On 03/26/2007 12:48 AM, John Rotomano wrote:
> Well no
>
> we are talking here about a second security issue that has come up days
> after the one you refer to, which is the bug in libwpd, a library for
> handling WordPerfect documents that is included in OpenOffice.org, that
> has indeed been patched.
>
> As far as I know, there is still no patch for the security issue
> affecting calc documents
>
> It seems that the more people use OpenOffice the more 'pirates' try and
> find vulnerabilities. So, I wonder whether Ooo will become a bit like
> MSoffice, where vulnerabilities are discovered almost every day, and
> some of them stay unpatched for ...weeks!!!!
> Though, I guess, since Ooo is open source it must be easier to discover
> security vulnerabilities, because any malicious person can read the code
> and find holes
>
>
> NoOp wrote:
>> On 03/25/2007 03:26 PM, Dan Lewis wrote:
>>
>>> As new as this is (March 22, 2007), it will take a little time
>>> before much is said. At least that is my guess.
>>> If the problem in Calc is a macro, then there is a certain level
>>> of security already built into Calc. Every Calc containing a macro
>>> that is opened begins with a warning that the file contains a macro.
>>> The person then has a choice as to whether to allow the macro(s) to
>>> run or to disable the macro(s).
>>> This problem is perhaps a very good reason why this warning
>>> should never be disabled.
>>>
>>> Dan
>>
>> Perhaps if the 'reporters' of this security issue would follow through &
>> monitor the status they will find that this issue has been corrected &
>> patched already:
>>
>> http://www.debian.org/security/2007/dsa-1270
>> http://secunia.com/product/13657/?task=advisories_2007
Ummm...

http://www.heise-security.co.uk/news/87204
====
Up to now, no patched version of OpenOffice has been released. Users of
OpenOffice are therefore advised to refrain from opening any documents
that are not explicitly from trustworthy sources.
====

I presume that they are talking about:

* CVE-2007-0238

  Next Generation Security discovered that the StarCalc parser in
  OpenOffice.org contains an easily exploitable stack overflow that
  could be used exploited by a specially crafted document to execute
  arbitrary code.

From the link in the same above article:
http://www.debian.org/security/2007/dsa-1270
====
More information:

Several security related problems have been discovered in
OpenOffice.org, the free office suite. The Common Vulnerabilities and
Exposures project identifies the following problems:

* CVE-2007-0002

  iDefense reported several integer overflow bugs in libwpd, a library
  for handling WordPerfect documents that is included in OpenOffice.org.
  Attackers are able to exploit these with carefully crafted WordPerfect
  files that could cause an application linked with libwpd to crash or
  possibly execute arbitrary code.

* CVE-2007-0238

  Next Generation Security discovered that the StarCalc parser in
  OpenOffice.org contains an easily exploitable stack overflow that
  could be used exploited by a specially crafted document to execute
  arbitrary code.

* CVE-2007-0239

  It has been reported that OpenOffice.org does not escape shell meta
  characters and is hence vulnerable to execute arbitrary shell commands
  via a specially crafted document after the user clicked to a prepared
  link.

For the stable distribution (sarge) these problems have been fixed in
version 1.1.3-9sarge6.

For the testing distribution (etch) these problems have been fixed in
version 2.0.4.dfsg.2-6.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.4.dfsg.2-6.

We recommend that you upgrade your OpenOffice.org packages.

Fixed in:
^^^^^^^^
====
