache.org wrote:
>> Simon Phipps wrote:
>>> Given this problem is not fixed in the current download, should the project suspend downloads until it can be addressed?
>>
>> This looks like a very extreme measure to take. The severity of the issue would not justify it.
>
> Can you explain that please? The CVE says "Severity: Important" and the effects are "a denial of service or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format". The fact we are unaware of current exploits does not mitigate the risk arising from distributing the software, and the rarity of the file format does not reduce the likelihood of it being used in an exploit. Maybe I am missing some of the context from the private security list?

It seems to be an extremely seldom used feature, that makes the exploit unlikely. I am with Andrea, stopping downloads would not be right in this case.

rgds
jan I.

> Thanks,
>
> S.
Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
On 04/29/2015 05:39 PM, jan i wrote:
> On 29 April 2015 at 15:07, Simon Phipps si...@webmink.com wrote:
>> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti pesce...@apache.org wrote:
>>> Simon Phipps wrote:
>>>> Given this problem is not fixed in the current download, should the project suspend downloads until it can be addressed?
>>>
>>> This looks like a very extreme measure to take. The severity of the issue would not justify it.
>>
>> Can you explain that please? The CVE says "Severity: Important" and the effects are "a denial of service or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format". The fact we are unaware of current exploits does not mitigate the risk arising from distributing the software, and the rarity of the file format does not reduce the likelihood of it being used in an exploit. Maybe I am missing some of the context from the private security list?
>
> It seems to be an extremely seldom used feature, that makes the exploit unlikely. I am with Andrea, stopping downloads would not be right in this case.

+1 I also don't see this as a reason to stop offering downloads.

Marcus
Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
On 29/04/15 13:00, Andrea Pescetti wrote:
> issue would not justify it. As far as I know, there are no known exploits and we are talking about a file format that is obsolete by all

Is this vulnerability exploited only by opening a file in HWP format, or can it be exploited by any file?

jonathon
RE: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
Andreas,

Simply wait, for now, I think. It sometimes takes quite a while for updates to be placed at the Mitre CVE entry.

 - Dennis

-----Original Message-----
From: Andrea Pescetti [mailto:pesce...@apache.org]
Sent: Sunday, April 26, 2015 09:23
To: dev@openoffice.apache.org
Subject: Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

On 25/04/2015 Herbert Duerr wrote:
> CVE-2015-1774
> OpenOffice HWP Filter Remote Code Execution and Denial of Service
> [ ... ]

Note that the CVE link http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1774 still lists this vulnerability number as reserved. Should the link be different? Or should we simply wait until it is made public?

Regards,
  Andrea.
CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
CVE-2015-1774
OpenOffice HWP Filter Remote Code Execution and Denial of Service Vulnerability

A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial of service (memory corruption and application crash) or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All Apache OpenOffice versions 4.1.1 and older are affected.

Mitigation: Apache OpenOffice users are advised to remove the problematic library in the program folder of their OpenOffice installation. On Windows it is named hwp.dll, on Mac it is named libhwp.dylib and on Linux it is named libhwp.so. Alternatively the library can be renamed to anything else e.g. hwp_renamed.dll.

This mitigation will drop AOO's support for documents created in Hangul Word Processor versions from 1997 or older. Users of such documents are advised to convert their documents to other document formats such as OpenDocument before doing so.

Apache OpenOffice aims to fix the vulnerability in version 4.1.2.

Credits: Thanks to an anonymous contributor working with VeriSign iDefense Labs.
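
The rename mitigation from the advisory, as an added example that is not part of the original thread or the project's own tooling: it audits an installation directory for the three library names the advisory lists and, when asked, renames them. The install root argument, the rename suffix and the demo directory tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Library names given in the advisory, one per platform.
HWP_LIBS = {"hwp.dll", "libhwp.dylib", "libhwp.so"}
# Assumed suffix; the advisory allows renaming to anything else.
SUFFIX = ".disabled-CVE-2015-1774"


def find_hwp_libs(install_root):
    """Return every still-loadable HWP filter library under install_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(install_root):
        for name in files:
            # Compare case-insensitively: Windows and default macOS
            # filesystems do not distinguish HWP.DLL from hwp.dll.
            if name.lower() in HWP_LIBS:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def apply_mitigation(install_root, dry_run=True):
    """Rename each HWP library so the filter can no longer be loaded.

    Returns (old_path, new_path) pairs. With dry_run=True nothing on disk
    changes, so the result doubles as an audit report.
    """
    actions = []
    for lib in find_hwp_libs(install_root):
        target = lib.with_name(lib.name + SUFFIX)
        if not dry_run:
            os.replace(lib, target)
        actions.append((lib, target))
    return actions


def demo():
    """Run against a constructed directory tree, not a real installation."""
    with tempfile.TemporaryDirectory() as root:
        program = Path(root) / "program"
        program.mkdir()
        (program / "libhwp.so").write_bytes(b"constructed placeholder")
        (program / "libsw.so").write_bytes(b"unrelated library")
        audit = [old.name for old, _ in apply_mitigation(root)]
        renamed = [new.name for _, new in apply_mitigation(root, dry_run=False)]
        remaining = find_hwp_libs(root)
        return audit, renamed, remaining, sorted(os.listdir(program))


if __name__ == "__main__":
    print(demo())
```

An empty result from `find_hwp_libs` after the rename is the check that the mitigation is in place; a reinstall or repair of the suite can restore the library, so the audit is worth repeating after updates.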