OK.

Clean up is after 3.4.3.
Migrating to 3.4 is difficult, but it has to be done.
Nice to solve this problem.

Thank you

2011/11/22 NoOp <gl...@sbcglobal.net>

> On 11/20/2011 07:26 AM, Volker Merschmann wrote:
> > Hi,
> >
> > 2011/11/20 Miyoshi Omori <miyoshi.om...@gmail.com>:
> >> Hello,
> >> My request is about information security.
> >>
> >> Security issues have already been announced as, CVE-2011-2713
> >> corresponds to a comment.
> >> TDF as information, but said that it had been made LibreOffice
> >> 3.4.3 and 3.3.4  fixed.
> >> According to NIST report
> >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2713,
> >> 3.3.4 is classified as a vulnerable version on this security issue.
> >> If it is incorrect, could you formally request a modification of
> >> information as TDF.
> >> As a user, it is also a serious problem.
> >
> > Thanks for reporting, I also think the information about 3.3.4 is
> > incorrect there.
> >
> > Your mail has been forwarded to the security team.
> >
> >
> > Volker
> >
> >
>
> https://bugzilla.redhat.com/show_bug.cgi?id=725668
> [(CVE-2011-2713) CVE-2011-2713 openoffice.org: Out-of-bounds read in DOC
> sprm parser]
> Status:         CLOSED NOTABUG
> https://bugzilla.redhat.com/show_bug.cgi?id=725668#c14
>
> <quote>
> Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT
>
> It initially appeared that this flaw may be exploitable similar to
> CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution. However,
> in the case of this particular flaw, the junk data read is just parsed
> into an internal representation of properties and the maximum harm this
> should cause is application crash (Denial Of Service).
>
> Timeline:
> - Reported to securityt...@openoffice.org on 25-July-2011
> - Received a reply (with tdf-secur...@lists.documentfoundation.org
>   copied) on the same date
> - Release date changed with a few delays in between
> - Release on 5-Oct-2011
>
>
> Statement:
>
> This issue results in an OOB read which is not exploitable for arbitrary
> code execution and can simply cause a crash. We do not consider this as a
> security issue.
> </quote>
>
>
>
> --
> Unsubscribe instructions: E-mail to discuss+h...@documentfoundation.org
> Problems?
> http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
> List archive: http://listarchives.documentfoundation.org/www/discuss/
> All messages sent to this list will be publicly archived and cannot be deleted
>
>
