Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200410-17 ] OpenOffice.org: Temporary files disclosure
Date: Wed, 20 Oct 2004 21:17:19
Message-Id: 4176D54E.70507@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: OpenOffice.org: Temporary files disclosure
      Date: October 20, 2004
      Bugs: #63556
        ID: 200410-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

OpenOffice.org uses insecure temporary files which could allow a
malicious local user to gain knowledge of sensitive information from
other users' documents.

Background
==========

OpenOffice.org is an office productivity suite, including word
processing, spreadsheets, presentations, drawings, data charting,
formula editing, and file conversion facilities.

Affected packages
=================

    -------------------------------------------------------------------
     Package                       /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  app-office/openoffice            == 1.1.2                 < 1.1.2
                                                              >= 1.1.3
  2  app-office/openoffice-bin        == 1.1.2                 < 1.1.2
                                                              >= 1.1.3
  3  app-office/openoffice-ximian     == 1.1.60               < 1.1.60
                                      == 1.1.61               >= 1.3.4
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

On start-up, OpenOffice.org 1.1.2 creates a temporary directory with
insecure permissions. When a document is saved, a compressed copy of it
can be found in that directory.

Impact
======

A malicious local user could obtain the temporary files and thus read
documents belonging to other users.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All affected OpenOffice.org users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=app-office/openoffice-1.1.3"
    # emerge ">=app-office/openoffice-1.1.3"

All affected OpenOffice.org binary users should upgrade to the latest
version:

    # emerge sync

    # emerge -pv ">=app-office/openoffice-bin-1.1.3"
    # emerge ">=app-office/openoffice-bin-1.1.3"

All affected OpenOffice.org Ximian users should upgrade to the latest
version:

    # emerge sync

    # emerge -pv ">=app-office/openoffice-ximian-1.3.4"
    # emerge ">=app-office/openoffice-ximian-1.3.4"

References
==========

  [ 1 ] CAN-2004-0752
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0752
  [ 2 ] OpenOffice.org Issue 33357
        http://www.openoffice.org/issues/show_bug.cgi?id=33357

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200410-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
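
The Description above names the flaw only as a temporary directory created with insecure permissions. As an added illustration (not OpenOffice.org or Gentoo code; the `/tmp/glsa-demo-*` paths and the function names are constructed for this example), the C below contrasts a umask-dependent `mkdir()` with `mkdtemp()` and checks each resulting directory for group/other access.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp() and lstat() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if group/other have any access to the directory, 0 if owner-only, -1 on error. */
int exposed_to_others(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Weak pattern: permissions are left to the umask. With the common umask 022
 * the directory is created 0755, so any local user can list and read it. */
int make_tmpdir_weak(char *out, size_t n) {
    mode_t old = umask(022);               /* constructed: typical default umask */
    snprintf(out, n, "/tmp/glsa-demo-weak-%ld", (long)getpid());
    int rc = mkdir(out, 0777);
    umask(old);
    return rc;
}

/* Hardened pattern: mkdtemp() picks an unpredictable name and creates the
 * directory with mode 0700, so the umask can never widen access. */
int make_tmpdir_private(char *out, size_t n) {
    snprintf(out, n, "/tmp/glsa-demo-priv-XXXXXX");
    return mkdtemp(out) ? 0 : -1;
}

int main(void) {
    char weak[64], priv[64];
    if (make_tmpdir_weak(weak, sizeof weak) == 0) {
        printf("%s exposed=%d\n", weak, exposed_to_others(weak));
        rmdir(weak);
    }
    if (make_tmpdir_private(priv, sizeof priv) == 0) {
        printf("%s exposed=%d\n", priv, exposed_to_others(priv));
        rmdir(priv);
    }
    return 0;
}
```

The same `exposed_to_others()` check can be pointed at an application's existing per-user temporary directory to confirm it is owner-only after the upgrade.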
