Vulnerabilities in Open Office


Post by Husse on Thu Nov 06, 2008 7:33 am

Some vulnerabilities and a security issue have been reported in OpenOffice, which potentially can be exploited by malicious people to compromise a user's system, and by malicious, local users to perform certain actions with escalated privileges.
This is for WMF files, certain EMR records of EMF files, and the "senddoc" script, which uses temporary files in an insecure manner.
--------------------
The vulnerabilities are reported in 2.x versions prior to 2.4.2.
--------------------
The version in Elyssa is 2.4.1, which means all Mint versions of Open Office are vulnerable.
The version in the repositories is 2.4.1.
Version 2.4.2 can be downloaded directly; it is not a .deb file but a tar.gz, which means that installing is not straightforward.
http://download.openoffice.org/2.4.2/index.html
Edit// I should have added that if you don't use the above-mentioned, there is no need to do anything, and I really only recommend upgrading if you use senddoc heavily.
Source
http://secunia.com/Advisories/32419/
Don't fix it if it ain't broken, don't break it if you can't fix it
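The "senddoc" issue named in the post above belongs to the class of insecure temporary-file handling. The following is an added example, not code from OpenOffice or from this thread (the page does not show the script itself); it sets a guessable temp-file name beside the mktemp-based form, and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration of insecure vs. safe temporary files.
# This is NOT the senddoc script; all function names are hypothetical.

# Weak pattern: fixed prefix + PID in a shared directory. The name can be
# guessed, so another local user can create it first (for example as a
# symlink), and a later "> $path" by the victim follows that link.
predictable_tmp_path() {   # $1 = directory, $2 = prefix
    printf '%s/%s.%s\n' "$1" "$2" "$$"
}

# Detection helper: true if the guessed path is already occupied by a
# file or by a symlink (including a dangling one).
path_is_preoccupied() {
    [ -e "$1" ] || [ -L "$1" ]
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the
# file atomically with owner-only permissions; it fails rather than reuse
# an existing path.
safe_tmp_file() {          # $1 = directory, $2 = prefix
    mktemp "$1/$2.XXXXXXXXXX"
}

# Stage a copy of a document in a safely created temp file and print the
# path. The caller removes the file when finished.
stage_copy() {             # $1 = source file, $2 = directory, $3 = prefix
    tmp=$(safe_tmp_file "$2" "$3") || return 1
    if ! cat -- "$1" > "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    printf '%s\n' "$tmp"
}
```
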

Re: Vulnerabilities in Open Office

Post by ElQuia on Thu Nov 06, 2008 9:10 am

Husse: why not jump to OO 3.0? I don't know about security, but I've been using it on Vista x64 and Ubuntu Studio X64 and it's terrific... just an idea...

Re: Vulnerabilities in Open Office

Post by the_punisher on Thu Nov 06, 2008 1:40 pm

Yeah man, that's what I wanna know: why stick with 2.4 when they have launched 3.0?

Re: Vulnerabilities in Open Office

Post by cmost on Thu Nov 06, 2008 4:37 pm

You guys do realize that you can install OO 3.0 yourselves at any time. First, use the package manager to completely remove all traces of the native Linux Mint OO. Then, simply fetch the latest DEB packages from here: http://download.openoffice.org/other.html#en-US

Unpack the tarball in your home directory; enter the resulting directory; open a gnome-terminal and issue the following command:
sudo dpkg -i *.deb

Next, go into the desktop integration folder and issue the same command. Voilà...the latest OpenOffice.org for Linux Mint.

Re: Vulnerabilities in Open Office

Post by ElQuia on Thu Nov 06, 2008 4:49 pm

Just did that. On Mint x64. Works OK!!!, Gnome integration and all. Now I just have to download the dictionaries and some templates.

Had to work a while to find all traces of all OO. Uninstallation. This is a point in which Linux has to walk some miles yet. No newbie can do a real clean uninstall ...

Idea: Mint is ahead of other distros in installation ease. Why not work some on UNinstallation?

BUT: what I meant in my original post is why keep up with 2.41/42 in the repos or mint install and not migrate NOW to 3.0????

Re: Vulnerabilities in Open Office

Post by LinuxForever on Thu Nov 06, 2008 6:30 pm

Husse wrote: This is for WMF files, certain EMR records of EMF files, and the "senddoc" script, which uses temporary files in an insecure manner.


I never use any WMF files, certain EMR records of EMF files and the "senddoc" script. Do I still have anything to worry about? Should I upgrade to OO 3.0 anyway? Thanks for any help.

Re: Vulnerabilities in Open Office

Post by clem on Fri Nov 07, 2008 2:05 pm

Hi,

First of all, if you don't use the mentioned technologies you don't have anything to worry about. Second, we're based on Ubuntu and we've always relied on them to package security fixes. In fact, we've actually been more conservative than them since we even filter out some updates by assigning them a level 4/5 in mintUpdate.

Husse, I understand your concern and I agree with sharing as much information as possible with everyone but this should really be in the newsletter more than here on the top of the forums. I disagree about the severity of the situation, and even more so about the urgency. Let's make something clear about this "vulnerability" (and this will apply to all "vulnerabilities"):

There is no urgency in you fixing it. Just because you read some advisory doesn't mean you should go out of your repositories' way and start installing software from 3rd party websites. What it means is simply that there has been a security issue in the version of OpenOffice you're currently running for the past 6 months.

Now, what should you do about it? Give it a few more days and wait for a security upgrade from the repositories.

Security is important. That doesn't mean it needs to be overrated. I remember Linus talking about that (of course he's way more eloquent than I am), it's a pity I don't have a link...

Anyway, to summarize:

If you happen to use WMF files, EMR records and the "senddoc" script on a daily basis and if all your data and best-kept secrets are there on the same machine waiting to be corrupted/stolen by malicious people who want to hurt you, then I suppose you can go to OpenOffice.org and download 2.4.2. Or you can take the opportunity to get 3.0. For all other people I would recommend to wait for Ubuntu to release an upgrade.


Clem.

Re: Vulnerabilities in Open Office

Post by Husse on Fri Nov 07, 2008 2:17 pm

Agreed - I could not really decide how much emphasis I should put on it.
I saw some fuss about it, so an alert in the forum for a period would be good, I thought.
Yes, we've used it for a fairly long period, but once the vulnerability has been advertised it becomes dangerous, not so much before.

Re: Vulnerabilities in Open Office

Post by Phosgene on Fri Nov 07, 2008 2:57 pm

cmost wrote: You guys do realize that you can install OO 3.0 yourselves at any time. First, use the package manager to completely remove all traces of the native Linux Mint OO. Then, simply fetch the latest DEB packages from here: http://download.openoffice.org/other.html#en-US

Unpack the tarball in your home directory; enter the resulting directory; open a gnome-terminal and issue the following command:
sudo dpkg -i *.deb

Next, go into the desktop integration folder and issue the same command. Voilà...the latest OpenOffice.org for Linux Mint.


Just to expand on this, make sure you use the .deb OpenOffice download link (I think it defaults to the rpm on the main download link). Which can be found:

http://openoffice.bouncer.osuosl.org/?p ... sion=3.0.0

So you shouldn't have to leave the mint forums as far as downloading and installing goes :)

I heard about this exploit a while back and still updated regardless (OOO 3.0.0 is compatible with .docx I believe, which is something to be thankful for). I thought it had been patched in an advisory I hadn't checked properly though, seeing as most vulnerabilities in open source software go zero day as opposed to staying private.

Re: Vulnerabilities in Open Office

Post by ElQuia on Fri Nov 07, 2008 6:54 pm

Husse, Clem. Ok, I understand what you guys are saying, and (within my limited knowledge) I agree.

But all this does not answer the question why OO 3.0 is not yet in the repos... I've installed it and I'm basking in glory because of the compatibility stuff with MSO 2007. It really solved a problem for me.

If it's the natural precaution in face of a new (and possibly buggy) (I've not found any till now) release, I understand, but why not give the Mint user, moreover in the case of a main app like this, the chance to choose?

Keep on the very good work!
Regards

Re: Vulnerabilities in Open Office

Post by LinuxForever on Fri Nov 07, 2008 10:19 pm

Thank you clem and Husse. I'll wait for the security fixes.

Re: Vulnerabilities in Open Office

Post by febris on Sun Nov 09, 2008 5:09 am

@ElQuia: I didn't expect myself to ever write something like this, but if you want freedom of choice get LFS. Not a Debian based Distro.

OO3.0.0 wasn't default in Intrepid (despite its name) because OO's release was delayed and so there was not enough testing time to include it in a _reliable_ way. OO3.0.1 (to be released on Dec. 2nd) will be a bugfix only release and should prove to be much more stable than the current release. This release will be available on the backport repository.

Re: Vulnerabilities in Open Office

Post by ElQuia on Sun Nov 09, 2008 7:31 am

febris:

1. I'm new to Linux so I don't know what LFS is. :? I guess that's my problem and it's out of the scope of this post explaining it.
Really I thought that ALL in Linux was about freedom of choice.... guess I'll have to do some :roll: reading.
Thanks for your advice anyway. I'll stick with Mint, and with Ubuntu, till I get a RTK working OK on Mint x64.

2.
OO3.0.0 wasn't default in Intrepid (despite its name) because OO's release was delayed and so there was not enough testing time to include it in a _reliable_ way. OO3.0.1 (to be released on Dec. 2nd) will be a bugfix only release and should prove to be much more stable than the current release. This release will be available on the backport repository.

That's a NICE explanation. If you know what I mean? :lol:

Re: Vulnerabilities in Open Office

Post by cmost on Sun Nov 09, 2008 11:16 am

This illustrates the pitfalls Linux faces, but fortunately there is a myriad of choices available to all levels of user (e.g. from newbies to power users.) People want an easy to use distribution that just works right out of the box. On the other hand, they want cutting edge software and they want it right now, moments after it's released. With Mint and Ubuntu and other distributions that provide periodic stable releases on fixed schedules (versus the so-called rolling release of other more cutting edge distros that constantly provide updates) you are forced to take what you're given in the stable repository at the time. If you want an updated version of a package, you have to wait for the next stable release, compile it yourself after installing the prerequisite dependencies, or beg and plead to get it backported from the upcoming release. The bottom line is that you have choice and that means you have the power. If you really, really want an updated package, then it is worth it, in my opinion, to take the time to learn how to compile it yourself. Or choose a more cutting edge distribution and learn to deal with the problems that doing so entails. That's all. You might say that you're a Linux newbie and you don't know how to compile software or you don't want to run a distribution that's less stable due to the fact that it lives on the bleeding edge; because you don't want any problems cropping up. Well, that choice is yours. Again, you have the power to choose. With choice comes consequence and sometimes those consequences entail waiting for an updated package.

Linux Mint, the Mint developers and the Mint community do a fantastic job of finding a happy medium between ease of use and cutting edge features. The Mint developers take a rough Ubuntu base and transform it into the elegance and feature-rich experience that is Linux Mint. The community helps each other solve problems and further enhance the software with howto's, tips and tricks, and troubleshooting.

Re: Vulnerabilities in Open Office

Post by ElQuia on Sun Nov 09, 2008 1:36 pm

cmost:

I mainly agree with you.

Linux Mint, the Mint developers and the Mint community do a fantastic job of finding a happy medium between ease of use and cutting edge features. The Mint developers take a rough Ubuntu base and transform it into the elegance and feature-rich experience that is Linux Mint. The community helps each other solve problems and further enhance the software with howto's, tips and tricks, and troubleshooting.


YES. And this is one of the main motives I'm choosing Mint as my preferred distro. This and the quality of the people in the community, and their predisposition to help. Oh, ya, now and then us noobs do ask something stupid and we get an acid answer.. but ok, those are the rules of the game. And every geek once was a noob. I'm on the other side of the coin with Windows, so I can empathize with you guys :lol: :lol:

Anyway, I'll go on learning with Mint, and starting to get closer to the bleeding edge. Thank God for Acronis or Ghost :lol:, you can always f#"$ it up and roll back.

Thanks to you and the others for the answers and for just being. :D

Re: Vulnerabilities in Open Office

Post by linuxviolin on Sun Nov 16, 2008 5:16 pm

ElQuia wrote: Had to work a while to find all traces of all OO. Uninstallation. This is a point in which Linux has to walk some miles yet. No newbie can do a real clean uninstall ... (...)

Why not work some on UNinstallation?

Uninstall? You can use deborphan in a terminal or gtkorphan in GUI to remove the orphan libraries, unneeded configuration files, packages... Easy :D

cmost wrote: People want an easy to use distribution that just works right out of the box. On the other hand, they want cutting edge software and they want it right now, moments after it's released. With Mint and Ubuntu and other distributions that provide periodic stable releases on fixed schedules (versus the so-called rolling release of other more cutting edge distros that constantly provide updates) you are forced to take what you're given in the stable repository at the time. If you want an updated version of a package, you have to wait for the next stable release, compile it yourself after installing the prerequisite dependencies, or beg and plead to get it backported from the upcoming release. The bottom line is that you have choice and that means you have the power. If you really, really want an updated package, then it is worth it, in my opinion, to take the time to learn how to compile it yourself. Or choose a more cutting edge distribution and learn to deal with the problems that doing so entails. That's all. You might say that you're a Linux newbie and you don't know how to compile software or you don't want to run a distribution that's less stable due to the fact that it lives on the bleeding edge; because you don't want any problems cropping up. Well, that choice is yours. Again, you have the power to choose. With choice comes consequence and sometimes those consequences entail waiting for an updated package.


+1!

I would not have said it better! :D
Last edited by linuxviolin on Sun Nov 16, 2008 5:29 pm, edited 1 time in total.
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)

Re: Vulnerabilities in Open Office

Post by soup on Tue Dec 09, 2008 2:38 pm
