On Sun, Apr 29, 2012 at 4:14 PM, Ariel Constenla-Haile <[email protected]> wrote: > Hi Gary, > > On Sun, Apr 29, 2012 at 12:24:11PM -0700, NoOp wrote: >> On 04/26/2012 01:36 PM, NoOp wrote: >> > On 04/24/2012 03:50 AM, Ariel Constenla-Haile wrote: >> ... >> >> >> >> The library is inside the following package: >> >> 64 bits: ooobasis3.4-core05_3.4.0-1_amd64.deb >> >> 32 bits: ooobasis3.4-core05_3.4.0-1_i386.deb >> > >> > Excellent! Got them both and so far nothing has blown up in 3.3.0 (32 >> > bit and 64 bit) :-) Thanks. >> ... >> >> No crashes etc. Is there a way that I can test to see if this >> modification actually is working? > > A general test, like the one you performed, tests that the library can > be loaded (no missing symbols) and its functionality executed (I could > even provide some OOo basic code that directly uses the UNO component in > that library). > > There is a document to test the actual vulnerability, but it is only > accesible to members of the AOO security mailing list (due to the > obvious reasons). I quote a mail from the development mailing list: > > >> For #3, I'm sure many of us can help. We have a proof of concept file >> that shows the exploit that we can test against, but we need to take >> extreme measures to ensure that filed is not publicly disclosed. > > I tested on > > Fedora 16 - 64 bits > Ubuntu 11.10 (Oneiric Ocelot) - 64 bits > Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits > > The problem is that I couldn't reproduce the issue: OOo 3.3 simply > *crashes* when trying to open the bug document lin.odt (the report says > it should perform some malicious actions). > > The good news is that replacing the old library with the patched library > solves the crash, and does not reproduce the vulnerability issue. > > I am not sure if anyone has been able to reproduce the issue on Linux > with OOo 3.3. May be we can give you the file to test it, it would be > nice to have someone else testing it. If someone knows we are able to do > so, please let us know. >
Absolutely not. The test exploit file must *not* be shared. -Rob > I ping Rob, here on CC. > > > Regards > -- > Ariel Constenla-Haile > La Plata, Argentina --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
