OpenOffice.org details vulnerability

OpenOffice.org, an open-source software maker, has confirmed a buffer overflow issue that could allow remote attacks.

The problem in its freely distributed productivity applications has been fixed, the organisation said late on Tuesday, but no patch has yet been issued.

The flaw, first discovered in late March, according to postings on the group's Web site, is present in OpenOffice Version 1.1.4 and the OpenOffice Version 2.0 beta release of the applications, as well as in earlier versions of those applications.

According to the OpenOffice site, the flaw was found in one specific function of the software and could be triggered by files crafted to exploit it. OpenOffice.org said the flaw may have allowed for remote execution of malicious code on computers running the affected OpenOffice applications.

Security researchers following the issue rated the flaw as relatively serious, with Secunia labelling the vulnerability as "moderately critical," its rating for issues that can compromise systems but that require user interaction in order to be exploited.

The flaw has now been effectively addressed by eliminating coding bugs that created the vulnerability, according to members of the OpenOffice community, the group of open-source software developers that contributes to the expansion of the software.

While OpenOffice contributors said on the site that they have identified and fixed the issue, the group has yet to publicly issue a patch to address the problem.

The ability for OpenOffice software users to fix problems on the fly -- the open-source development model allows collaborators to view code and submit changes such as bug fixes or enhancements -- has been highlighted by the group as one of the advantages of its applications. For instance, rival Microsoft typically issues security patch updates for its Windows products once a month.


Talkback 8 comments

    I thought many eyes made bugs ...Anonymous -- 14/04/05

    I thought many eyes made bugs shallow, code going through many verification processes due to high involvement from the community....this doesn't prove the open source case any more than any other OS and application vendor, it seems to make them the same.

    > I thought many eyes made ...Anonymous -- 14/04/05

    > I thought many eyes made bugs shallow, code going through many verification processes due to high involvement from the community....this doesn't prove the open source case any more than any other OS and application vendor, it seems to make them the same.

    You are confused. Check this out (from my FC3 workstation: rpm -q --changelog openoffice.org | head -n 3):

    ---------------------------
    * Wed Apr 13 2005 Dan Williams <email-protected> - 1.1.3-11

    - Fix CAN-2005-0941 (sot module overflow in .doc parsing)
    ---------------------------

    How fast do you get updates from Microsoft? Not this fast (BTW, this was actually rather SLOW, compared to other problems in FOSS).

    Also, how do you think this bug was found by people that are NOT OpenOffice.org developers? How were they able to pin-point the part of code that was flawed? See original bug report:

    http://www.openoffice.org/issues/show_bug.cgi?id=46388

    >You are confused. Check th ...Anonymous -- 14/04/05

    >You are confused. Check this out (from my FC3
    >workstation: rpm -q --changelog openoffice.org |
    >head -n 3):

    It seems that everybody who says anything even remotely negative, or even compares open source software on an equal footing (as the previous poster did) with closed source software, is either confused or in the employ of microsoft... How can you fanatics ever be taken seriously when all you ever do is criticise the competition and make wild accusations?

    >How fast do you get updates from Microsoft? Not
    >this fast (BTW, this was actually rather SLOW,
    >compared to other problems in FOSS).

    The speed of the release is not of absolute importance... it's more that bug fixes are timely with respect to exploits being publicly available. Microsoft have performed less than admirably in the past but are quickly picking up their game in this area.

    >Also, how do you think this bug was found by people
    >that are NOT OpenOffice.org developers? How were
    >they able to pin-point the part of code that was
    >flawed? See original bug report:

    Are you serious? Did you even think about what you were saying?? When is a bug EVER found by the developer? Very rarely in my experience... And I'm not just referring to Microsoft. Sure, having access to the code allows the bug finder to pinpoint the location, but all the developer is really interested in is knowing that there IS a bug! The exact location of it in the code is negligible work for the developer. The developer is unlikely to accept a bug fix from John Doe, who finds the bug, since they hardly want untrusted code in your project.

    > How can you fanatics [sni ...Anonymous -- 14/04/05

    > How can you fanatics [snip]

    Oh, please don't stop. You meant communists and terrorists, right? :-)

    > Microsoft have performed less than admirably in the past but are quickly picking up their game in this area.

    Ha, ha! An understatement of the century. A company with $40G in the bank cannot release security fixes on time, but "they are picking up their game". Please, don't stop, this is really entertaining...

    > When is a bug EVER found by the developer?

    Many times, actually. But how would you know?

    > Sure, having access to the code allows the bug finder to pinpoint the location, but all the developer is really interested in is knowing that there IS a bug!

    Just shows how you have no idea how complicated a piece of software can really be. The bugs that cause crashes and security problems can sometimes be truly complicated beasts. Are you seriously saying that nobody ever wants any help with them? Oh, sorry, I forget. You have all the knowledge, time and patience in the world, so as long as you're told that there is a bug, you can fix it. Right!

    > The exact location of it in the code is negligible work for the developer.

    Rubbish.

    > The developer is unlikely to accept a bug fix from John Doe, who finds the bug, since they hardly want untrusted code in your project.

    For instance, this OpenOffice.org bug had this fix on Bugtraq:

    Index: sot/source/sdstor/stgole.cxx
    ===================================================================
    RCS file: /cvs/util/sot/source/sdstor/stgole.cxx,v
    retrieving revision 1.4
    diff -u -p -u -r1.4 stgole.cxx
    --- sot/source/sdstor/stgole.cxx 22 Jul 2002 12:28:43 -0000 1.4
    +++ sot/source/sdstor/stgole.cxx 12 Apr 2005 10:14:48 -0000
    @@ -157,7 +157,7 @@ BOOL StgCompObjStream::Load()
    INT32 nLen1 = 0;
    *this >> nLen1;
    sal_Char* p = new sal_Char[ (USHORT) nLen1 ];
    - if( Read( p, nLen1 ) == (ULONG) nLen1 )
    + if( Read( p, (USHORT) nLen1 ) == (ULONG) nLen1 )
    {
    aUserName = String( p, gsl_getSystemTextEncoding() );
    /* // Now we can read the CB format
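
    Review bot: the changed Read( p, (USHORT) nLen1 ) line now matches the size of the new sal_Char[ (USHORT) nLen1 ] allocation, but nLen1 is still a signed INT32 taken from the stream with no range check, so safety depends on two truncating casts staying in step. Suggest rejecting nLen1 < 0 or nLen1 > 0xFFFF before the allocation, so that an oversized length fails explicitly rather than through the == (ULONG) nLen1 comparison. Separately, String( p, gsl_getSystemTextEncoding() ) is given no length, so it is worth confirming that the buffer is terminated within the bytes read; nothing in these lines guarantees it.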

    Which part of it isn't clear to you? Oh, I forget, you don't understand any of it anyway.

    >> How can you fanatics ...Anonymous -- 15/04/05

    >> How can you fanatics [snip]
    >Oh, please don't stop. You meant communists and
    >terrorists, right? :-)

    Ah, no... I mean fanatic. The word from which fan was derived. People can be fanatical about anything. Even software, it would seem!

    >> Microsoft have performed less than admirably
    >>in the past but are quickly picking up their
    >>game in this area.

    >Ha, ha! An understatement of the century. A
    >company with $40G in the bank cannot release
    >security fixes on time, but "they are picking up
    >their game". Please, don't stop, this is really
    >entertaining...

    Well I'm glad you're entertained... I know I certainly am. $40G in the bank? I think your fingers are working too fast for your brain.

    >> When is a bug EVER found by the developer?

    >Many times, actually. But how would you know?

    Well, let me see... I'm currently project manager of an application suite exceeding 1 million lines of code. I've had 20 years experience as a developer on numerous projects, including some small commercial ventures. In my experience, once the code is commercially released, the only bugs fixed by the developers are those reported to them by the customer. It simply wouldn't be commercially viable to have them continue going through code looking for something that may or may not exist.

    >> Sure, having access to the code allows the bug
    >>finder to pinpoint the location, but all the
    >>developer is really interested in is knowing
    >>that there IS a bug!

    >Just shows how you have no idea how complicated
    >a piece of software can really be. The bugs that
    >cause crashes and security problems can sometimes
    >be truly complicated beasts. Are you seriously
    >saying that nobody ever wants any help with
    >them? Oh, sorry, I forget. You have all the
    >knowledge, time and patience in the world, so as
    >long as you're told that there is a bug, you can
    >fix it. Right!

    Oh, I'm very much aware of how complicated a piece of software can be. The only bugs that are truly difficult to track down in code are those that can not be consistently reproduced... Generally a bug won't be reported unless it CAN be reproduced. I'm not saying that there are not bugs of the type that you describe, but I am saying that they are quite rare. I would love it if my customers could help me locate an intermittent bug in the application, but I really don't think there are many end users who have the skill to track down something like this. I find that the open source community will consistently overstate the importance of viewing code, when in fact a VERY small minority of end users would be able to understand any of it anyway. Those who do understand it, could just as easily be looking for vulnerabilities for their own nefarious purposes. You claim to be a "hacker"? Forgetting the real meaning of the word for a minute and focussing on the common meaning... What is it you "hack"? Have you ever looked at the code, trying to find a backdoor or exploit for your own use?

    >> The exact location of it in the code is
    >>negligible work for the developer.

    >Rubbish.

    The vast majority of reproducible bugs that I have dealt with would be located within 5 minutes. Notice, I was referring to LOCATING the bug, not fixing it.

    >> The developer is unlikely to accept a bug fix
    >>from John Doe, who finds the bug, since they
    >>hardly want untrusted code in your project.

    >For instance, this OpenOffice.org bug had this fix on Bugtraq:

    >Which part of it isn't clear to you? Oh, I forget, you don't understand any of it anyway.

    I'm saying that code supplied by John Doe could never be incorporated without developer review, due to the security risk involved. If I were managing the project, I certainly wouldn't want a mish-mash of code styles within my project. It would have to adhere to the framework I defined at the project planning stage, so at the least one of my developers would be formatting and re-writing

    > $40G in the bank? I think ...Anonymous -- 15/04/05

    > $40G in the bank? I think your fingers are working too fast for your brain.

    OK, I'll do it really slow for you:

    $40,000,000,000 == $40G

    Actually, it's a bit more probably:

    http://money.cnn.com/2004/02/26/technology/techinvestor/lamonica/

    > It simply wouldn't be commercially viable to have them continue going through code looking for something that may or may not exist.

    Welcome to open source.

    > You claim to be a "hacker"?

    http://catb.org/~esr/jargon/html/H/hacker.html

    > The vast majority of reproducible bugs that I have dealt with would be located within 5 minutes. Notice, I was referring to LOCATING the bug, not fixing it.

    Now it's "vast majority". Uh, oh...

    >> $40G in the bank? I t ...Anonymous -- 16/04/05

    >> $40G in the bank? I think your fingers are
    >>working too fast for your brain.
    >OK, I'll do it really slow for you:
    >$40,000,000,000 == $40G

    I don't know... but that looks like $40 Billion to me. Where exactly does the G come from?

    Really, you sound like a politician, selectively retorting only the points that make you appear to know what you're talking about.

    I'll make it simple for you to answer the key points I have raised:

    WHAT EXACTLY QUALIFIES YOU TO COMMENT ON DEVELOPMENT RELATED ISSUES SUCH AS THIS?

    WHAT IS YOUR EXPERIENCE, AND FOR THAT MATTER HOW MUCH OF IT DO YOU HAVE?

    > I don't know... but that ...Anonymous -- 18/04/05

    > I don't know... but that looks like $40 Billion to me. Where exactly does the G come from?

    The G comes (and you should know this, being involved in IT and all) from Giga. So, $1G means 1 Giga Buck. Kinda like with your salary... Also used in: "Jason makes $150k a year." Meaning, he earns 150 Kilo Bucks every year.

    > WHAT EXACTLY QUALIFIES YOU TO COMMENT ON DEVELOPMENT RELATED ISSUES SUCH AS THIS?

    Nothing at all. One does not need to be qualified to make comments on ZDNet.

    > WHAT IS YOUR EXPERIENCE, AND FOR THAT MATTER HOW MUCH OF IT DO YOU HAVE?

    I have no experience. I was born yesterday.
