Thank you Dave for all your work and co-ordination with security, the
reporter, and communications.
Best regards,
Carl
On 4/15/21 4:06 PM, Dave Fisher wrote:
Hi -
Here is some background on the issue which has apparently existed since about
OpenOffice.org 2.0 in 2005 or so.
See https://bz.apache.org/ooo/show_bug.cgi?id=49802
Some confusion existed between types of hyperlinks and rather than filtering
they were all allowed to proceed.
Arrigo restored the code and Carl added some protocol checks:
https://github.com/apache/openoffice/commit/aa358bfc895091e0ee5382ad1d25e5d51261463b
This current code will cause a warning for any http(s) hyperlinks that do not
have an extension in the “whitelist.”
Some think that we should blanket allow all http(s) hyperlinks so I’ve created
a PR for that:
https://github.com/apache/openoffice/pull/127
Topics for 4.2.0 include:
(1) A better dialog box for the hyperlink security warning
(2) Implement an option to allow users to choose from 3 levels of hyperlink
security that is in the code, but not the settings. The levels in the code are
essentially:
- No Security
- What we have now
- And only help links
All The Best,
Dave
On Apr 15, 2021, at 12:34 PM, Dave Fisher <w...@apache.org> wrote:
Hi -
We are working on releasing 4.1.10 soon do to this security report [1] which
was announced today.
I’d like to credit Arrigo Marchiori and Carl Marcum for development. Ariel
Constenla-Haile and Peter Kovacs for our indispensible OpenGrok setup. Matthias
Seidel, Marcus Lange, Jim Jagielski, and Don Lewis for builds and testing.
All The Best,
Dave
[1] https://positive.security/blog/url-open-rce
On Apr 15, 2021, at 12:18 PM, Dave Fisher <w...@apache.org> wrote:
Severity: moderate
Description:
The project received a report that all versions of Apache OpenOffice through
4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006
and the issue is also in 4.1.9. If the link is specifically crafted this could
lead to untrusted code execution. It is always best practice to be careful
opening documents from unknown and unverified sources. The mitigation in Apache
OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed
giving the user the option of continuing to open the hyperlink.
Credit:
Fabian Bräunlein and Lukas Euler of Positive Security
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
