On 11/22/2011 06:59 AM, Miyoshi Omori wrote:
OK.
Clean up is after 3.4.3.
Migrating to 3.4 is difficult, but have to do.
Nice to solve this problem.
Thank you
However... There has been no change to these links regarding 3.3.4:
http://www.libreoffice.org/advisories/CVE-2011-2713/
[Despite the fact that Huzaifa Sidhpurwala reported that it is not a
security issue and "notabug" on 5-Oct-2011 (the same day as the LO
announcement)]
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713
* cpe:/a:sun:openoffice.org:3.3.0
* cpe:/a:libreoffice:libreoffice:3.3.0
* cpe:/a:libreoffice:libreoffice:3.3.1
* cpe:/a:libreoffice:libreoffice:3.3.2
* cpe:/a:libreoffice:libreoffice:3.3.3
* cpe:/a:libreoffice:libreoffice:3.3.4
* cpe:/a:libreoffice:libreoffice:3.4.0
* cpe:/a:libreoffice:libreoffice:3.4.1
* cpe:/a:libreoffice:libreoffice:3.4.2 and previous versions
* Denotes Vulnerable Software
In an earlier thread I specifically asked about 3.3.4 on 12 Oct:
<http://comments.gmane.org/gmane.comp.documentfoundation.discuss/7035>
where I was informed that the "security fix" was backported to 3.3.4.
So I don't know what to believe.
Gary Lee (NoOp)
2011/11/22 NoOp <glgxg@sbcglobal.net>
On 11/20/2011 07:26 AM, Volker Merschmann wrote:
Hi,
2011/11/20 Miyoshi Omori <miyoshi.omori@gmail.com>:
Hello,
My request is about information security.
Security issues have already been announced as, CVE-2011-2713
corresponds to a comment.
TDF as information, but said that it had been made LibreOffice
3.4.3 and 3.3.4 fixed.
According to NIST report
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713,
3.3.4 is classified as a vulnerable version on this security issue.
If it is incorrect, could you formally request a modification of
information as TDF.
As a user, it is also a serious problem.
Thanks for reporting, I also think the information about 3.3.4 is
incorrect there.
Your mail has been forwarded to the security team.
Volker
https://bugzilla.redhat.com/show_bug.cgi?id=725668
[(CVE-2011-2713) CVE-2011-2713 openoffice.org: Out-of-bounds read in DOC
sprm parser]
Status: CLOSED NOTABUG
https://bugzilla.redhat.com/show_bug.cgi?id=725668#c14
<quote>
Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT
It initially appeared that this flaw may be exploitable similar to
CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution. However
in
the case of this particular flaw, the junk data read is just parsed into an
internal representation of properties and the maximum harm this should
cause in
application crash (Denial Of Service).
Timeline:
- Reported to securityteam@openoffice.org on 25-July-2011
- Recieved a reply (with tdf-security@lists.documentfoundation.org
copied) on
the same date
- Release date changed with a few delays in between
- Release on 5-Oct-2011
Statement:
This issue results in an OOB read which is not exploitable for arbitrary
code
execution and can simply cause a crash. We do not consider this as a
security
issue.
</quote>
--
Unsubscribe instructions: E-mail to discuss+help@documentfoundation.org
Problems?
http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be
deleted
--
Unsubscribe instructions: E-mail to discuss+help@documentfoundation.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be deleted
Context
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.