Hi :) I am not 100% sure but LO has quietly dealt with a couple of potential threats of that nature quite a long time ago. The 3.4.0 and i think another in that same line were both quietly being pushed due to some known issue in the 3.3.x line. Most of us just ignored it and carried on using the supposedly problematic versions and had no problems though.
Also i know that some of the code and patches have been quietly shared between the projects even when Oracle were being all stuffy about it so i really don't know if they are fixing something that LO already fixed ages ago or if this is something new. The 2 projects are very divergent now. Only around 12% of the code hasn't been touched at all. Although, as Umas said some of the changes may have been just removal or rewrites of commented-out lines. Regards from Tom :) >________________________________ > From: Girvin R. Herr <girvin.h...@sbcglobal.net> >To: Tom Davies <tomdavie...@yahoo.co.uk> >Cc: Tanstaafl <tansta...@libertytrek.org>; "users@global.libreoffice.org" ><users@global.libreoffice.org> >Sent: Friday, 26 July 2013, 21:57 >Subject: Re: [libreoffice-users] Attempting to open any Microsoft XML document >causes General I/O error after upgrade to 4.1 > > >FWIW: >I do not know the correlation of versions between LO and AOO, but today >I got the following two security reports from the AOO users forum: > >------------------------------------------------------- > >CVE-2013-2189 >OpenOffice DOC Memory Corruption Vulnerability > >Severity: Important >Vendor: The Apache Software Foundation > >Versions Affected: > Apache OpenOffice 3.4.0 to 3.4.1 on all platforms. > Predecessor versions of OpenOffice.org may be also affected. > >Description: > > The vulnerability is caused by operating on invalid PLCF (Plex of >Character Positions in File) data when parsing a malformed DOC document >file. Specially crafted documents can be used for denial-of-service >attacks. Further exploits are possible but have not been verified. > >Mitigation: > > Apache OpenOffice 3.4 users are advised to upgrade to Apache >OpenOffice 4.0. Users who are unable to upgrade immediately should be >cautious when opening untrusted documents. > >Credits: > > The Apache OpenOffice Security Team credits Jeremy Brown of >Microsoft Vulnerability Research as the discoverer of this flaw. > >Herbert Dürr >Member of the Apache OpenOffice Security Team > >------------------------------------------- > >CVE-2013-4156 >OpenOffice DOCM Memory Corruption Vulnerability > >Severity: Important >Vendor: The Apache Software Foundation > >Versions Affected: > Apache OpenOffice 3.4.0 and 3.4.1, on all platforms. > Predecessor versions of OpenOffice.org may be also affected. > >Description: > > The vulnerability is caused by mishandling of unknown XML elements >when parsing a OOXML document file. Specially crafted documents can be >used for memory-corruption attacks. Further exploits are possible but >have not been verified. > >Mitigation > > Apache OpenOffice 3.4.0 and 3.4.1 users are advised to upgrade to >Apache OpenOffice 4.0. Users who are unable to upgrade immediately >should be cautious when opening untrusted documents. > >Credits > > The Apache OpenOffice Security Team credits Jeremy Brown of >Microsoft Vulnerability Research as the discoverer of this flaw. > >Herbert Dürr >Member of the Apache OpenOffice Security Team > >------------------------------------------ > >Could this be related, in that now LO 4.1 rejects such files where LO >4.0 did not? >Just a messenger. >Girvin Herr > > >Tom Davies wrote: >> Hi :) >> I sometimes get that from files "on the network" but when i copy them to >> local desktop machine they work fine. I've not really been tracking which >> versions it happens with. There seems to be something about the memory >> settings as higher spec machines with memory settings radically bumped right >> up seem to suffer this a lot less. They still get it occasionally tho. >> >> I thought it was my inexperience with networking or something >> Regard from >> Tom :) >> >> >> >> >> >> >>> ________________________________ >>> From: Tanstaafl <tansta...@libertytrek.org> >>> To: users@global.libreoffice.org >>> Sent: Friday, 26 July 2013, 11:33 >>> Subject: [libreoffice-users] Attempting to open any Microsoft XML document >>> causes General I/O error after upgrade to 4.1 >>> >>> >>> Just wanted to check here before I go open a bug... >>> >>> I just upgraded to 4.1, everything seemed fine, but I encountered a >>> .docx document this morning, and got the dreaded 'General I/O' error. >>> >>> I then tried a bunch of different XML documents (.docx, .xslx, and >>> .pptx), and every one resulted in the same error. >>> >>> These are all docs that opened fine in 4.0.4 >>> >>> Will go back to 4.0.4 and confirm it resolves the problem... >>> >>> -- >>> To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org >>> Problems? >>> http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ >>> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette >>> List archive: http://listarchives.libreoffice.org/global/users/ >>> All messages sent to this list will be publicly archived and cannot be >>> deleted >>> >>> >>> >>> > >-- >To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org >Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ >Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette >List archive: http://listarchives.libreoffice.org/global/users/ >All messages sent to this list will be publicly archived and cannot be deleted > > > -- To unsubscribe e-mail to: users+unsubscr...@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted
