Ran across a security vulnerability in Apache OpenOffice while browsing at Teleread, http://teleread.com/chris-meadows/openoffice-security-hole-prompts-recom... . A quick search here didn't find any reference to this. The subject file is still in the PAc version of AOO.
"... there is a major security hole present in OpenOffice, involving files from Hangul Word Processor, an obscure Korean word processor format. The same hole was in LibreOffice, but LibreOffice patched it on April 25. OpenOffice recommended users delete the Hangul DLL file from their installation directory, and promised to fix it in the next release…which still hasn’t come out yet."
Though those word processor files may not be widely circulated I thought it would be a good idea to give a heads-up notice for AOO users. Other references:
OpenOffice and CVE-2015-1774 [LWN.net] - https://lwn.net/Articles/650411/
CVE - CVE-2015-1774 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1774
Apache's "fix" CVE-2015-1774 - https://www.openoffice.org/security/cves/CVE-2015-1774.html
Versions Affected:
Apache OpenOffice 4.1.1 and older.
OpenOffice.org versions are also affected.
Description
"A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial of service (memory corruption and application crash) or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format."
Mitigation
"Apache OpenOffice users are advised to remove the problematic library in the "program" folder of their OpenOffice installation. On Windows it is named "hwp.dll" (step-by-step instructions: open the Apache OpenOffice program folder, usually "C:\Program Files (x86)\OpenOffice 4\program"; delete or rename any files whose name starts with "hwp"), on Mac OS X it is named "libhwp.dylib" (step-by-step instructions: go to the Applications folder in Finder; right click on OpenOffice.app; click on "Show Package Contents"; then search for the file "libhwp.dylib" with Finder's search function, or look for it in the folder "Contents/MacOS"; then delete the file) and on Linux it is named "libhwp.so". Alternatively the library can be renamed to anything else e.g. "hwp_renamed.dll". This mitigation will drop support for documents created in "Hangul Word Processor" versions from 1997 or older. Users of such documents are advised to convert their documents to other document formats such as OpenDocument before doing so."
Leave it up to John to decide if he wants to put a notice in the LibreOffice forum to warn anyone still using versions prior to 4.3.7 to upgrade.
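The mitigation quoted above, as an added example (not part of the original post and not Apache's own code): a Python sketch that searches an installation folder for the three library names the advisory gives and renames them so the HWP filter can no longer be loaded. The `.disabled` suffix, the function names and the sample directory tree are assumptions made for illustration; the sample tree is constructed so the script runs without a real installation.

```python
import os
import tempfile
from pathlib import Path

# Library names given in the Apache advisory for CVE-2015-1774.
HWP_LIBRARIES = {"hwp.dll", "libhwp.dylib", "libhwp.so"}
DISABLED_SUFFIX = ".disabled"  # assumption: the advisory allows any new name


def find_hwp_libraries(install_root):
    """Return sorted paths of HWP filter libraries found under install_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(install_root):
        for name in files:
            if name.lower() in HWP_LIBRARIES:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def disable_hwp_libraries(install_root, dry_run=True):
    """Rename each HWP library so the office suite cannot load it.

    Returns a list of (old_path, new_path); dry_run=True changes nothing.
    """
    actions = []
    for lib in find_hwp_libraries(install_root):
        target = lib.with_name(lib.name + DISABLED_SUFFIX)
        if not dry_run:
            lib.rename(target)  # needs write access to the install folder
        actions.append((lib, target))
    return actions


def build_sample_install(root):
    """Constructed directory tree standing in for a real installation."""
    program = Path(root) / "OpenOffice 4" / "program"
    program.mkdir(parents=True)
    for name in ("hwp.dll", "soffice.exe", "sw.dll"):
        (program / name).write_bytes(b"")
    return program.parent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_install(tmp)
        print("before:", [p.name for p in find_hwp_libraries(root)])
        disable_hwp_libraries(root, dry_run=False)
        print("after: ", [p.name for p in find_hwp_libraries(root)])
```

Run with `dry_run=True` first to see which files would be renamed; as the advisory notes, renaming the library drops support for old Hangul Word Processor documents.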