Although free-standing Linux patches remain unavailable for pre-Apache OpenOffice distributions, a platform distribution containing the repair has appeared.
Here is how the Mandriva update was announced: <http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:062>.

Mandriva issued patched versions of their supported distributions for OpenOffice.org, LibreOffice, and the common library that is the source of the vulnerability. There are separate Mandriva advisories for each.

 - Dennis

-----Original Message-----
From: Dennis E. Hamilton [mailto:[email protected]]
Sent: Thursday, April 19, 2012 10:46
To: [email protected]
Subject: RE: CVE-2012-0037: OpenOffice.org data leakage vulnerability

PS: On March 22, when notice of the CVE was made in various places (e.g., <http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086237.html>), that information not only linked to the two available pre-build patches but also included a link to this information on how to find the source code that could be adapted to patching any other related release: <http://www.openoffice.org/security/cves/CVE-2012-0037-src.txt>.

This is not an end-user Linux solution, but it is an available open-source solution.

-----Original Message-----
From: Dennis E. Hamilton [mailto:[email protected]]
<http://mail-archives.apache.org/mod_mbox/incubator-ooo-users/201204.mbox/%[email protected]%3e>
Sent: Wednesday, April 18, 2012 20:10
To: [email protected]
Subject: RE: CVE-2012-0037: OpenOffice.org data leakage vulnerability

[ ... ]

It is the case that a Linux patch has not been produced. It is my understanding that it was thought sufficient for the source code for the patch (which is ALv2 licensed) to end up being built into Linux distributions as the part of Linux vendors making full builds for their custom distributions.

When it was pointed out that many installations of OpenOffice.org on Linux are downloaded and installed directly by end-users (and many Linux distributions include different OpenOffice-lineage software [for which patched releases were already available]), there was a call on ooo-dev for some Linux mavens to pitch in to pull together a patch for Linux. I think a few raised their hands. I know of no further action.

[ ... ]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
