Vulnerabilities in Open Office

Husse

Vulnerabilities in Open Office

Post by Husse »

Some vulnerabilities and a security issue have been reported in OpenOffice, which potentially can be exploited by malicious people to compromise a user's system, and by malicious, local users to perform certain actions with escalated privileges.
This concerns WMF files, certain EMR records of EMF files, and the "senddoc" script, which uses temporary files in an insecure manner.
--------------------
The vulnerabilities are reported in 2.x versions prior to 2.4.2.
--------------------
The version in Elyssa is 2.4.1, which means all Mint versions of OpenOffice are vulnerable.
The version in the repositories is 2.4.1.
Version 2.4.2 can be downloaded directly; it is not a .deb file but a tar.gz, which means that installing is not straightforward.
http://download.openoffice.org/2.4.2/index.html
Edit// I should have added that if you don't use the above mentioned there is no need to do anything and I really only recommend upgrading if you use senddoc heavily.
Source
http://secunia.com/Advisories/32419/
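
The affected range named in the post above (2.x versions prior to 2.4.2) can be checked mechanically. The following is an added example, not part of the original post or of OpenOffice; the function names and the sample version strings are constructed for illustration, and it assumes a `sort` that supports `-V`.

```sh
#!/bin/sh
# Added example: decide whether an OpenOffice.org version string falls in the
# range the advisory names (2.x releases earlier than 2.4.2).
# On a Debian-based system the input could come from
#   dpkg-query -W -f='${Version}' <package>
# where <package> is a placeholder for the installed OpenOffice core package.

FIXED_VERSION="2.4.2"   # first fixed 2.x release, per the post above

# Reduce a Debian-style version ("1:2.4.1-1ubuntu2") to its upstream part
# ("2.4.1").
upstream_version() {
    _v="${1#*:}"      # drop the epoch before ':'
    _v="${_v%-*}"     # drop the Debian revision after the last '-'
    _v="${_v%%~*}"    # drop a "~rc1"-style suffix
    printf '%s\n' "$_v"
}

# Exit status: 0 = in the affected range, 1 = not affected,
# 2 = not a dotted numeric version, so no decision is made.
oo_is_affected() {
    _up="$(upstream_version "$1")"
    case "$_up" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    # Only the 2.x line is named in the advisory.
    [ "${_up%%.*}" = "2" ] || return 1
    [ "$_up" != "$FIXED_VERSION" ] || return 1
    # Version-aware ordering: affected only if the installed version sorts
    # before the fixed one (so 2.10.0 is not mistaken for older than 2.4.2).
    _lowest="$(printf '%s\n%s\n' "$_up" "$FIXED_VERSION" | sort -V | head -n 1)"
    [ "$_lowest" = "$_up" ]
}

# Constructed sample inputs.
for v in '1:2.4.1-1ubuntu2' '2.4.2' '1:3.0.0-4ubuntu1'; do
    if oo_is_affected "$v"; then
        echo "$v: in affected range"
    else
        echo "$v: not in affected range"
    fi
done
```

A distribution can backport a fix without changing the upstream version number, so a patched repository package may still report 2.4.1; the check only compares against upstream releases.
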
ElQuia

Re: Vulnerabilities in Open Office

Post by ElQuia »

Husse: why not jump to OO 3.0? I don't know about security, but I've been using it on Vista x64 and Ubuntu Studio x64 and it's terrific... just an idea...
the_punisher

Re: Vulnerabilities in Open Office

Post by the_punisher »

Yeah man, that's what I wanna know: why stick with 2.4 when they have launched 3.0?
cmost

Re: Vulnerabilities in Open Office

Post by cmost »

You guys do realize that you can install OO 3.0 yourselves at any time. First, use the package manager to completely remove all traces of the native Linux Mint OO. Then, simply fetch the latest DEB packages from here: http://download.openoffice.org/other.html#en-US

Unpack the tarball in your home directory; enter the resulting directory; open a gnome-terminal and issue the following command:
sudo dpkg -i *.deb

Next, go into the desktop integration folder and issue the same command. Voilà... the latest OpenOffice.org for Linux Mint.
ElQuia

Re: Vulnerabilities in Open Office

Post by ElQuia »

Just did that. On Mint x64. Works OK!!!, Gnome integration and all. Now I just have to download the dictionaries and some templates.

Had to work a while to find all traces of all OO. Uninstallation. This is a point in which linux has to walk some miles yet. No newbie can do a real clean uninstall ...

Idea: Mint is ahead of other distros in installation ease. Why not work some on UNinstallation?

BUT: what I meant in my original post is why keep up with 2.41/42 in the repos or mint install and not migrate NOW to 3.0????
LinuxForever

Re: Vulnerabilities in Open Office

Post by LinuxForever »

Husse wrote: This concerns WMF files, certain EMR records of EMF files, and the "senddoc" script, which uses temporary files in an insecure manner.
I never use any WMF files, certain EMR records of EMF files and the "senddoc" script. Do I still have anything to worry about? Should I upgrade to OO 3.0 anyway? Thanks for any help.
clem

Re: Vulnerabilities in Open Office

Post by clem »

Hi,

First of all, if you don't use the mentioned technologies you don't have anything to worry about. Second, we're based on Ubuntu and we've always relied on them to package security fixes. In fact, we've actually been more conservative than them since we even filter out some updates by assigning them a level 4/5 in mintUpdate.

Husse, I understand your concern and I agree with sharing as much information as possible with everyone but this should really be in the newsletter more than here on the top of the forums. I disagree about the severity of the situation, and even more so about the urgency. Let's make something clear about this "vulnerability" (and this will apply to all "vulnerabilities"):

There is no urgency in you fixing it. Just because you read some advisory doesn't mean you should go out of your repositories' way and start installing software from 3rd party websites. What it means is simply that there has been a security issue in the version of OpenOffice you're currently running for the past 6 months.

Now, what should you do about it? Give it a few more days and wait for a security upgrade from the repositories.

Security is important. That doesn't mean it needs to be overrated. I remember Linus talking about that (of course he's way more eloquent than I am), it's a pity I don't have a link...

Anyway, to summarize:
If you happen to use WMF files, EMR records and the "senddoc" script on a daily basis and if all your data and best-kept secrets are there on the same machine waiting to be corrupted/stolen by malicious people who want to hurt you, then I suppose you can go to OpenOffice.org and download 2.4.2. Or you can take the opportunity to get 3.0. For all other people I would recommend to wait for Ubuntu to release an upgrade.
Clem.
Husse

Re: Vulnerabilities in Open Office

Post by Husse »

Agreed - I could not really decide how much emphasis I should put on it.
I saw some fuss about it, so an alert in the forum for a period would be good, I thought.
Yes, we've used it for a fairly long period, but once the vulnerability has been advertised it becomes dangerous, not so much before.
ElQuia

Re: Vulnerabilities in Open Office

Post by ElQuia »

Husse, Clem. Ok I understand what you guys are saying, and (within my limited knowledge) I agree.

But all this does not answer the question why OO 3.0 is not yet in the repos... I've installed it and I'm basking in glory because of the compatibility stuff with MSO 2007. It really solved a problem for me.

If it's the natural precaution in face of a new (and possibly buggy) (I've not found any till now) release, I understand, but why not give the Mint user, moreover in the case of a main app like this, the chance to choose?

Keep on the very good work!
Regards
LinuxForever

Re: Vulnerabilities in Open Office

Post by LinuxForever »

Thank you clem and Husse. I'll wait for the security fixes.
febris

Re: Vulnerabilities in Open Office

Post by febris »

@ElQuia: I didn't expect myself to ever write something like this, but if you want freedom of choice get LFS. Not a Debian based Distro.

OO3.0.0 wasn't default in Intrepid (despite its name) because OO's release was delayed and so there was not enough testing time to include it in a _reliable_ way. OO3.0.1 (to be released on Dec. 2nd) will be a bugfix only release and should prove to be much more stable than the current release. This release will be available on the backport repository.
ElQuia

Re: Vulnerabilities in Open Office

Post by ElQuia »

febris:

1. I'm new to Linux so I don't know what LFS is. :? I guess that's my problem and it's out of the scope of this post explaining it.
Really I thought that ALL in Linux was about freedom of choice.... guess I'll have to do some :roll: reading.
Thanks for your advice anyway. I'll stick with Mint, and with Ubuntu, till I get a RTK working OK on Mint x64.

2.
febris wrote: OO3.0.0 wasn't default in Intrepid (despite its name) because OO's release was delayed and so there was not enough testing time to include it in a _reliable_ way. OO3.0.1 (to be released on Dec. 2nd) will be a bugfix only release and should prove to be much more stable than the current release. This release will be available on the backport repository.
That's a NICE explanation. If you know what I mean? :lol:
cmost

Re: Vulnerabilities in Open Office

Post by cmost »

This illustrates the pitfalls Linux faces, but fortunately there is a myriad of choices available to all levels of user (e.g. from newbies to power users.) People want an easy to use distribution that just works right out of the box. On the other hand, they want cutting edge software and they want it right now, moments after it's released. With Mint and Ubuntu and other distributions that provide periodic stable releases on fixed schedules (versus the so called rolling release of other more cutting edge distros that constantly provide updates) you are forced to take what you're given in the stable repository at the time. If you want an updated version of a package, you have to wait for the next stable release, compile it yourself after installing the prerequisite dependencies, or beg and plead to get it backported from the upcoming release. The bottom line is that you have choice and that means you have the power. If you really, really want an updated package, then it is worth it, in my opinion, to take the time to learn how to compile it yourself. Or choose a more cutting edge distribution and learn to deal with the problems that doing so entails. That's all. You might say that you're a Linux newbie and you don't know how to compile software or you don't want to run a distribution that's less stable due to the fact that it lives on the bleeding edge; because you don't want any problems cropping up. Well, that choice is yours. Again, you have the power to choose. With choice comes consequence and sometimes those consequences entail waiting for an updated package.

Linux Mint, the Mint developers and the Mint community do a fantastic job of finding a happy medium between ease of use and cutting edge features. The Mint developers take a rough Ubuntu base and transform it into the elegance and feature-rich experience that is Linux Mint. The community helps each other solve problems and further enhance the software with howto's, tips and tricks, and troubleshooting.
ElQuia

Re: Vulnerabilities in Open Office

Post by ElQuia »

cmost:

I mainly agree with you.
cmost wrote: Linux Mint, the Mint developers and the Mint community do a fantastic job of finding a happy medium between ease of use and cutting edge features. The Mint developers take a rough Ubuntu base and transform it into the elegance and feature-rich experience that is Linux Mint. The community helps each other solve problems and further enhance the software with howto's, tips and tricks, and troubleshooting.
YES. And this is one of the main motives I'm choosing Mint as my preferred distro. This and the quality of the people in the community, and their predisposition to help. Oh, ya, now and then us noobs do ask something stupid and we get an acid answer.. but ok, those are the rules of the game. And every geek once was a noob. I'm on the other side of the coin with Windows, so I can empathize with you guys :lol: :lol:

Anyway, I'll go on learning with Mint, and starting to get closer to the bleeding edge. Thank God for Acronis or Ghost :lol:, you can always f#"$ it up and roll back.

Thanks to you and the others for the answers and for just being. :D
linuxviolin

Re: Vulnerabilities in Open Office

Post by linuxviolin »

ElQuia wrote: Had to work a while to find all traces of all OO. Uninstallation. This is a point in which linux has to walk some miles yet. No newbie can do a real clean uninstall ... (...)

Why not work some on UNinstallation?
Uninstall? You can use deborphan in a terminal or gtkorphan in a GUI to remove the orphan libraries, unneeded configuration files, packages... Easy :D
cmost wrote: People want an easy to use distribution that just works right out of the box. On the other hand, they want cutting edge software and they want it right now, moments after it's released. With Mint and Ubuntu and other distributions that provide periodic stable releases on fixed schedules (versus the so called rolling release of other more cutting edge distros that constantly provide updates) you are forced to take what you're given in the stable repository at the time. If you want an updated version of a package, you have to wait for the next stable release, compile it yourself after installing the prerequisite dependencies, or beg and plead to get it backported from the upcoming release. The bottom line is that you have choice and that means you have the power. If you really, really want an updated package, then it is worth it, in my opinion, to take the time to learn how to compile it yourself. Or choose a more cutting edge distribution and learn to deal with the problems that doing so entails. That's all. You might say that you're a Linux newbie and you don't know how to compile software or you don't want to run a distribution that's less stable due to the fact that it lives on the bleeding edge; because you don't want any problems cropping up. Well, that choice is yours. Again, you have the power to choose. With choice comes consequence and sometimes those consequences entail waiting for an updated package.
+1!

I would not have said it better! :D
Last edited by linuxviolin on Sun Nov 16, 2008 5:29 pm, edited 1 time in total.
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
soup

Re: Vulnerabilities in Open Office

Post by soup »

Howto: Install OpenOffice 3 in Felicia

http://www.linuxmint.com/forum/viewtopi ... ce#p116214