Posted to users@openoffice.apache.org by John <se...@fastmail.com> on 2016/08/30 21:51:57 UTC

Thanx..

Dear Dennis,

Thanks again, for staying up on these crucial items.. and.. letting us
know what's happening. For every (one) person, like me, who thanks
you.. I am SURE, there are literally THOUSANDS, who feel the same.. but
just don't write you..

Halvy (John) :)





 On Tue, Aug 30, 2016, at 08:11 AM, Dennis E. Hamilton wrote:
> The change is availability of a Hotfix.
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> CVE-2016-1513
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1513>
>
> Apache OpenOffice Advisory
> <https://www.openoffice.org/security/cves/CVE-2016-1513.html>
>
> Title: Memory Corruption Vulnerability (Impress Presentations)
>
> Version 2.0
> Updated August 30, 2016
> Announced July 21, 2016
>
> Description
>
> An OpenDocument Presentation .ODP or Presentation Template .OTP file
> can contain invalid presentation elements that lead to memory
> corruption when the document is loaded in Apache OpenOffice Impress.
> The defect may cause the document to appear as corrupted and
> OpenOffice may crash in a recovery-stuck mode. A crafted exploitation
> of the defect can allow an attacker to cause denial of service (memory
> corruption and application crash) and possible execution of arbitrary
> code.
>
> Impress cannot be used to directly produce documents having the
> CVE-2016-1513-related defect. Impress-authored .ODP and .OTP documents
> of a user's own that exhibit any of these characteristics are not the
> result of an exploit. They may be consequences of a separate Impress
> defect that should be reported.
>
> Severity: Medium
>
> There are no known exploits of this vulnerability. A proof-of-concept
> demonstration exists.
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>
> All Apache OpenOffice versions 4.1.2 and older are affected.
> OpenOffice.org versions are also affected.
>
> Mitigation:
>
> Install the 4.1.2-patch1 Hotfix available at
> <http://archive.apache.org/dist/openoffice/4.1.2-patch1/hotfix.html>.
>
> A source-code patch that blocks the vulnerability has been developed
> and is available for developers at
> <https://bz.apache.org/ooo/show_bug.cgi?id=127045>.
>
> Antivirus products can detect documents attempting to exploit this
> vulnerability by employing Snort Signature IDs 35828-35829.
>
> Defenses and Work-Arounds:
>
> If you are unable to apply the Hotfix to Apache OpenOffice 4.1.2
> (after updating to that version, if necessary), there are other
> precautions that can be taken. These precautions are applicable in
> avoiding other possible exploits as well.
>
> For defects such as those involved in CVE-2016-1513, documents can be
> crafted to cause memory corruption enough to crash Apache OpenOffice.
> Beyond that, however, the conditions under which arbitrary code can be
> executed are complex and difficult to achieve in an undetected manner.
>
> An important layer of defense for all such cases is to avoid operating
> Apache OpenOffice (and any other personal productivity programs) under
> a computer account that has administrative privileges of any kind.
> While installation of Apache OpenOffice requires elevated privileges
> and user permission on platforms such as Microsoft Windows, operation
> of the software does not.
>
> Keeping antivirus/antimalware software current is also important. This
> will serve to identify and distinguish suspicious documents that
> involve the exploit, avoiding confusion with documents that are
> damaged and/or fail for other reasons.
>
> Further Information:
>
> For additional information and assistance, consult the Apache
> OpenOffice Community Forums, <https://forum.openoffice.org/> or make
> requests to the <ma...@openoffice.apache.org> public mailing list.
> Defects not involving suspected security vulnerabilities can be
> reported via
> <http://www.openoffice.org/qa/issue_handling/pre_submission.html>.
>
> The latest information on Apache OpenOffice security bulletins can be
> found at the Bulletin Archive page
> <http://www.openoffice.org/security/bulletin.html>.
>
> Credits:
>
> The Apache OpenOffice project acknowledges the discovery and analysis
> for CVE-2016-1513 by Yves Younan and Richard Johnson of Cisco Talos.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> -----END PGP SIGNATURE-----

>

- My alt email addy is: thee_law@yahoo.com


-- Words.. they are everything...