Posted to users@openoffice.apache.org by Dave Fisher <wa...@apache.org> on 2021/04/15 19:18:30 UTC

CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks

Severity: moderate

Description:

The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.

Credit:

Fabian Bräunlein and Lukas Euler of Positive Security



Re: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks

Posted by Jim Jagielski <ji...@jaguNET.com>.
In prep for 4.1.10 (and our 1st release candidate), we're using

    https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.10

for tracking. 

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Re: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks

Posted by Carl Marcum <cm...@apache.org>.
Thank you Dave for all your work and co-ordination with security, the 
reporter, and communications.

Best regards,
Carl

On 4/15/21 4:06 PM, Dave Fisher wrote:
> Hi -
>
> Here is some background on the issue which has apparently existed since about OpenOffice.org 2.0 in 2005 or so.
>
> See https://bz.apache.org/ooo/show_bug.cgi?id=49802
>
> Some confusion existed between types of hyperlinks and rather than filtering they were all allowed to proceed.
>
> Arrigo restored the code and Carl added some protocol checks:
> https://github.com/apache/openoffice/commit/aa358bfc895091e0ee5382ad1d25e5d51261463b
>
> This current code will cause a warning for any http(s) hyperlinks that do not have an extension in the “whitelist.”
>
> Some think that we should blanket allow all http(s) hyperlinks so I’ve created a PR for that:
> https://github.com/apache/openoffice/pull/127
>
> Topics for 4.2.0 include:
> (1) A better dialog box for the hyperlink security warning
> (2) Implement an option to allow users to choose from 3 levels of hyperlink security that is in the code, but not the settings. The levels in the code are essentially:
> - No Security
> - What we have now
> - And only help links
>
> All The Best,
> Dave
>
>
>> On Apr 15, 2021, at 12:34 PM, Dave Fisher <wa...@apache.org> wrote:
>>
>> Hi -
>>
>> We are working on releasing 4.1.10 soon due to this security report [1] which was announced today.
>>
>> I’d like to credit Arrigo Marchiori and Carl Marcum for development. Ariel Constenla-Haile and Peter Kovacs for our indispensable OpenGrok setup. Matthias Seidel, Marcus Lange, Jim Jagielski, and Don Lewis for builds and testing.
>>
>> All The Best,
>> Dave
>>
>> [1] https://positive.security/blog/url-open-rce
>>
>>> On Apr 15, 2021, at 12:18 PM, Dave Fisher <wa...@apache.org> wrote:
>>>
>>> Severity: moderate
>>>
>>> Description:
>>>
>>> The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.
>>>
>>> Credit:
>>>
>>> Fabian Bräunlein and Lukas Euler of Positive Security
>>>
>>>
>


Re: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks

Posted by Dave Fisher <wa...@apache.org>.
Hi -

Here is some background on the issue which has apparently existed since about OpenOffice.org 2.0 in 2005 or so.

See https://bz.apache.org/ooo/show_bug.cgi?id=49802

Some confusion existed between types of hyperlinks and rather than filtering they were all allowed to proceed.

Arrigo restored the code and Carl added some protocol checks:
https://github.com/apache/openoffice/commit/aa358bfc895091e0ee5382ad1d25e5d51261463b

This current code will cause a warning for any http(s) hyperlinks that do not have an extension in the “whitelist.”

Some think that we should blanket allow all http(s) hyperlinks so I’ve created a PR for that:
https://github.com/apache/openoffice/pull/127

Topics for 4.2.0 include:
(1) A better dialog box for the hyperlink security warning
(2) Implement an option to allow users to choose from 3 levels of hyperlink security that is in the code, but not the settings. The levels in the code are essentially:
- No Security
- What we have now
- And only help links

All The Best,
Dave


> On Apr 15, 2021, at 12:34 PM, Dave Fisher <wa...@apache.org> wrote:
> 
> Hi -
> 
> We are working on releasing 4.1.10 soon due to this security report [1] which was announced today.
> 
> I’d like to credit Arrigo Marchiori and Carl Marcum for development. Ariel Constenla-Haile and Peter Kovacs for our indispensable OpenGrok setup. Matthias Seidel, Marcus Lange, Jim Jagielski, and Don Lewis for builds and testing.
> 
> All The Best,
> Dave
> 
> [1] https://positive.security/blog/url-open-rce
> 
>> On Apr 15, 2021, at 12:18 PM, Dave Fisher <wa...@apache.org> wrote:
>> 
>> Severity: moderate
>> 
>> Description:
>> 
>> The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.
>> 
>> Credit:
>> 
>> Fabian Bräunlein and Lukas Euler of Positive Security
>> 
>> 
> 
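
The link-handling policy described in the message above (a warning for non-http(s) schemes, an extension list for http(s) links, and three security levels), sketched as an added Python example that is not part of the thread and is not OpenOffice's code. The help-link scheme, the extension list, the treatment of help links at the middle level, the refusal at the strictest level and the `allow_all_http` switch (modelling the blanket-allow proposal) are assumptions made for illustration.

```python
import posixpath
from enum import Enum
from urllib.parse import urlsplit


class Level(Enum):
    NO_SECURITY = 0   # every hyperlink opens without a prompt
    CURRENT = 1       # "what we have now": warn unless http(s) + listed extension
    HELP_ONLY = 2     # only help links open


class Verdict(Enum):
    OPEN = "open"
    WARN = "warn"     # show the security warning; the user may continue
    REFUSE = "refuse"


# Assumed values, for illustration only (not taken from the OpenOffice source).
HELP_SCHEME = "vnd.sun.star.help"
EXTENSION_ALLOWLIST = {".html", ".htm"}


def classify(url, level=Level.CURRENT, allow_all_http=False):
    """Decide what to do with a hyperlink taken from an untrusted document."""
    if level is Level.NO_SECURITY:
        return Verdict.OPEN
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # malformed authority, e.g. a bad IPv6 literal
        parts = None
    scheme = parts.scheme if parts else ""   # urlsplit lowercases the scheme
    if scheme == HELP_SCHEME:
        return Verdict.OPEN       # assumption: help links open at every level
    if level is Level.HELP_ONLY:
        return Verdict.REFUSE     # assumption: everything else is refused
    if scheme not in ("http", "https"):
        return Verdict.WARN       # file:, ftp:, custom handlers, no scheme at all
    if allow_all_http:
        return Verdict.OPEN       # blanket-allow variant for http(s)
    ext = posixpath.splitext(parts.path)[1].lower()
    return Verdict.OPEN if ext in EXTENSION_ALLOWLIST else Verdict.WARN


if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://example.org/guide.HTML", "https://example.org/",
                 "file:///tmp/notes.html", "vnd.sun.star.help://swriter/start"):
        print(f"{link:40} {classify(link).value}")
```

With the extension list applied literally, an http(s) link with no file extension still raises the warning, which is the behaviour the blanket-allow variant removes.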




Re: CVE-2021-30245: Code execution in Apache OpenOffice via non-http(s) schemes in Hyperlinks

Posted by Dave Fisher <wa...@apache.org>.
Hi -

We are working on releasing 4.1.10 soon due to this security report [1] which was announced today.

I’d like to credit Arrigo Marchiori and Carl Marcum for development. Ariel Constenla-Haile and Peter Kovacs for our indispensable OpenGrok setup. Matthias Seidel, Marcus Lange, Jim Jagielski, and Don Lewis for builds and testing.

All The Best,
Dave

[1] https://positive.security/blog/url-open-rce

> On Apr 15, 2021, at 12:18 PM, Dave Fisher <wa...@apache.org> wrote:
> 
> Severity: moderate
> 
> Description:
> 
> The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.
> 
> Credit:
> 
> Fabian Bräunlein and Lukas Euler of Positive Security
> 
> 

