Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Sun Microsystems Software Linux

Security Patch for OpenOffice 19

An anonymous reader writes "Linuxlookup.com is reporting all users of OpenOffice.org 1.1.4 are urged to download and install this security patch. It addresses a problem noted in a recent advisory. That advisory states that there is a security risk in all circulating releases of OpenOffice.org. This patch fixes the problem in 1.1.4 but not in earlier or subsequent releases."
This discussion has been archived. No new comments can be posted.

Security Patch for OpenOffice

Comments Filter:
  • by bcmm ( 768152 ) on Friday April 15, 2005 @11:53AM (#12245714)
    That you should use secure software like MS Word.

    Oh, wait...
  • but well, someone might get to you through it.

    "II.DETAILS:
    ----------
    There is a vulnerability in StgCompObjStream::Load() function,
    When reading DOC document information of format,memory is allocated by DOC provide
    length.
    DOC provided a 32 bits integer,and will use the low 16 bits of this number to allocate
    memory,
    but when reading doc information,still use the 32 bits number as length,this maybe
    cause heap
    overflow, and when free happened ,will cause write pointer,maybe cause arbitrary code
    excute ."

    No ide
  • this hole was found like ... oh yeah only like a day ago. well that's pretty good i guess.
    • Re:ITS ABOUT TIME (Score:3, Insightful)

      by NanoGator ( 522640 )
      "this hole was found like ... oh yeah only like a day ago. well that's pretty good i guess."

      Heh. 'Good' is relative to who you like or dislike. If this story was about Office, it would be 'bad' that the problem existed at all.

      • If this story was about Office, it would be 'bad' that the problem existed at all.

        Yes, it would be bad.

        But people are entitled to gripe more loudly about MS Office because they have paid more money for it than for OpenOffice.

        When a customer discovers a manufacturing defect in the product they bought from MS there isn't a flurry of refunds forthcoming. Instead, dissatisfied customers might get a free downloadable patch in a while, essentially the same level of redress that OpenOffice.org users got for t

        • "But people are entitled to gripe more loudly about MS Office because they have paid more money for it than for OpenOffice."

          Somehow I doubt most of the griping here comes from legitimate Office customers. Afterall, I thought everybody ran Linux here. /sarcasm
    • this hole was found like ... oh yeah only like a day ago.

      No, it was found 3 days ago [securityfocus.com].. Gentoo had the patch and a new ebuild that day.
      • Ah... I was wondering why I had to download and compile OOo twice in two days.

        Awesome, I had the patch before this hit slashdot the first time round.
        • I was wondering why I had to download and compile OOo twice

          You didn't. openoffice-bin-1.1.4-r1 also contained the fix. No need to compile at all.
  • The advisory [securityfocus.com] on SecurityFocus.
  • *openoffice-1.1.4-r1 (12 Apr 2005)

    12 Apr 2005; Andreas Proschofsky <suka@gentoo.org>
    +files/1.1.4/crash-objstream.diff, +openoffice-1.1.4-r1.ebuild:
    Revision bump for security fix, see bug #88863
    Has been in portage (x86 at least) for a few days now, included with 1.1.4-r1.
    • Which just goes to show you that distributing software through package managers instead spending $300 on a CD every two years leads to better security in practice. Any distro that uses a package manager to automatically check for software upgrades would be a good leg up in preventing outdated software from being exploited.
  • I'm on the StarOffice 8 beta program ... anyone know if this version is vulnerable on Linux? I assume so, since it's based on an OOo 2.0 beta build.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...