On Sun, Apr 29, 2012 at 5:09 PM, Ariel Constenla-Haile <[email protected]> wrote: > On Sun, Apr 29, 2012 at 04:42:22PM -0400, Rob Weir wrote: >> >> >> The library is inside the following package: >> >> >> 64 bits: ooobasis3.4-core05_3.4.0-1_amd64.deb >> >> >> 32 bits: ooobasis3.4-core05_3.4.0-1_i386.deb >> >> > >> >> > Excellent! Got them both and so far nothing has blown up in 3.3.0 (32 >> >> > bit and 64 bit) :-) Thanks. >> >> ... >> >> >> >> No crashes etc. Is there a way that I can test to see if this >> >> modification actually is working? >> > >> > A general test, like the one you performed, tests that the library can >> > be loaded (no missing symbols) and its functionality executed (I could >> > even provide some OOo basic code that directly uses the UNO component in >> > that library). >> > >> > There is a document to test the actual vulnerability, but it is only >> > accesible to members of the AOO security mailing list (due to the >> > obvious reasons). I quote a mail from the development mailing list: >> > >> > >> >> For #3, I'm sure many of us can help. We have a proof of concept file >> >> that shows the exploit that we can test against, but we need to take >> >> extreme measures to ensure that filed is not publicly disclosed. >> > >> > I tested on >> > >> > Fedora 16 - 64 bits >> > Ubuntu 11.10 (Oneiric Ocelot) - 64 bits >> > Ubuntu 10.04.4 LTS (Lucid Lynx) - 32 bits >> > >> > The problem is that I couldn't reproduce the issue: OOo 3.3 simply >> > *crashes* when trying to open the bug document lin.odt (the report says >> > it should perform some malicious actions). >> > >> > The good news is that replacing the old library with the patched library >> > solves the crash, and does not reproduce the vulnerability issue. >> > >> > I am not sure if anyone has been able to reproduce the issue on Linux >> > with OOo 3.3. May be we can give you the file to test it, it would be >> > nice to have someone else testing it. If someone knows we are able to do >> > so, please let us know. >> > >> >> Absolutely not. The test exploit file must *not* be shared. > > That's what I guessed. So how will we proceed? I couldn't reproduce the > exploit in any of the three distros I tried, OOo 3.3 only crashes but > does not exploit as expected. >
This the kind of thing we should probably discuss on the ooo-security list. -Rob > We have the solution (the library from AOO RC1 can be used as > a replacement), but IMO we need some more testing with the test exploit > file. > > > Regards > -- > Ariel Constenla-Haile > La Plata, Argentina --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
