openoffice-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From orc...@apache.org
Subject svn commit: r1764183 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2016-1513.html
Date Tue, 11 Oct 2016 00:26:02 GMT
Author: orcmid
Date: Tue Oct 11 00:26:02 2016
New Revision: 1764183

URL: http://svn.apache.org/viewvc?rev=1764183&view=rev
Log:
Stage CVE-2015-1513 web advisory Version 3 for 2016-10-11 (or later) publishing

Modified:
    openoffice/ooo-site/trunk/content/security/cves/CVE-2016-1513.html

Modified: openoffice/ooo-site/trunk/content/security/cves/CVE-2016-1513.html
URL: http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2016-1513.html?rev=1764183&r1=1764182&r2=1764183&view=diff
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2016-1513.html (original)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2016-1513.html Tue Oct 11 00:26:02
2016
@@ -6,11 +6,11 @@
     </head>
 
     <body>
-    <!-- These were previously defined as XHTML pages. The current wrapping for the site
-         introduces HTML5 headers and formats. This version is modified to match the
-         wrapping that is done as part of publishing this page and not rely on any
-         particular styling beyond <p>.
-    -->
+    <!-- These were previously defined as XHTML pages. The current wrapping
+         for the site introduces HTML5 headers and formats. This version is
+         modified to match the wrapping that is done as part of publishing
+         this page and not rely on any particular styling beyond <p>.
+         -->
 
         <p>
           <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1513">
@@ -27,10 +27,11 @@
         </p>
 
         <p>
-          <strong>Version 2.0</strong>
+          <strong>Version 3.0</strong>
         </p>
 
         <p>
+          Updated October 11, 2016<br />
           Updated August 30, 2016<br />
           Announced July 21, 2016
         </p>
@@ -40,12 +41,22 @@
         </p>
 
         <p>
-          An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain
invalid presentation elements that lead to memory corruption when the document is loaded in
Apache OpenOffice Impress. The defect may cause the document to appear as corrupted and OpenOffice
may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of
the defect can allow an attacker to cause denial of service (memory corruption and application
crash) and possible execution of arbitrary code.
-        </p>
-        <p>Impress cannot be used to directly produce documents having the CVE-2016-1513-related
defect.  Impress-authored .ODF and .ODT
-          documents of an user's own that exhibit any of these characteristics are not the
result of an exploit.  They may be consequences
+          An OpenDocument Presentation .ODP or Presentation Template .OTP file
+          can contain invalid presentation elements that lead to memory
+          corruption when the document is loaded in Apache OpenOffice Impress.
+          The defect may cause the document to appear as corrupted and
+          OpenOffice may crash in a recovery-stuck mode requiring manual
+          intervention. A crafted exploitation of the defect can allow an
+          attacker to cause denial of service (memory corruption and
+          application crash) and possible execution of arbitrary code.
+        </p>
+        <p>Impress cannot be used to directly produce documents having the
+           CVE-2016-1513-related defect.  Impress-authored .ODF and .ODT
+          documents of an user's own that exhibit any of these characteristics
+          are not the result of an exploit.  They may be consequences
           of a separate Impress defect that should be reported.
-
+        </p>
+        
         <p>
           <strong>Severity: Medium</strong>
         </p>
@@ -72,10 +83,16 @@
         </p>
 
         <p>
-          Install the 4.1.2-patch1 Hotfix available at 
+          Install Apache OpenOffice 4.1.3 for the latest maintenance and
+          cumulative security fixes.  Use the Apache OpenOffice 
+          <a href="https://www.openoffice.org/download/">download page</a>
+          <br /><br />
+          Users of Apache OpenOffice 4.1.2 that cannot update to 4.1.3
+          can Install the 4.1.2-patch1 Hotfix available at 
           <a href="http://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html">http://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html</a>.
           <br /><br />
-			A source-code patch that blocks the vulnerability has been developed and is available
for developers at <a href="https://bz.apache.org/ooo/show_bug.cgi?id=127045">issue 127045</a>
with SVN revision <a href="http://svn.apache.org/viewvc?view=revision&revision=1754535">1754535</a>.
+            A source-code patch that blocks the vulnerability has been developed and is available
for developers at <a href="https://bz.apache.org/ooo/show_bug.cgi?id=127045">issue 127045</a>
with SVN revision 
+            <a href="http://svn.apache.org/viewvc?view=revision&revision=1754535">1754535</a>.
           <br /><br />
           Antivirus products can detect documents attempting to exploit this vulnerability
by employing Snort Signature IDs 35828-35829.
         </p>
@@ -85,15 +102,22 @@
         </p>
 
         <p>
-          If you are unable to apply the Hotfix to Apache OpenOffice 4.1.2 (after updating
to that version, if necessary), there are other
-          precautions that can be taken.  These precautions are applicable in avoiding other
possible exploits as well.
-          <br /><br />
-          For defects such as those involved in CVE-2016-1513, documents can be crafted to
cause memory corruption enough to crash Apache OpenOffice. 
-          Beyond that, however, the conditions under which arbitrary code can be executed
are complex and difficult to achieve in an undetected manner.
+          If you are unable to update, there are other precautions that
+          can be taken.  These precausions are recommended for all users
+          of all versions of Apache OpenOffice, including the latest
+          available.
           <br /><br />
-          An important layer of defense for all such cases is to avoid operating Apache OpenOffice
(and any other personal productivity programs) under a computer account that has administrative
privileges of any kind. While installation of Apache OpenOffice requires elevated privileges
and user permission on platforms such as Microsoft Windows, operation of the software does
not.
+          Avoid operating Apache OpenOffice (and any other personal
+          productivity programs) under a computer account that has 
+          administrative privileges of any kind. While installation of 
+          Apache OpenOffice requires elevated privileges and user permission 
+          on platforms such as Microsoft Windows, operation of the software 
+          does not.
           <br /><br />
-          Keeping antivirus/antimalware software current is also important. This will serve
to identify and distinguish suspicious documents that involve the exploit, avoiding confusion
with documents that are damaged and/or fail for other reasons.
+          Keeping antivirus/antimalware software current is also important. 
+          This will serve to identify and distinguish suspicious documents 
+          that involve the exploit, avoiding confusion with documents that 
+          are damaged and/or fail for other reasons.
         </p>
         
         <p>
@@ -101,11 +125,19 @@
         </p>
         
         <p>
-          For additional information and assistance, consult the <a href="https://forum.openoffice.org/">Apache
OpenOffice Community Forums</a>, or make requests to the <a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a>
public mailing list. Defects not involving suspected security vulnerabilities can be reported
with a normal issue via <a href="http://www.openoffice.org/qa/issue_handling/pre_submission.html">Bugzilla</a>.
+          For additional information and assistance, consult the 
+          <a href="https://forum.openoffice.org/">Apache OpenOffice 
+          Community Forums</a>, or make requests to the 
+          <a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a>

+          public mailing list. Defects not involving suspected security 
+          vulnerabilities can be reported with a normal issue via 
+          <a href="http://www.openoffice.org/qa/issue_handling/pre_submission.html">Bugzilla</a>.
         </p>
 
         <p>
-          The latest information on Apache OpenOffice security bulletins can be found at
the <a href="http://www.openoffice.org/security/bulletin.html">
+          The latest information on Apache OpenOffice security bulletins can 
+          be found at the 
+          <a href="http://www.openoffice.org/security/bulletin.html">
           Bulletin Archive page</a>.
         </p>
 



Mime
View raw message