Slashdot Mirror


Security Patch for OpenOffice

An anonymous reader writes "Linuxlookup.com is reporting all users of OpenOffice.org 1.1.4 are urged to download and install this security patch. It addresses a problem noted in a recent advisory. That advisory states that there is a security risk in all circulating releases of OpenOffice.org. This patch fixes the problem in 1.1.4 but not in earlier or subsequent releases."

19 comments

  1. This just goes to show... by bcmm · · Score: 2, Funny

    That you should use secure software like MS Word.

    Oh, wait...

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
    1. Re:This just goes to show... by youknowmewell · · Score: 0, Troll

      In Korea, only old people use MS Word!
      In Soviet Russia, old people use YOU!

      1. Get used by old people.

      2. ???

      3. Profit!

  2. not _that_ serious.. by gl4ss · · Score: 1

    but well, someone might get to you through it.

    "II.DETAILS:
    ----------
    There is a vulnerability in StgCompObjStream::Load() function. When reading DOC document information of format, memory is allocated by DOC provide length. DOC provided a 32 bits integer, and will use the low 16 bits of this number to allocate memory, but when reading doc information, still use the 32 bits number as length, this maybe cause heap overflow, and when free happened, will cause write pointer, maybe cause arbitrary code execute."

    No idea if it's actually doable to execute code through it on 'all' platforms oo runs on.

    --
    world was created 5 seconds before this post as it is.
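The length mismatch described in the advisory quoted above, as an added example that is not part of the thread and is not OpenOffice.org source: a simplified model of sizing a buffer from the low 16 bits of a 32-bit length, next to a loader that validates one length and uses it for both allocation and copy. The record layout, function names and `MAX_FIELD_LEN` cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD_LEN 4096u /* assumed sanity cap, not from the advisory */

/* Flawed pattern: the buffer is sized from the low 16 bits only. */
static size_t truncated_alloc_size(uint32_t len) { return (uint16_t)len; }

/* Bytes a full 32-bit-length read would write past that buffer. */
static uint32_t overflow_bytes(uint32_t len) {
    return len - (uint32_t)truncated_alloc_size(len);
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hardened loader: one validated length drives allocation and copy.
 * Returns a NUL-terminated heap copy (caller frees), NULL on bad input. */
static char *load_field_checked(const uint8_t *buf, size_t n, size_t *out_len) {
    if (n < 4) return NULL;
    uint32_t len = read_le32(buf);
    if (len > MAX_FIELD_LEN || len > n - 4) return NULL;
    char *field = malloc((size_t)len + 1);
    if (!field) return NULL;
    memcpy(field, buf + 4, len);
    field[len] = '\0';
    *out_len = len;
    return field;
}

/* Constructed records: 32-bit little-endian length, then the bytes. */
static const uint8_t good_record[] = {5, 0, 0, 0, 'W', 'r', 'i', 't', 'e'};
static const uint8_t bad_record[] = {8, 0, 1, 0, 'A', 'A', 'A', 'A',
                                     'A', 'A', 'A', 'A'}; /* claims 0x00010008 */

int main(void) {
    size_t len = 0;
    char *ok = load_field_checked(good_record, sizeof good_record, &len);
    char *bad = load_field_checked(bad_record, sizeof bad_record, &len);
    printf("claimed 0x00010008: alloc %zu, overrun %u bytes\n",
           truncated_alloc_size(0x00010008u), (unsigned)overflow_bytes(0x00010008u));
    printf("good: %s, bad: %s\n", ok ? ok : "(rejected)", bad ? bad : "(rejected)");
    free(ok);
    free(bad);
    return 0;
}
```
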
  3. ITS ABOUT TIME by Naikrovek · · Score: 1

    this hole was found like ... oh yeah only like a day ago. well that's pretty good i guess.

    1. Re:ITS ABOUT TIME by NanoGator · · Score: 2, Insightful

      "this hole was found like ... oh yeah only like a day ago. well that's pretty good i guess."

      Heh. 'Good' is relative to who you like or dislike. If this story was about Office, it would be 'bad' that the problem existed at all.

      --
      "Derp de derp."
    2. Re:ITS ABOUT TIME by Curtman · · Score: 1

      this hole was found like ... oh yeah only like a day ago.

      No, it was found 3 days ago.. Gentoo had the patch and a new ebuild that day.

    3. Re:ITS ABOUT TIME by cs02rm0 · · Score: 1

      Ah... I was wondering why I had to download and compile OOo twice in two days.

      Awesome, I had the patch before this hit slashdot the first time round.

    4. Re:ITS ABOUT TIME by 4of12 · · Score: 1

      If this story was about Office, it would be 'bad' that the problem existed at all.

      Yes, it would be bad.

      But people are entitled to gripe more loudly about MS Office because they have paid more money for it than for OpenOffice.

      When a customer discovers a manufacturing defect in the product they bought from MS there isn't a flurry of refunds forthcoming. Instead, dissatisfied customers might get a free downloadable patch in a while, essentially the same level of redress that OpenOffice.org users got for their defective product.

      When you pay more, you expect more.

      --
      "Provided by the management for your protection."
    5. Re:ITS ABOUT TIME by Curtman · · Score: 1

      I was wondering why I had to download and compile OOo twice

      You didn't. openoffice-bin-1.1.4-r1 also contained the fix. No need to compile at all.

    6. Re:ITS ABOUT TIME by NanoGator · · Score: 1

      "But people are entitled to gripe more loudly about MS Office because they have paid more money for it than for OpenOffice."

      Somehow I doubt most of the griping here comes from legitimate Office customers. After all, I thought everybody ran Linux here. /sarcasm

      --
      "Derp de derp."
  4. Patch by Anonymous Coward · · Score: 0

    Linuxlookup.com was kinda slow for me, grab the patch here

    -- gid

  5. Affects people loading malicious MS Word files. by ianezz · · Score: 1

    The advisory on SecurityFocus.

  6. In portage since the 12th by Mad+Merlin · · Score: 1

    *openoffice-1.1.4-r1 (12 Apr 2005)

    12 Apr 2005; Andreas Proschofsky <suka@gentoo.org>
    +files/1.1.4/crash-objstream.diff, +openoffice-1.1.4-r1.ebuild:
    Revision bump for security fix, see bug #88863

    Has been in portage (x86 at least) for a few days now, included with 1.1.4-r1.
    1. Re:In portage since the 12th by Stevyn · · Score: 1

      Which just goes to show you that distributing software through package managers instead of spending $300 on a CD every two years leads to better security in practice. Any distro that uses a package manager to automatically check for software upgrades would be a good leg up in preventing outdated software from being exploited.

  7. Great by Svippy · · Score: 0

    At least things get updated faster with Linux than Microsoft and its evil software applications.

    Oooh, ain't they evil!

    --
    Clicked pie.
  8. How about StarOffice? by Jim+Hall · · Score: 1

    I'm on the StarOffice 8 beta program ... anyone know if this version is vulnerable on Linux? I assume so, since it's based on an OOo 2.0 beta build.

  9. This just in! by Anonymous Coward · · Score: 0

    A patch for OpenOffice.org, 1.1.4, the latest release, is now available. The patch does not work on any earlier or any newer versions.

    Disclaimer: Yes, I know there's the 2.0 betas, but then how is this statement funny?

  10. Can someone explain, please... by Jane+Hackworth · · Score: 0, Offtopic

    I think I understand the general concept of a buffer overflow, but how would the malicious input get into my OpenOffice in the first place? I'm using 1.1.0 and I don't want to upgrade to 1.1.4 just so I can patch it. *sulk*