Hi Rob,

On Thu, Mar 22, 2012 at 05:47:50PM -0400, Rob Weir wrote:
> We need a few things:
>
> 1) Someone to build the patch
> (http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt)
>
> 2) Someone to create install instructions for the patch
>
> 3) One or more people to test the patch
>
> 4) Someone to update the website and send out an announcement
>
>
> #1 is actually a lot easier than it sounds. If you can build AOO 3.4
> under Linux then you probably are already building the patched file.
> We might even just extract the relevant library from a dev snapshot
> install. But we need to consider what variations we need, 32 versus
> 64, etc.

Indeed, you only have to take the library from the RC1 and copy it to
the 3.3 installation directory, adapting the name because AOO has
removed the library postfix (lx for 64 bits, li for 32 bits).

> For #2 I have the source for the existing install instructions. I'm
> happy to share with anyone who wants to update the instructions and
> screenshots for Linux users.

Screenshots for Linux don't make sense, it's simply running some
commands from a terminal: http://s.apache.org/4QC

Please send me the source for the existing install instructions, I'll
update the instructions for Linux.

> For #3, I'm sure many of us can help. We have a proof of concept file
> that shows the exploit that we can test against, but we need to take
> extreme measures to ensure that file is not publicly disclosed.

I tested on

  Fedora 16 - 64 bits
  Ubuntu 11.10 (Oneiric Ocelot) - 64 bits
  Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits

The problem is that I couldn't reproduce the issue: OOo 3.3 simply
*crashes* when trying to open the bug document lin.odt

The good news is that replacing the old library with the patched
library solves the crash, and does not reproduce the vulnerability
issue.

Was anyone able to reproduce the issue on Linux with OOo 3.3?

> For #4, I am happy to help with the digital signature and staging to
> the mirrors, etc. Updating the webpage is really easy, using the
> Apache CMS.

I've uploaded a version to test:

http://people.apache.org/~arielch/CVE-2012-0037.zip
http://people.apache.org/~arielch/CVE-2012-0037.zip.asc

Gary did some tests (not with the bug document lin.odt), I guess he
just tested that "it worked", that is, no undefined symbol references
when loading the library.

Regards
--
Ariel Constenla-Haile
La Plata, Argentina