What's next for Apache OpenOffice
Posted Sep 13, 2016 15:55 UTC (Tue) by bunk (subscriber, #44933)
In reply to: What's next for Apache OpenOffice by orcmid
Parent article: What's next for Apache OpenOffice
What went wrong with CVE-2016-1513, resulting in even http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1513 not mentioning that older LO versions are vulnerable?
> Minor correction #2: Technically, there was no "license change." Oracle holds the copyright and all code released under LGPL2 is still under LGPL2. What Oracle did was grant a different license to the Apache Software Foundation (not unlike Sun made different license arrangements with commercial producers). The grant to the ASF allowed ASF to distribute the to-ASF licensed code under a license of its choosing, hence the Apache License.
One could say AOO was created with a licensing that makes it impossible for AOO to take code from LO.
(Whether that was done intentionally by Oracle is a separate question.)
The important point is the order of events - no matter what you call it, the problem was introduced by the AOO side months after LO was started.
> Similarly, IBM made a license grant to ASF for their originally closed-source Lotus Symphony code derived from the OpenOffice.org code licensed to them. Indeed, it is only through Apache that any code developed for Symphony finds its way into LibreOffice.
It seems there is/was a lot of politics by Oracle and IBM involved.
I do not see a fundamental reason why IBM could not just have relicensed the Symphony code under the ASL, and then publish it as a tarball somewhere. Less work for them, and the code is in LO a year earlier.
Posted Sep 13, 2016 17:08 UTC (Tue) by orcmid (guest, #74478)
The reporter only provided their result for AOO 4.1.2. My mistake was I confirmed that the defect is not in a current release of LibreOffice and did not consider the case of down-version releases that would still be under maintenance.
I did inform [Officesecurity] before our disclosure, but it was very short notice.
To avoid that happening again, we are now always informing [Officesecurity] of pending AOO disclosures of defects that might still matter in that community, and they get to decide whether that is the case or not.
I didn't word the CVE and I have no account for that. The AOO advisory, linked from that CVE, does mention the prospect. Of course that doesn't name other products. I assume that other descendants of the openoffice.org code base will issue their own advisories as they see fit. I know the patch we published is used by at least one other.
Posted Sep 13, 2016 19:30 UTC (Tue) by bunk (subscriber, #44933)
My guess (that could be wrong) would be that they found the issue while checking which of the fuzzing fixes in LO might be exploitable.
It isn't that uncommon that someone finds vulnerabilities in Open Source software by going through normal bugfixes - until the fix has reached all users, there are still years where it can be exploited if the finder has intentions other than publishing.
> I assume that other descendants of the openoffice.org code base will issue their own advisories as they see fit. I know the patch we published is used by at least one other.
What other direct (not through LO) descendants exist of the AOO code base?
The only area where AOO could have an advantage over LO would be for companies who don't want to use LO for license reasons.
And these descendants should have a financial interest in keeping AOO alive.