openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From J├╝rgen Schmidt <jogischm...@gmail.com>
Subject Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability
Date Thu, 30 Apr 2015 06:48:33 GMT
On 29/04/15 21:53, Marcus wrote:
> Am 04/29/2015 05:39 PM, schrieb jan i:
>> On 29 April 2015 at 15:07, Simon Phipps<simon@webmink.com>  wrote:
>>
>>> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti<pescetti@apache.org>
>>> wrote:
>>>
>>>> Simon Phipps wrote:
>>>>
>>>>> Given this problem is not fixed in the current download, should the
>>>>> project
>>>>> suspend downloads until it can be addressed?
>>>>>
>>>>
>>>> This looks like a very extreme measure to take. The severity of the
>>>> issue
>>>> would not justify it.
>>>
>>>
>>> Can you explain that please? The CVE says "Severity: Important" and the
>>> effects are "a denial of service or possibly execution of arbitrary
>>> code by
>>> preparing specially crafted documents in the HWP document format."
>>>
>>> The fact we are unaware of current exploits does not mitigate the risk
>>> arising from distributing the software, and the rarity of the file
>>> format
>>> does not reduce the likelihood of it being used in an exploit. Maybe
>>> I am
>>> missing some of the context from the private security list?
>>>
>> It seems to be an extremely seldom used feature, that makes the exploit
>> unlikely.
>>
>> I am with Andrea, stopping downloads would not be right in this case.
> 
> +1 I also don't see this as a reason to stop to offer downloads.

stopping the downloads is completely exaggerated. I personally never
have seen such a file besides test documents in real life. We have a
simple and effective work around in place. Even Korean community members
on our l10n list have mentioned that the format is no longer relevant.

And of course we have analyzed the exploit and have decided to either
fix it for the next release or as currently discussed to drop it
completely to get away a further obsolete format.

Why I don't wonder from whom this idea is coming ;-) And Simon to be
serious we take security issues very serious. So for every one who want
to write something about security in AOO, security issues were and still
are a serious and important topic for AOO and we analyze and decide what
to do for every single security issue.

Juergen

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Mime
View raw message