Re: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks
In prep for 4.1.10 (and our 1st release candidate), we're using https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.10 for tracking.

To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks
Thank you Dave for all your work and co-ordination with security, the reporter, and communications.

Best regards,
Carl

On 4/15/21 4:06 PM, Dave Fisher wrote:
> Hi -
>
> Here is some background on the issue which has apparently existed since about OpenOffice.org 2.0 in 2005 or so. See https://bz.apache.org/ooo/show_bug.cgi?id=49802
>
> Some confusion existed between types of hyperlinks and rather than filtering they were all allowed to proceed.
>
> Arrigo restored the code and Carl added some protocol checks: https://github.com/apache/openoffice/commit/aa358bfc895091e0ee5382ad1d25e5d51261463b
>
> This current code will cause a warning for any http(s) hyperlinks that do not have an extension in the “whitelist.”
>
> Some think that we should blanket allow all http(s) hyperlinks so I’ve created a PR for that: https://github.com/apache/openoffice/pull/127
>
> Topics for 4.2.0 include:
> (1) A better dialog box for the hyperlink security warning
> (2) Implement an option to allow users to choose from 3 levels of hyperlink security that is in the code, but not the settings. The levels in the code are essentially:
> - No Security
> - What we have now
> - And only help links
>
> All The Best,
> Dave
>
>> On Apr 15, 2021, at 12:34 PM, Dave Fisher wrote:
>>
>> Hi -
>>
>> We are working on releasing 4.1.10 soon due to this security report [1] which was announced today.
>>
>> I’d like to credit Arrigo Marchiori and Carl Marcum for development. Ariel Constenla-Haile and Peter Kovacs for our indispensable OpenGrok setup. Matthias Seidel, Marcus Lange, Jim Jagielski, and Don Lewis for builds and testing.
>>
>> All The Best,
>> Dave
>>
>> [1] https://positive.security/blog/url-open-rce
>>
>>> On Apr 15, 2021, at 12:18 PM, Dave Fisher wrote:
>>>
>>> Severity: moderate
>>>
>>> Description:
>>>
>>> The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.
>>>
>>> Credit:
>>>
>>> Fabian Bräunlein and Lukas Euler of Positive Security
Re: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks
Hi -

Here is some background on the issue which has apparently existed since about OpenOffice.org 2.0 in 2005 or so. See https://bz.apache.org/ooo/show_bug.cgi?id=49802

Some confusion existed between types of hyperlinks and rather than filtering they were all allowed to proceed.

Arrigo restored the code and Carl added some protocol checks: https://github.com/apache/openoffice/commit/aa358bfc895091e0ee5382ad1d25e5d51261463b

This current code will cause a warning for any http(s) hyperlinks that do not have an extension in the “whitelist.”

Some think that we should blanket allow all http(s) hyperlinks so I’ve created a PR for that: https://github.com/apache/openoffice/pull/127

Topics for 4.2.0 include:
(1) A better dialog box for the hyperlink security warning
(2) Implement an option to allow users to choose from 3 levels of hyperlink security that is in the code, but not the settings. The levels in the code are essentially:
- No Security
- What we have now
- And only help links

All The Best,
Dave

> On Apr 15, 2021, at 12:34 PM, Dave Fisher wrote:
>
> Hi -
>
> We are working on releasing 4.1.10 soon due to this security report [1] which
> was announced today.
>
> I’d like to credit Arrigo Marchiori and Carl Marcum for development. Ariel
> Constenla-Haile and Peter Kovacs for our indispensable OpenGrok setup.
> Matthias Seidel, Marcus Lange, Jim Jagielski, and Don Lewis for builds and
> testing.
>
> All The Best,
> Dave
>
> [1] https://positive.security/blog/url-open-rce
>
>> On Apr 15, 2021, at 12:18 PM, Dave Fisher wrote:
>>
>> Severity: moderate
>>
>> Description:
>>
>> The project received a report that all versions of Apache OpenOffice through
>> 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about
>> 2006 and the issue is also in 4.1.9. If the link is specifically crafted
>> this could lead to untrusted code execution. It is always best practice to
>> be careful opening documents from unknown and unverified sources. The
>> mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security
>> warning is displayed giving the user the option of continuing to open the
>> hyperlink.
>>
>> Credit:
>>
>> Fabian Bräunlein and Lukas Euler of Positive Security
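The hyperlink policy described in this thread, as an added example that is not the OpenOffice code or the linked commit: it models the three levels and the http(s) extension check, with a flag for the blanket-allow proposal in PR 127. The names `Level`, `decide`, `SAFE_EXTENSIONS`, the extension list, the use of the `vnd.sun.star.help` scheme to recognise help links, and the "block" outcome are assumptions.

```python
from enum import Enum
from pathlib import PurePosixPath
from urllib.parse import urlsplit


class Level(Enum):
    NO_SECURITY = 0  # every hyperlink is opened without a prompt
    WARN = 1         # "what we have now": warn unless the link passes the checks
    HELP_ONLY = 2    # only help links are opened


# Constructed allowlist for illustration; not the list used by the project.
SAFE_EXTENSIONS = {".html", ".htm", ".txt", ".pdf"}
# Assumption: help links are recognised by this scheme.
HELP_SCHEME = "vnd.sun.star.help"


def decide(url: str, level: Level = Level.WARN, allow_all_http: bool = False) -> str:
    """Return "open", "warn" or "block" for a hyperlink target."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if level is Level.NO_SECURITY:
        return "open"
    if scheme == HELP_SCHEME:
        return "open"
    if level is Level.HELP_ONLY:
        return "block"  # assumed outcome for non-help links at this level
    if scheme in ("http", "https"):
        if allow_all_http:  # models the blanket-allow proposal
            return "open"
        # Only the path is inspected, so a query string cannot supply the extension.
        ext = PurePosixPath(parts.path).suffix.lower()
        return "open" if ext in SAFE_EXTENSIONS else "warn"
    # Any other scheme, or a target with no scheme at all, prompts the user.
    return "warn"


if __name__ == "__main__":
    # Constructed sample targets.
    for target in (
        "https://example.org/docs/index.html",
        "https://example.org/",
        "file:///tmp/report.pdf",
        "vnd.sun.star.help://swriter/start",
    ):
        print(f"{decide(target):5} {target}")
```

With the default settings an http(s) link without an allowlisted extension, such as a bare site root, still prompts, which is the behaviour the blanket-allow proposal would change.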