Welcome to NeoOffice developer notes and announcements
 
 

This website is an archive and is no longer active
NeoOffice announcements have moved to the NeoOffice News website


OOo Security Patch Today - Does this affect NeoO?
 
knutkja
Guest

Posted: Fri Apr 15, 2005 5:20 am    Post subject: OOo Security Patch Today - Does this affect NeoO?

Got this mail today from OOo regarding vulnerability, does this affect NeoOffice/J???

regards,
knutkja

- - -

From: "Louis Suarez-Potts" <louis@openoffice.org>
Subject: [ooo-announce] NOTICE: Security Patch
Date: Fri, April 15, 2005 0:48
To: announce@openoffice.org,users@openoffice.org,"discuss" <discuss@openoffice.org>,dev@native-lang.openoffice.org

All,

A security vulnerability affecting OpenOffice.org 1.1.4 and earlier, as
well as 2.0beta, including the developer builds, was recently detected.
It has been fixed and a patch is available for immediate download for
all users of OpenOffice.org 1.1.4.

Users of earlier releases (1.1.3 and prior) must upgrade.

Users of 2.0beta are requested to download the latest beta,
OpenOffice.org 1.9.95. It will include the patch and be ready shortly.

Operating systems affected: All, including Linux, Solaris, Windows, Mac
OS X (X11) (NeoOffice/J users of the latest release are not affected.)
For other platforms, go to the Porting homepage for more information.

* Porting Project: <http://porting.openoffice.org/>

The patch can be found here:

<http://download.openoffice.org/1.1.4/security_patch.html>

Installation is easy and instructions are on the page listed above.


We are requesting that all CD distributors and partners of
OpenOffice.org include the security patch. If you are not sure your
copy of OpenOffice.org 1.1.4 is secure, download the patch and be sure.

How serious is the problem? The problem resides in how OpenOffice.org
handles Microsoft Office .doc files. A malicious user could send such a
file as an attachment to you containing code that would allow them to
execute arbitrary commands on your computer should you open that
document in OpenOffice.org.

See the security advisory for more information:

<http://www.securityfocus.com/archive/1/395516>

Be safe by always making sure that you only open attachments from
trusted persons.

Regards,
The OpenOffice.org Team
Back to top
pluby
The Architect

Joined: Jun 16, 2003
Posts: 11949

Posted: Fri Apr 15, 2005 6:45 am    Post subject:

Yes, since Neo/J is based on OOo 1.1.4, it has the same security bug.

Patrick
Back to top
ovvldc
Captain Naiobi

Joined: Sep 13, 2004
Posts: 2352
Location: Zürich, CH

Posted: Fri Apr 15, 2005 6:46 am    Post subject: Re: OOo Security Patch Today - Does this affect NeoO?

knutkja wrote:
Got this mail today from OOo regarding vulnerability, does this affect NeoOffice/J???


As it affects a general OOo component, that is used on all platforms, I would suppose it does affect Neo/J.

Patrick, should we get this, or will you include it in the next Patch?

_________________
"What do you think of Western Civilization?"
"I think it would be a good idea!"
- Mohandas Karamchand Gandhi
Back to top
pluby
The Architect

Joined: Jun 16, 2003
Posts: 11949

Posted: Fri Apr 15, 2005 7:13 am    Post subject:

I will include the fix for the security bug in Neo/J 1.1 RC "Patch-2".

Patrick
Back to top
Guest
Guest

Posted: Fri Apr 15, 2005 7:21 am    Post subject:

Yeah, thank goodness for M$ "Security"!!!!! Isn't that a, what do they call it, an 'oxymoron'?
Back to top
jakeOSX
Ninja

Joined: Aug 12, 2003
Posts: 1373

Posted: Fri Apr 15, 2005 7:33 am    Post subject: Re: OOo Security Patch Today - Does this affect NeoO?

knutkja wrote:
Operating systems affected: All, including Linux, Solaris, Windows, Mac OS X (X11) (NeoOffice/J users of the latest release are not affected.) For other platforms, go to the Porting homepage for more information.


From what you posted...

Though I am glad that Patrick will be including the patch, I'm curious what, if anything, could be done to affect OSX.
Back to top
sardisson
Town Crier

Joined: Feb 01, 2004
Posts: 4588

Posted: Fri Apr 15, 2005 7:21 pm    Post subject:

I don't actually see the Mac X11 patch at the porting/mac page (it's in the main patch download directory referenced for the other platforms); there seem to be some wording errors in that news release. :)

I suppose that if someone put some Mac code in their .doc that includes the heap overflow, then the Mac code could execute ("maybe cause arbitrary code excute" from the security advisory in the bug). But like other overflows, it seems people are much more likely to target Windows :)

Smokey

_________________
"[...] whether the duck drinks hot chocolate or coffee is irrelevant." -- ovvldc and sardisson in the NeoWiki
Back to top
OPENSTEP
The One

Joined: May 25, 2003
Posts: 4752
Location: Santa Barbara, CA

Posted: Fri Apr 15, 2005 9:18 pm    Post subject:

I still suspect that this "security issue" is overblown. A lot of it seems to me to be this tech "press" that loves to fearmonger about security vulnerabilities these days. Hell, I'm sure that there are buffer overflows lurking in lots of software :)

On Mac OS X there's only a limited amount of damage that any security flaw within OOo can cause since it runs under your own user account. In order to elevate your user account to root level access to modify the system the user account is required to go through sudo or Authentication Services to get access, requiring a manual password entry. While damage could still occur silently, it would still be limited to only things accessible from the user account under which the application is running.

Also of note is that due to the way Neo/J is installed, no flaw such as this one can result in portions of Neo/J being overwritten as it is owned by root and thus needs that sudo/authentication to be overwritten.

This security problem is actually worse on Windows where most folks still run as an Administrator all the time :D

ed
Back to top
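The ownership point in the post above can be checked on any install tree. This is an added example, not part of the original thread and not NeoOffice code: a Python audit that lists every entry under a directory that a given unprivileged uid could modify. The names find_user_writable and build_constructed_tree, and the sample tree itself, are constructed for illustration.

```python
import os
import stat
import tempfile


def find_user_writable(root, uid, gids=()):
    """List (relative path, reason) for entries under root that uid can modify.

    Directories are checked too: write access to a directory lets a user
    replace the files inside it even when the files themselves are read-only.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            if st.st_uid == uid:
                reason = "owner"  # the owner can always chmod and then write
            elif st.st_mode & stat.S_IWOTH:
                reason = "world-writable"
            elif st.st_mode & stat.S_IWGRP and st.st_gid in gids:
                reason = "group-writable"
            else:
                continue
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def build_constructed_tree():
    """Constructed sample input: a fake install tree with one weak file mode."""
    root = tempfile.mkdtemp(prefix="fake_app_")
    modes = {"program/app.bin": 0o755,
             "program/filter.so": 0o666,  # deliberately world-writable
             "share/readme.txt": 0o644}
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    for d in (root, os.path.join(root, "program"), os.path.join(root, "share")):
        os.chmod(d, 0o755)
    return root


if __name__ == "__main__":
    tree = build_constructed_tree()
    # Assumption: uid + 1 stands in for an account that does not own the tree.
    for rel, reason in find_user_writable(tree, os.getuid() + 1):
        print(f"{reason:15} {rel}")
```

On a real system, pass the application directory and the uid and group ids of the account that runs the application; an empty result means a process running as that account cannot alter the installed files.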
knutkja
Guest

Posted: Sat Apr 16, 2005 4:46 am    Post subject:

Hi all,

Thanks for the response to my posting, and to Patrick who will fix the bug in the next patch. :D

I guess you are right regarding that security issues generally are out of proportions in the media. That was indeed the reason for me to post here - more of a public relations situation. I have a small website with info and links to OOo and Neo/J to promote the work done and to challenge the public ignorance. And it's all about having the answers, isn't it?

I think that suggested security issues will be more frequent in the future, and will be a battleground for the credibility of different products - and the ability to respond quickly to such issues (the products are all the same, with more or less the same functionality). The switch from Ms to open source software is hard enough for most without "doomsday scenarios" on security, real or not.

In Norway (where I live) the Socialist party (remember that the political paradigm in Europe is different from the US) has put open source software as one of their issues in the campaign for the national parliament and government election this fall. They want to challenge the Ms monopoly in the public sector and increase software competition in general. The Socialist party and the Labour party may win the election, the polls say.

regards,
Knut
Back to top
Jimmy Carter
Guest

Posted: Sat Apr 16, 2005 6:33 am    Post subject:

knutkja wrote:
Hi all,

... The Socialist party and the Labour party may win the election, the polls say.

regards,
Knut


Hah! Good thing Norway politics is different than the US, otherwise I wouldn't bet the farm on it. Over here, on paper, the other guy won the election but you know what happened...
Back to top
sardisson
Town Crier

Joined: Feb 01, 2004
Posts: 4588

Posted: Sat Apr 16, 2005 2:17 pm    Post subject:

knutkja wrote:
Thanks for the response to my posting, and to Patrick who will fix the bug in the next patch. :D


This is actually fixed in the *current* patch, Release Candidate Patch-2. :)

Smokey

_________________
"[...] whether the duck drinks hot chocolate or coffee is irrelevant." -- ovvldc and sardisson in the NeoWiki
Back to top
OPENSTEP
The One

Joined: May 25, 2003
Posts: 4752
Location: Santa Barbara, CA

Posted: Sat Apr 16, 2005 4:26 pm    Post subject:

Yup, it was already fixed. I suspect it won't be the last...it's not like anyone here (or probably within OOo either) has done an exhaustive security audit on the code like Theo did for OpenBSD.

I suppose the uber-paranoid could attempt to run OOo/NeoJ within a chroot jail (or any application for that matter). I am unsure if the Mac OS X environment allows the window server to respond to requests spawned from different user accounts. That's something I've never tried, and that'd be required to use NeoJ in a jail.

ed
Back to top
All times are GMT - 7 Hours