On 11/22/2011 06:59 AM, Miyoshi Omori wrote:
> OK.
>
> Clean up is after 3.4.3.
> Migrating to 3.4 is difficult, but have to do.
> Nice to solve this problem.
>
> Thank you

However... There has been no change to these links regarding 3.3.4:

http://www.libreoffice.org/advisories/CVE-2011-2713/
[Despite the fact that Huzaifa Sidhpurwala reported that it is not a security issue and "notabug" on 5-Oct-2011 (the same day as the LO announcement)]

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713
* cpe:/a:sun:openoffice.org:3.3.0
* cpe:/a:libreoffice:libreoffice:3.3.0
* cpe:/a:libreoffice:libreoffice:3.3.1
* cpe:/a:libreoffice:libreoffice:3.3.2
* cpe:/a:libreoffice:libreoffice:3.3.3
* cpe:/a:libreoffice:libreoffice:3.3.4
* cpe:/a:libreoffice:libreoffice:3.4.0
* cpe:/a:libreoffice:libreoffice:3.4.1
* cpe:/a:libreoffice:libreoffice:3.4.2 and previous versions
* Denotes Vulnerable Software

In an earlier thread I specifically asked about 3.3.4 on 12 Oct:
<http://comments.gmane.org/gmane.comp.documentfoundation.discuss/7035>
where I was informed that the "security fix" was backported to 3.3.4. So I don't know what to believe.

Gary Lee
(NoOp)

>
> 2011/11/22 NoOp <gl...@sbcglobal.net>
>
>> On 11/20/2011 07:26 AM, Volker Merschmann wrote:
>> > Hi,
>> >
>> > 2011/11/20 Miyoshi Omori <miyoshi.om...@gmail.com>:
>> >> Hello,
>> >> My request is about information security.
>> >>
>> >> Security issues have already been announced as, CVE-2011-2713
>> >> corresponds to a comment.
>> >> TDF as information, but said that it had been made LibreOffice
>> >> 3.4.3 and 3.3.4 fixed.
>> >> According to NIST report
>> >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713,
>> >> 3.3.4 is classified as a vulnerable version on this security issue.
>> >> If it is incorrect, could you formally request a modification of
>> >> information as TDF.
>> >> As a user, it is also a serious problem.
>> >
>> > Thanks for reporting, I also think the information about 3.3.4 is
>> > incorrect there.
>> >
>> > Your mail has been forwarded to the security team.
>> >
>> >
>> > Volker
>> >
>> >
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=725668
>> [(CVE-2011-2713) CVE-2011-2713 openoffice.org: Out-of-bounds read in DOC
>> sprm parser]
>> Status: CLOSED NOTABUG
>> https://bugzilla.redhat.com/show_bug.cgi?id=725668#c14
>>
>> <quote>
>> Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT
>>
>> It initially appeared that this flaw may be exploitable similar to
>> CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution. However in
>> the case of this particular flaw, the junk data read is just parsed into an
>> internal representation of properties and the maximum harm this should cause is
>> an application crash (Denial Of Service).
>>
>> Timeline:
>> - Reported to securityt...@openoffice.org on 25-July-2011
>> - Received a reply (with tdf-secur...@lists.documentfoundation.org copied) on
>> the same date
>> - Release date changed with a few delays in between
>> - Release on 5-Oct-2011
>>
>>
>> Statement:
>>
>> This issue results in an OOB read which is not exploitable for arbitrary code
>> execution and can simply cause a crash. We do not consider this as a security
>> issue.
>> </quote>
>>
>>
>>
>> --
>> Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org
>> Problems?
>> http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
>> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
>> List archive: http://listarchives.documentfoundation.org/www/discuss/
>> All messages sent to this list will be publicly archived and cannot be
>> deleted