security warning AOO

rosttyo

security warning AOO

Today, the following mail was distributed from [hidden email].
Can LibO users face the same threat?

QUOTE

CVE-2015-1774

OpenOffice HWP Filter Remote Code Execution and Denial of Service
Vulnerability

A vulnerability in OpenOffice's HWP filter allows attackers to cause a
denial of service (memory corruption and application crash) or possibly
execution of arbitrary code by preparing specially crafted documents in
the HWP document format.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

    All Apache OpenOffice versions 4.1.1 and older are affected.

Mitigation:

Apache OpenOffice users are advised to remove the problematic library in
the "program" folder of their OpenOffice installation. On Windows it is
named "hwp.dll", on Mac it is named "libhwp.dylib" and on Linux it is
named "libhwp.so". Alternatively the library can be renamed to anything
else e.g. "hwp_renamed.dll".
This mitigation will drop AOO's support for documents created in "Hangul
Word Processor" versions from 1997 or older. Users of such documents are
advised to convert their documents to other document formats such as
OpenDocument before doing so.

Apache OpenOffice aims to fix the vulnerability in version 4.1.2.

Credits:

Thanks to an anonymous contributor working with VeriSign iDefense Labs.

UNQUOTE



--
To unsubscribe e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
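
The mitigation quoted in the advisory above, as an added example that is not part of the original thread or of Apache OpenOffice's own tooling: it looks for the three library names the advisory lists and renames any it finds, following the advisory's "hwp_renamed.dll" pattern. The "program" folder path is supplied by the caller, and the function names, the `--apply` switch and the demo files are assumptions made for this illustration.

```python
import sys
import tempfile
from pathlib import Path

# Library names quoted in the advisory (Windows, Mac, Linux).
HWP_LIBS = ("hwp.dll", "libhwp.dylib", "libhwp.so")


def find_hwp_libs(program_dir):
    """Return the HWP filter libraries still present in program_dir."""
    base = Path(program_dir)
    return [base / name for name in HWP_LIBS if (base / name).is_file()]


def disable_hwp_filter(program_dir, dry_run=True):
    """Rename each library found, e.g. hwp.dll -> hwp_renamed.dll.
    Returns (old, new) path pairs; with dry_run=True nothing is changed."""
    changes = []
    for lib in find_hwp_libs(program_dir):
        target = lib.with_name(f"{lib.stem}_renamed{lib.suffix}")
        if target.exists():
            raise FileExistsError(f"{target} already exists; inspect manually")
        if not dry_run:
            lib.rename(target)
        changes.append((lib, target))
    return changes


def demo():
    """Run against a constructed stand-in for a "program" folder."""
    with tempfile.TemporaryDirectory() as tmp:
        prog = Path(tmp) / "program"
        prog.mkdir()
        (prog / "libhwp.so").write_bytes(b"constructed placeholder")
        (prog / "soffice.bin").write_bytes(b"constructed placeholder")
        planned = disable_hwp_filter(prog, dry_run=True)
        still_there = [p.name for p in find_hwp_libs(prog)]  # dry run left it
        disable_hwp_filter(prog, dry_run=False)
        after = sorted(p.name for p in prog.iterdir())
        return [(a.name, b.name) for a, b in planned], still_there, after


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py <program folder> [--apply]
        apply = "--apply" in sys.argv
        for old, new in disable_hwp_filter(sys.argv[1], dry_run=not apply):
            print(f"{old} -> {new}")
    else:
        print(demo())
```

Run without `--apply` first to see what would be renamed; an empty result means none of the three libraries is present in that folder.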

Italo Vignoli-6

Re: security warning AOO

LibreOffice 4.3.7, released yesterday, and LibreOffice 4.4.2, available
since early April, include a patch for the issue, and therefore offer a
real solution to the problem (and not a workaround).

On 26/04/15 11:31, rost52 wrote:

> Today, following mail was distributed from [hidden email].
> Can LibO users face the same threat?
>
> QUOTE
>
> CVE-2015-1774
>
> OpenOffice HWP Filter Remote Code Execution and Denial of Service
> Vulnerability
>
> A vulnerability in OpenOffice's HWP filter allows attackers to cause a
> denial of service (memory corruption and application crash) or possibly
> execution of arbitrary code by preparing specially crafted documents in
> the HWP document format.
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>
>     All Apache OpenOffice versions 4.1.1 and older are affected.
>
> Mitigation:
>
> Apache OpenOffice users are advised to remove the problematic library in
> the "program" folder of their OpenOffice installation. On Windows it is
> named "hwp.dll", on Mac it is named "libhwp.dylib" and on Linux it is
> named "libhwp.so". Alternatively the library can be renamed to anything
> else e.g. "hwp_renamed.dll".
> This mitigation will drop AOO's support for documents created in "Hangul
> Word Processor" versions from 1997 or older. Users of such documents are
> advised to convert their documents to other document formats such as
> OpenDocument before doing so.
>
> Apache OpenOffice aims to fix the vulnerability in version 4.1.2.



--
Italo Vignoli - Marketing & PR
mobile +39.348.5653829 - email / jabber [hidden email]
hangout / jabber [hidden email] - skype italovignoli
GPG Key ID - 0xAAB8D5C0
DB75 1534 3FD0 EA5F 56B5 FDA6 DE82 934C AAB8 D5C0


mhenriday

Re: security warning AOO

2015-04-26 11:47 GMT+02:00 Italo Vignoli <[hidden email]>:

> LibreOffice 4.3.7, released yesterday, and LibreOffice 4.4.2, available
> since early April, include a patch for the issue, and therefore offer a
> real solution to the problem (and not a workaround).


Thanks, Italo - good to know that the LibO devs were on to this one!...

Henri
