OK. Clean up is after 3.4.3. Migrating to 3.4 is difficult, but have to do. Nice to solve this problem.
Thank you

2011/11/22 NoOp <gl...@sbcglobal.net>

> On 11/20/2011 07:26 AM, Volker Merschmann wrote:
> > Hi,
> >
> > 2011/11/20 Miyoshi Omori <miyoshi.om...@gmail.com>:
> >> Hello,
> >> My request is about information security.
> >>
> >> Security issues have already been announced as, CVE-2011-2713
> >> corresponds to a comment.
> >> TDF as information, but said that it had been made LibreOffice
> >> 3.4.3 and 3.3.4 fixed.
> >> According to NIST report
> >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713,
> >> 3.3.4 is classified as a vulnerable version on this security issue.
> >> If it is incorrect, could you formally request a modification of
> >> information as TDF.
> >> As a user, it is also a serious problem.
> >
> > Thanks for reporting, I also think the information about 3.3.4 is
> > incorrect there.
> >
> > Your mail has been forwarded to the security team.
> >
> >
> > Volker
> >
> >
>
> https://bugzilla.redhat.com/show_bug.cgi?id=725668
> [(CVE-2011-2713) CVE-2011-2713 openoffice.org: Out-of-bounds read in DOC
> sprm parser]
> Status: CLOSED NOTABUG
> https://bugzilla.redhat.com/show_bug.cgi?id=725668#c14
>
> <quote>
> Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT
>
> It initially appeared that this flaw may be exploitable similar to
> CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution. However
> in the case of this particular flaw, the junk data read is just parsed
> into an internal representation of properties and the maximum harm this
> should cause is application crash (Denial Of Service).
>
> Timeline:
> - Reported to securityt...@openoffice.org on 25-July-2011
> - Received a reply (with tdf-secur...@lists.documentfoundation.org
>   copied) on the same date
> - Release date changed with a few delays in between
> - Release on 5-Oct-2011
>
>
> Statement:
>
> This issue results in an OOB read which is not exploitable for arbitrary
> code execution and can simply cause a crash. We do not consider this as a
> security issue.
> </quote>
>
>
>
> --
> Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org
> Problems?
> http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
> List archive: http://listarchives.documentfoundation.org/www/discuss/
> All messages sent to this list will be publicly archived and cannot be
> deleted