Posted: Fri Apr 15, 2005 5:20 am Post subject: OOo Security Patch Today - Does this affect NeoO?
Got this mail today from OOo regarding vulnerability, does this affect NeoOffice/J???
regards,
knutkja
- - -
From: "Louis Suarez-Potts" <louis@openoffice.org>
Subject: [ooo-announce] NOTICE: Security Patch
Date: Fri, April 15, 2005 0:48
To: announce@openoffice.org,users@openoffice.org,"discuss" <discuss@openoffice.org>,dev@native-lang.openoffice.org
All,
A security vulnerability affecting OpenOffice.org 1.1.4 and earlier, as
well as 2.0beta, including the developer builds, was recently detected.
It has been fixed and a patch is available for immediate download for
all users of OpenOffice.org 1.1.4.
Users of earlier releases (1.1.3 and prior) must upgrade.
Users of 2.0beta are requested to download the latest beta,
OpenOffice.org 1.9.95. It will include the patch and be ready shortly.
Operating systems affected: All, including Linux, Solaris, Windows, Mac
OS X (X11) (NeoOffice/J users of the latest release are not affected.)
For other platforms, go to the Porting homepage for more information.
Installation is easy and instructions are on the page listed above.
We are requesting that all CD distributors and partners of
OpenOffice.org include the security patch. If you are not sure your
copy of OpenOffice.org 1.1.4 is secure, download the patch and be sure.
How serious is the problem? The problem resides in how OpenOffice.org
handles Microsoft Office .doc files. A malicious user could send such a
file as an attachment to you containing code that would allow them to
execute arbitrary commands on your computer should you open that
document in OpenOffice.org.
See the security advisory for more information:
<http://www.securityfocus.com/archive/1/395516>
Be safe by always making sure that you only open attachments from
trusted persons.
Posted: Fri Apr 15, 2005 6:46 am Post subject: Re: OOo Security Patch Today - Does this affect NeoO?
knutkja wrote:
Got this mail today from OOo regarding vulnerability, does this affect NeoOffice/J???
As it affects a general OOo component that is used on all platforms, I would suppose it does affect Neo/J.
Patrick, should we get this, or will you include it in the next patch?
_________________
"What do you think of Western Civilization?"
"I think it would be a good idea!"
- Mohandas Karamchand Gandhi
Posted: Fri Apr 15, 2005 7:33 am Post subject: Re: OOo Security Patch Today - Does this affect NeoO?
knutkja wrote:
Operating systems affected: All, including Linux, Solaris, Windows, Mac OS X (X11) (NeoOffice/J users of the latest release are not affected.) For other platforms, go to the Porting homepage for more information.
from what you posted...
though i am glad that patrick will be including the patch, I'm curious what, if anything, could be done to affect OSX.
I don't actually see the Mac X11 patch at the porting/mac page (it's in the main patch download directory referenced for the other platforms); there seem to be some wording errors in that news release.
I suppose that if someone put some Mac code in their .doc that includes the heap overflow, then the Mac code could execute ("maybe cause arbitrary code excute" from the security advisory in the bug). But like other overflows, it seems people are much more likely to target Windows.
Smokey
_________________
"[...] whether the duck drinks hot chocolate or coffee is irrelevant." -- ovvldc and sardisson in the NeoWiki
Joined: May 25, 2003 Posts: 4752 Location: Santa Barbara, CA
Posted: Fri Apr 15, 2005 9:18 pm Post subject:
I still suspect that this "security issue" is overblown. A lot of it seems to me to be this tech "press" that loves to fearmonger about security vulnerabilities these days. Hell, I'm sure that there are buffer overflows lurking in lots of software.
On Mac OS X there's only a limited amount of damage that any security flaw within OOo can cause, since it runs under your own user account. In order to elevate your user account to root-level access to modify the system, the user account is required to go through sudo or Authentication Services to get access, requiring a manual password entry. While damage could still occur silently, it would still be limited to only things accessible from the user account under which the application is running.
Also of note is that due to the way Neo/J is installed, no flaw such as this one can result in portions of Neo/J being overwritten as it is owned by root and thus needs that sudo/authentication to be overwritten.
This security problem is actually worse on Windows, where most folks still run as an Administrator all the time.
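The protection described in the post above (the installed tree is owned by root and carries no write bit for the user account the application runs under) can be checked rather than assumed. The following is an added example, not code from the thread or from the NeoOffice project; the function names, the ls(1)-based parsing and the default owner of root are this example's own assumptions. It walks an installation directory and reports every entry that is either not owned by the expected account or writable by group/others, which is exactly what a flaw running as your user would need in order to modify the application.

```sh
#!/bin/sh
# Added example (not from the thread): verify that an application tree is protected
# the way the post describes for Neo/J, i.e. every entry is owned by the install
# account (root by default) and has no group/other write bit, so a process running
# under an ordinary user account cannot overwrite any of it. The function names and
# the ls(1)-based parsing are this example's own choices, not NeoOffice tooling.

# Print one "reason path" line per entry that fails the check.
#   reason "owner": entry is not owned by $2 (default root)
#   reason "mode":  entry is writable by group or others
check_install_tree() {
    dir=$1
    owner=${2:-root}
    find "$dir" -print | while IFS= read -r path; do
        # ls -ld prints: mode links owner group ...; same layout on BSD, macOS and GNU.
        ls -ld "$path" | awk -v p="$path" -v o="$owner" '{
            if ($3 != o) print "owner", p
            # field 1 looks like -rwxr-xr-x; columns 6 and 9 are the group/other w bits
            if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") print "mode", p
        }'
    done
}

# Number of offending entries (0 means the tree is protected).
count_unprotected_entries() {
    check_install_tree "$1" "$2" | wc -l | tr -d ' '
}

# Exit status 0 if the tree is protected, 1 otherwise; prints the findings.
verify_install_tree() {
    findings=$(check_install_tree "$1" "$2")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Typical use on a system-wide install (the path is assumed for illustration):
# verify_install_tree /Applications/NeoOfficeJ.app root && echo "protected"
```

Run it against the real install path as an ordinary user; any "owner" line means that entry does not need sudo to be replaced, and any "mode" line means another account on the machine could replace it even if root owns it. Note that this checks only the application files: a flaw running as your user still reaches everything your account can read or write, as the post says.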
Thanks for the response to my posting, and to Patrick who will fix the bug in the next patch.
I guess you are right that security issues are generally blown out of proportion in the media. That was indeed the reason for me to post here - more of a public relations situation. I have a small website with info and links to OOo and Neo/J to promote the work done and to challenge the public ignorance. And it's all about having the answers, isn't it?
I think that suggested security issues will be more frequent in the future, and will be a battleground for the credibility of different products - and the ability to respond quickly to such issues (the products are all the same, with more or less the same functionality). The switch from MS to open source software is hard enough for most without "doomsday scenarios" on security, real or not.
In Norway (where I live) the Socialist party (remember that the political paradigm in Europe is different from the US) has put open source software as one of their issues in the campaign for the national parliament and government election this fall. They want to challenge the MS monopoly in the public sector and increase software competition in general. The Socialist party and the Labour party may win the election, the polls say.
regards,
Knut
Knut wrote:
... The Socialist party and the Labour party may win the election, the polls say.
Hah! Good thing Norwegian politics is different than the US, otherwise I wouldn't bet the farm on it. Over here, on paper, the other guy won the election, but you know what happened...
Joined: May 25, 2003 Posts: 4752 Location: Santa Barbara, CA
Posted: Sat Apr 16, 2005 4:26 pm Post subject:
Yup, it was already fixed. I suspect it won't be the last...it's not like anyone here (or probably within OOo either) has done an exhaustive security audit on the code like Theo did for OpenBSD.
I suppose the uber-paranoid could attempt to run OOo/NeoJ within a chroot jail (or any application for that matter). I am unsure if the Mac OS X environment allows the window server to respond to requests spawned from different user accounts. That's something I've never tried, and that'd be required to use NeoJ in a jail.