Date: prev next · Thread: first prev next last
2011 Archives by date, by thread · List index


On 11/22/2011 06:59 AM, Miyoshi Omori wrote:
OK.

Clean up is after 3.4.3.
Migrating to 3.4 is difficult, but have to do.
Nice to solve this problem.

Thank you

However... There has been no change to these links regarding 3.3.4:
http://www.libreoffice.org/advisories/CVE-2011-2713/
[Despite the fact that Huzaifa Sidhpurwala reported that it is not a
security issue and "notabug" on 5-Oct-2011 (the same day as the LO
announcement)]
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713
* cpe:/a:sun:openoffice.org:3.3.0
* cpe:/a:libreoffice:libreoffice:3.3.0
* cpe:/a:libreoffice:libreoffice:3.3.1
* cpe:/a:libreoffice:libreoffice:3.3.2
* cpe:/a:libreoffice:libreoffice:3.3.3
* cpe:/a:libreoffice:libreoffice:3.3.4
* cpe:/a:libreoffice:libreoffice:3.4.0
* cpe:/a:libreoffice:libreoffice:3.4.1
* cpe:/a:libreoffice:libreoffice:3.4.2 and previous versions
* Denotes Vulnerable Software

In an earlier thread I specifically asked about 3.3.4 on 12 Oct:
<http://comments.gmane.org/gmane.comp.documentfoundation.discuss/7035>
where I was informed that the "security fix" was backported to 3.3.4.
So I don't know what to believe.

Gary Lee (NoOp)



2011/11/22 NoOp <glgxg@sbcglobal.net>

On 11/20/2011 07:26 AM, Volker Merschmann wrote:
Hi,

2011/11/20 Miyoshi Omori <miyoshi.omori@gmail.com>:
Hello,
My request is  about information security.

Security issues have already been announced as, CVE-2011-2713
corresponds to a comment.
TDF as information, but said that it had been made LibreOffice
3.4.3 and 3.3.4  fixed.
According to NIST report
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713,
3.3.4 is classified as a vulnerable version on this security issue.
If it is incorrect, could you formally request a modification of
information as TDF.
As a user, it is also a serious problem.

Thanks for reporting, I also think the information about 3.3.4 is
incorrect there.

Your mail has been forwarded to the security team.


Volker



https://bugzilla.redhat.com/show_bug.cgi?id=725668
[(CVE-2011-2713) CVE-2011-2713 openoffice.org: Out-of-bounds read in DOC
sprm parser]
Status:         CLOSED NOTABUG
https://bugzilla.redhat.com/show_bug.cgi?id=725668#c14

<quote>
Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT

It initially appeared that this flaw may be exploitable similar to
CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution. However
in
the case of this particular flaw, the junk data read is just parsed into an
internal representation of properties and the maximum harm this should
cause in
application crash (Denial Of Service).

Timeline:
- Reported to securityteam@openoffice.org on 25-July-2011
- Recieved a reply (with tdf-security@lists.documentfoundation.org
copied) on
the same date
- Release date changed with a few delays in between
- Release on 5-Oct-2011


Statement:

This issue results in an OOB read which is not exploitable for arbitrary
code
execution and can simply cause a crash. We do not consider this as a
security
issue.
</quote>



--
Unsubscribe instructions: E-mail to discuss+help@documentfoundation.org
Problems?
http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be
deleted






-- 
Unsubscribe instructions: E-mail to discuss+help@documentfoundation.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be deleted

Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.