By Jake Edge
October 5, 2011
An October 5 press release from The
Document Foundation provides a bit of information about a vulnerability
that was fixed in recent versions of LibreOffice (LO). The vulnerability sounds
fairly serious: "This flaw could have been
used for nefarious purposes, such as installing viruses, through a
specially-crafted [.doc] file." It was evidently fixed, silently, in
versions 3.4.3 and 3.3.4 of LO, which were released in August. The details
(such as they are) were withheld "until users
have been given time to migrate to the new version", but it isn't at
all clear that Linux distributions have put out fixes yet. Worse still,
OpenOffice.org (OOo) is vulnerable as well, but there has been no release
from that project since January.
As of this writing, only Debian has released
a security update to address the problem, and that fix is only for
OOo as Debian hasn't had a release that contains LO. Other distributions
may have updated LO (and/or OOo), but just as bug fix releases. They may
have been misled by the release
notes for LO 3.4.3, which make no mention of security fixes (nor do
the release notes for 3.3.4). Even the
detailed
list of fixes appears to be silent about the problem.
Now that the vulnerability has been made public as CVE-2011-2713
(just a placeholder at the moment), one would guess that other
distributions will be releasing updates soon as well. Even if a bug fix update
did pick up the fix, it would make sense for distributions to put
out a security alert so that their users will be more likely to upgrade.
But it's a little puzzling how we got to this point.
The problem was found by Red Hat security researcher Huzaifa Sidhpurwala
and was fixed by Caolan McNamara of
Red Hat and Marc-André Laverdière of Tata Consultancy
Services, according to the press release. That would seem to clearly show
that some folks at Red Hat (at least)
were aware of the problem. In fact, McNamara put out bug fix updates for both OOo
(for Fedora 14) and LO (for Fedora 15) in September that only mention "Update for
commonly reported crashes" and "Fixes for
commonly reported problems". Was the fix for CVE-2011-2713
included, but just not mentioned?
Press releases are not the usual way that vulnerabilities are announced, at
least in the free software world. The wording of that release certainly
indicates that the project was aware of the security implications of the
fix, but withheld the information in accordance with "industry best
practice". Perhaps the project was waiting until distributions were
able to update their LO packages (albeit silently), but that raises another
question: what about OOo?
One hopes that the press release is not the first time that the OOo
community is hearing about the vulnerability, but that seems to be the case.
When the press release was reported to the Apache OpenOffice (AOO)
development mailing list, Dennis Hamilton indicated that it might be the first notice
that AOO had received.
But Simon Phipps quoted an unnamed LO
developer who claimed to have alerted AOO:
I've investigated and I am informed by one of the LO developers:
> The initial report was sent to securityteam@openoffice.org on
> 25-07-2011, the assigned CVE id was cc'ed there somewhat later on. I
> posted the 5 patches which in combination would fix it to the list as
> well. I was informed an ApacheOOo representative had joined the list.
Evidently, an AOO representative was not added to the mailing
list, though, as Hamilton pointed out:
That information concerning an ApacheOOo representative on
securityteam@openoffice.org is apparently inaccurate. Or
else there is a breakdown in the vulnerability being
communicated to ApacheOOo.
It certainly would have been a nice
gesture—in keeping with "responsible disclosure"—for the LO folks to ensure that AOO was up to speed before
putting out a press release.
As Hamilton put it: "I trust this is the last time that either of our projects learn about
something like this in a press release."
But Hamilton also notes that the release mentions additional fixes:
Also, the
report refers to "some additional security patches and fixes"
without mention of any CVEs. It would be good to know what
that is about.
It's hard to disagree with that. There is no good reason that LO and AOO
can't work together on security issues, regardless of any other friction
there may be between the two. It's unfortunate that the "securityteam"
mailing list didn't include any AOO folks (one guesses that it does now or will
soon), but there is no reason that AOO should have learned about this
problem via press release.
The LO developer's message would seem to indicate that OOo is
vulnerable, but it's a
little too early to say for sure. It is possible that the problem only
exists in Go-OO-derived builds (which is what Linux distributions typically
shipped prior to LO coming on the scene). If OOo is vulnerable, it's also
unclear what AOO
will be able to do about it. At the moment,
AOO is in a state of flux as it transitions to an Apache incubator
project. There have been no releases of the AOO project and
it may still be a ways off before that can happen.
For Linux users, the problem will likely sort itself out in short order.
Distributions will patch LO and OOo if they haven't already and make them
available to their users. For Windows and Mac OS X users of OOo, though,
the picture is murkier—at least if the vulnerability exists in those
versions. There aren't distribution-like entities for applications on
those platforms and the AOO project is not (yet) in a position to do
security releases. It might be prudent for those users to consider
switching to LO, at least temporarily, until AOO sorts itself out. Being
cautious about opening random .doc files is another alternative,
but that's always been good advice, though it is rarely followed.
In the final analysis, the press release raises more questions than it
actually answers. What was, presumably, an attempt to shed some light on a
security flaw in LO instead muddied the waters considerably. One hopes
that a more transparent security process will come about for LO so that all
of its downstreams—as well as its AOO "sidestream"—are notified of
security problems in a timely way. In fact, both LO and AOO should be
thinking about proper ways to handle and announce security fixes, perhaps
along the lines of what Mozilla does.
It may be "industry standard" to
silently fix security holes, but free software communities can, and should,
do better than that.
Brief items
By the way, I'm now pretty convinced that allowing inbound ssh on
laptops (which is the default on all the mainline Linux distros as far
as I know) is seriously broken... laptops get connected to *extremely*
insecure networks on just way too regular a basis.
--
H. Peter Anvin
XML - the kudzu of the internet.
--
Valdis Kletnieks
New vulnerabilities
drupal6-views_bulk_operations: cross-site scripting
| Package(s): | drupal6-views_bulk_operations |
| CVE #(s): | CVE-2011-3373 |
| Created: | October 3, 2011 |
| Updated: | October 5, 2011 |
Description: From the Red Hat bugzilla:
It was found that the Drupal Views Bulk Operations (VBO) module did not escape the vocabulary help properly when the vocabulary had user tagging enabled and the "Modify node taxonomy terms" action was used for modification of the taxonomy. A remote attacker could provide a specially-crafted URL which, once visited by an unsuspecting Drupal user with the 'administer taxonomy' permission, could lead to arbitrary HTML or web script execution (cross-site scripting [XSS] attack).
firefox: code execution
| Package(s): | firefox |
| CVE #(s): | CVE-2011-2996 |
| Created: | October 3, 2011 |
| Updated: | December 1, 2011 |
Description: From the Mandriva advisory:
Unspecified vulnerability in the plugin API in Mozilla Firefox 3.6.x before 3.6.23 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
mozilla: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey |
| CVE #(s): | CVE-2011-2997, CVE-2011-3001, CVE-2011-3002, CVE-2011-3003, CVE-2011-3005, CVE-2011-3232, CVE-2011-3004 |
| Created: | September 30, 2011 |
| Updated: | December 1, 2011 |
Description: From the CVE entries:
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2011-2997)
Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent manual add-on installation in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site that triggers an unspecified internal error. (CVE-2011-3001)
Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefox before 7.0 and SeaMonkey before 2.4, does not validate the return value of a GrowAtomTable function call, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a memory-allocation error and a resulting buffer overflow. (CVE-2011-3002)
Mozilla Firefox before 7.0 and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unspecified WebGL test case that triggers a memory-allocation error and a resulting out-of-bounds write operation. (CVE-2011-3003)
Use-after-free vulnerability in Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OGG headers in a .ogg file. (CVE-2011-3005)
YARR, as used in Mozilla Firefox before 7.0, Thunderbird before 7.0, and SeaMonkey before 2.4, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript. (CVE-2011-3232)
The JSSubScriptLoader in Mozilla Firefox 4.x through 6 and SeaMonkey before 2.4 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior. (CVE-2011-3004)
mozilla: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey |
| CVE #(s): | CVE-2011-2995, CVE-2011-2999, CVE-2011-3000, CVE-2011-2372, CVE-2011-2998 |
| Created: | September 30, 2011 |
| Updated: | July 23, 2012 |
Description: From the CVE entries:
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2011-2995)
Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before 6.0, and SeaMonkey before 2.3 do not properly handle "location" as the name of a frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, a different vulnerability than CVE-2010-0170. (CVE-2011-2999)
Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting attacks via crafted header values. (CVE-2011-3000)
Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent the starting of a download in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site. (CVE-2011-2372)
Integer underflow in Mozilla Firefox 3.6.x before 3.6.23 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via JavaScript code containing a large RegExp expression. (CVE-2011-2998)
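The duplicate-header problem behind CVE-2011-3000 above, shown from the client side as an added example (not Mozilla code or anything from an advisory): a minimal HTTP/1.x response-head parser that refuses a repeated Location, Content-Length or Content-Disposition header instead of guessing which copy to honour. The sample responses are constructed for the example.

```python
import re

# Response headers that carry exactly one value per response. When two
# appear, the response has been split or a value has had CRLF injected;
# a client must refuse it rather than pick whichever copy it prefers.
SINGLETON_HEADERS = frozenset({"location", "content-length", "content-disposition"})
STATUS_LINE = re.compile(r"^HTTP/1\.[01] [1-5]\d\d(?: .*)?$")


class DuplicateHeaderError(ValueError):
    """A singleton header appeared more than once."""


def parse_response_head(raw: bytes) -> dict:
    """Parse the status line and header block of an HTTP/1.x response into
    {lower-cased name: value}. Raises DuplicateHeaderError for a repeated
    singleton header and ValueError for any other malformed head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block")
    lines = head.decode("latin-1").split("\r\n")   # latin-1 never fails
    if not STATUS_LINE.match(lines[0]):
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # A bare CR or LF inside a line means the line structure was forged.
        if not colon or not name.strip() or "\r" in line or "\n" in line:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower()
        if key in SINGLETON_HEADERS and key in headers:
            raise DuplicateHeaderError(key)
        headers[key] = value.strip()
    return headers


def is_safe_response_head(raw: bytes) -> bool:
    """True only when the head parses and no singleton header is duplicated."""
    try:
        parse_response_head(raw)
    except ValueError:          # DuplicateHeaderError is a ValueError too
        return False
    return True


# Constructed sample responses, not captured traffic.
CLEAN_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://example.test/login\r\n"
                  b"Content-Length: 0\r\n\r\n")
# The same redirect as a splitting injection would leave it: two Location lines.
SPLIT_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://example.test/login\r\n"
                  b"Location: https://other.example/\r\n"
                  b"Content-Length: 0\r\n\r\n")
```

Repeated headers that are legitimately multi-valued (Set-Cookie, for instance) still pass; only the three singleton names are rejected.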
openoffice.org, libreoffice: code execution
| Package(s): | openoffice.org, libreoffice |
| CVE #(s): | CVE-2011-2713 |
| Created: | October 5, 2011 |
| Updated: | November 14, 2011 |
Description: As was recently disclosed by the Document Foundation: "RedHat security researcher Huzaifa Sidhpurwala identified a memory corruption vulnerability in the code responsible for loading Microsoft Word documents in LibreOffice. This flaw could have been used for nefarious purposes, such as installing viruses, through a specially-crafted file." OpenOffice.org suffers from the same vulnerability.
openssl: denial of service
| Package(s): | openssl |
| CVE #(s): | CVE-2011-3210 |
| Created: | October 5, 2011 |
| Updated: | October 5, 2011 |
Description: The OpenSSL ephemeral ECDH ciphersuite implementation is not thread-safe, allowing a remote attacker to force a server crash. Version 1.0.0e contains the necessary fix.
perl-FCGI: authentication bypass
| Package(s): | perl-FCGI |
| CVE #(s): | CVE-2011-2766 |
| Created: | October 3, 2011 |
| Updated: | January 5, 2012 |
Description: From the CVE entry:
The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast, uses environment variable values from one request during processing of a later request, which allows remote attackers to bypass authentication via crafted HTTP headers.
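The stale-environment bug class described in this entry, reconstructed in Python as an added illustration (this is not the FCGI.pm code, whose internals the page does not show): a long-lived worker that only updates its environment between requests, beside one that rebuilds it. The X-Auth-User header, the proxy trust assumption and the toy application are constructed for the example.

```python
"""Stale-environment bug pattern behind CVE-2011-2766, reconstructed in
Python as an added illustration; this is not the FCGI.pm code itself.

A long-lived FastCGI worker maps each request's headers into CGI-style
environment variables (HTTP_*). The toy application trusts X-Auth-User
(a constructed header name) because the front-end proxy is assumed to
set it only after authenticating the client and to strip it otherwise.
"""


def headers_to_env(headers):
    """CGI convention: header 'X-Auth-User' becomes 'HTTP_X_AUTH_USER'."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers}


def app(env):
    """Grants access solely on the proxy-supplied identity variable."""
    user = env.get("HTTP_X_AUTH_USER")
    return "200 hello %s" % user if user else "401 unauthorized"


def serve_vulnerable(requests):
    """Bug pattern: one environment dict lives for the worker's lifetime and
    is only updated between requests, never cleared, so a variable set by
    request N is still visible to request N+1 when that request omits it."""
    env = {}
    results = []
    for headers in requests:
        env.update(headers_to_env(headers))   # stale keys survive here
        results.append(app(env))
    return results


def serve_fixed(requests):
    """Fix: derive a fresh environment from each request and nothing else."""
    results = []
    for headers in requests:
        env = headers_to_env(headers)         # nothing carried over
        results.append(app(env))
    return results


# Constructed traffic: an authenticated request, then an anonymous request
# from another client that carries no identity header at all.
SAMPLE_REQUESTS = [
    [("Host", "example.test"), ("X-Auth-User", "alice")],
    [("Host", "example.test")],
]

if __name__ == "__main__":
    print(serve_vulnerable(SAMPLE_REQUESTS))  # second request served as alice
    print(serve_fixed(SAMPLE_REQUESTS))       # second request gets 401
```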
puppet: privilege escalation/file overwrite
| Package(s): | puppet |
| CVE #(s): | CVE-2011-3869, CVE-2011-3870, CVE-2011-3871 |
| Created: | October 3, 2011 |
| Updated: | October 17, 2011 |
Description: From the Ubuntu advisory:
It was discovered that Puppet unsafely opened files when the k5login type is used to manage files. A local attacker could exploit this to overwrite arbitrary files which could be used to escalate privileges. (CVE-2011-3869)
Ricky Zhou discovered that Puppet did not drop privileges when creating SSH authorized_keys files. A local attacker could exploit this to overwrite arbitrary files as root. (CVE-2011-3870)
It was discovered that Puppet used a predictable filename when using the --edit resource. A local attacker could exploit this to edit arbitrary files or run arbitrary code as the user invoking the program, typically root. (CVE-2011-3871)
puppet: directory traversal
| Package(s): | puppet |
| CVE #(s): | CVE-2011-3848 |
| Created: | October 4, 2011 |
| Updated: | October 27, 2011 |
Description: From the Debian advisory:
Kristian Erik Hermansen reported that an unauthenticated directory traversal could drop any valid X.509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application.
quagga: buffer overflow and denial of service
| Package(s): | quagga |
| CVE #(s): | CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, CVE-2011-3326, CVE-2011-3327 |
| Created: | October 5, 2011 |
| Updated: | September 14, 2012 |
Description: Quagga suffers from four denial of service vulnerabilities and one buffer overflow (CVE-2011-3323) that could presumably be exploited for the execution of arbitrary code.
rpm: arbitrary code execution
| Package(s): | rpm |
| CVE #(s): | CVE-2011-3378 |
| Created: | October 4, 2011 |
| Updated: | November 10, 2011 |
Description: From the Red Hat advisory:
Multiple flaws were found in the way the RPM library parsed package headers. An attacker could create a specially-crafted RPM package that, when queried or installed, would cause rpm to crash or, potentially, execute arbitrary code. (CVE-2011-3378)
Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue would allow a specially-crafted RPM package to execute arbitrary code before its digital signature has been verified. Package downloads from the Red Hat Network remain secure due to certificate checks performed on the secure connection.
samba: denial of service
| Package(s): | samba |
| CVE #(s): | CVE-2011-3585 |
| Created: | October 5, 2011 |
| Updated: | October 5, 2011 |
Description: A vulnerability in Samba's mtab lock file handling allows a local user to create a stale lock file, causing a denial of service.
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | CVE-2011-3360, CVE-2011-3482, CVE-2011-3483, CVE-2011-3484 |
| Created: | October 5, 2011 |
| Updated: | January 27, 2012 |
Description: Wireshark suffers from a search path vulnerability (CVE-2011-3360) that could allow a local attacker to cause the execution of a trojan-horse Lua script. There is also the usual set of dissector vulnerabilities; version 1.6.2 contains the fixes.
Page editor: Jake Edge