Posted to commits@openoffice.apache.org by pe...@apache.org on 2015/04/26 17:55:33 UTC

svn commit: r1676119 - in /openoffice/ooo-site/trunk/content/security: bulletin.html cves/CVE-2015-1774.html

Author: pescetti
Date: Sun Apr 26 15:55:33 2015
New Revision: 1676119

URL: http://svn.apache.org/r1676119
Log:
Put the CVE-2015-1774 announcement online.

Added:
    openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html
Modified:
    openoffice/ooo-site/trunk/content/security/bulletin.html

Modified: openoffice/ooo-site/trunk/content/security/bulletin.html
URL: http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/bulletin.html?rev=1676119&r1=1676118&r2=1676119&view=diff
==============================================================================
--- openoffice/ooo-site/trunk/content/security/bulletin.html (original)
+++ openoffice/ooo-site/trunk/content/security/bulletin.html Sun Apr 26 15:55:33 2015
@@ -19,6 +19,11 @@
 
   <p><strong>If you want to stay up to date on Apache OpenOffice security announcements, please subscribe to our <a href="alerts.html">security-alerts mailing list</a>.</strong></p>
 
+ <h3>Current for Apache OpenOffice 4.1.1 (workaround available)</h3>
+<ul>
+<li><a href="cves/CVE-2015-1774.html">CVE-2015-1774</a>: OpenOffice HWP Filter Remote Execution and DoS Vulnerability</li>
+</ul>
+
  <h3>Fixed in Apache OpenOffice 4.1.1</h3>
 <ul>
 <li><a href="cves/CVE-2014-3575.html">CVE-2014-3575</a>: Targeted Data Exposure Using Creafted OLE Objects in Apache OpenOffice</li>
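
Review bot: The link text in the added list item names the issue "OpenOffice HWP Filter Remote Execution and DoS Vulnerability", but the advisory page added in this same commit is headed "OpenOffice HWP Filter Remote Code Execution and Denial of Service". Suggest using one wording in both places, keeping "Remote Code Execution", so the bulletin entry and the advisory it links to match when readers search for either.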

Added: openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html
URL: http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html?rev=1676119&view=auto
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html (added)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2015-1774.html Sun Apr 26 15:55:33 2015
@@ -0,0 +1,53 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head profile="http://www.w3.org/2005/10/profile">
+	<title>CVE-2014-3575</title>
+	<style type="text/css"></style>
+</head>
+
+<body>
+	<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1774">CVE-2015-1774</a></h2>
+
+	<h3>OpenOffice HWP Filter Remote Code Execution and Denial of Service</h3>
+
+	<ul>   
+	<h4>Severity: Important</h4>
+	<h4>Vendor: The Apache Software Foundation</h4>
+	<h4>Versions Affected:</h4>
+		<ul>
+		<li>Apache OpenOffice 4.1.1 and older.</li>
+	</ul>
+
+	<h4>Description</h4>
+	<p>A vulnerability in OpenOffice's HWP filter allows attackers to cause a
+denial of service (memory corruption and application crash) or possibly
+execution of arbitrary code by preparing specially crafted documents in
+the HWP document format.</p>
+
+	<h4>Mitigation</h4>
+	<p>Apache OpenOffice users are advised to remove the problematic library in
+the "program" folder of their OpenOffice installation. On Windows it is
+named "hwp.dll", on Mac it is named "libhwp.dylib" (step-by-step instructions: go to the Applications folder in Finder;
+right click on OpenOffice.app; click on "Show Package Contents"; then search for the file "libhwp.dylib" with Finder's search function, or
+Look for it in the folder "Contents/MacOS"; then delete the file) and on Linux it is
+named "libhwp.so". Alternatively the library can be renamed to anything
+else e.g. "hwp_renamed.dll".
+This mitigation will drop support for documents created in "Hangul
+Word Processor" versions from 1997 or older. Users of such documents are
+advised to convert their documents to other document formats such as
+OpenDocument before doing so.</p>
+
+	<h4>Further information</h4>
+        <p>Apache OpenOffice aims to fix the vulnerability in version 4.1.2, not released yet.</p>
+
+	<h4>Credits</h4>
+	<p>Thanks to an anonymous contributor working with VeriSign iDefense Labs.</p>
+
+	<hr />
+
+	<p><a href="http://security.openoffice.org">Security Home</a>
+	-&gt; <a href="http://security.openoffice.org/bulletin.html">Bulletin</a>
+	-&gt; <a href="http://security.openoffice.org/security/cves/CVE-2014-3575.html">CVE-2014-3575</a></p>
+</body>
+</html>
+
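
Review bot: The <title> element and the breadcrumb at the bottom of the new page still name CVE-2014-3575 instead of CVE-2015-1774: `<title>CVE-2014-3575</title>` and the last link, `http://security.openoffice.org/security/cves/CVE-2014-3575.html`, with the label CVE-2014-3575. Both should reference CVE-2015-1774, otherwise the browser title and the footer link send readers to a different advisory. Separately, the outer `<ul>` opened before "Severity: Important" has <h4> elements as direct children and is never closed (the single `</ul>` only closes the inner "Versions Affected" list), which is not valid under the XHTML 1.0 Strict doctype declared on the first line; dropping the outer <ul> would fix it. Smaller points: "Look for it in the folder" in the Mitigation paragraph should be lowercase mid-sentence, and the cve.mitre.org link passes name=2015-1774 without the "CVE-" prefix, so it is worth confirming that it resolves.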