There has been no discussion of any sort of Linux triage regarding CVE-2012-0037 that I am aware of.
It is not unusual for CVEs to sit in limbo like that. I have no idea who recorded this particular CVE. In any case, the updating of the CVE is different from when and where there is a mitigation.

You know from watching the effort that produces developer snapshots that Linux is included. It is also easy to confirm that a buildbot builds for Linux every night. And the packaging of candidates for release of Apache OpenOffice 3.4.0 includes full Linux sets. See <https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+Unofficial+Developer+Snapshots> and <https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+%28incubating%29+Release+Candidate>

It is the case that a Linux patch has not been produced. It is my understanding that it was thought sufficient for the source code for the patch (which is ALv2 licensed) to end up being built into Linux distributions as part of Linux vendors making full builds for their custom distributions. When it was pointed out that many installations of OpenOffice.org on Linux are downloaded and installed directly by end-users (and many Linux distributions include different OpenOffice-lineage software [for which patched releases were already available]), there was a call on ooo-dev for some Linux mavens to pitch in to pull together a patch for Linux. I think a few raised their hands. I know of no further action.

To issue a patch for Windows was easy in a particular way: a single DLL was rebuilt from entirely-Apache-licensed code that now exists. Even then, extraordinary measures were required to make it available outside of the Apache requirements for an approved release. Not being a Linux developer myself, I don't know if there was a similar opportunity and I don't know if a similar exception is available. I presume so, since there was a Macintosh patch, but I am no expert.

All of the current developer snapshots and potential release candidates have the fix, including for Linux. But these are not releases.
I would not be surprised to learn that the developers expected an AOO 3.4 release to have been available by now and that achieving that has commanded all of the attention. I am guessing, of course.

 - Dennis

-----Original Message-----
From: NoOp [mailto:[email protected]]
Sent: Wednesday, April 18, 2012 17:56
To: [email protected]
Subject: Re: CVE-2012-0037: OpenOffice.org data leakage vulnerability

On 03/23/2012 02:17 PM, Rob Weir wrote:
> On Fri, Mar 23, 2012 at 5:11 PM, Girvin R. Herr
> <[email protected]> wrote:
>> Dave,
>> Thanks for the quick, encouraging response.
>> I thought this security patch was part of an Apache effort and sanction. I
>> was not aware that it was produced by a 3rd party without Apache support.
>
> That's a logical leap without basis. It is possible for a small group
> at Apache to have produced the patch and for there to be no policy
> against Linux. In fact both statements are true.
>
> Remember, we're not a commercial software vendor. Apache is a
> non-profit, run by volunteers. If volunteers wish to make a Linux
> patch, then they will. And it appears they will. We've certainly
> been building and testing OpenOffice 3.4 for Linux. If there are
> volunteers for Solaris, BSD, OS/2 or whatever, those patches will also
> appear. The Apache license allows anyone to take this code and build
> it on whatever platform they want.
>
>> My apologies to all. I will still keep an eye on it, but I am relieved that
>> the Linux omission was not a result of Apache policy.
>
> Again, policy has nothing to do with this.

...

Really? Then perhaps you can tell us where to find the linux patch. It's now April 18. AOO couldn't figure out a linux patch in all that time? Is there a different mirror than: <http://www.eng.lsu.edu/mirrors/apache//incubator/ooo/3.3/patches/cve-2012-0037/> with the linux patch(s)? Seems pretty sad that AOO are unable to provide a linux patch when the Windows and Mac patches were provided 21 March.
Makes one wonder if Apache even plans to support linux AOO. Particularly given this statement: "Linux and other platforms should consult their distro or OS vendor for patch instructions." on <http://www.openoffice.org/security/cves/CVE-2012-0037.html>.

BTW: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037> is still showing:

CVE-2012-0037 (under review)
"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."

Nor is there any mention of that CVE here: <https://incubator.apache.org/openofficeorg/security.html>

So perhaps it really isn't something to worry about after all.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
