You are here

[Fixed] Vulnerability in Apache OpenOffice 4.1.1

8 posts / 0 new
Last post
Freehunter
Offline
Last seen: 8 months 1 week ago
Joined: 2014-06-26 10:21
[Fixed] Vulnerability in Apache OpenOffice 4.1.1

Ran across a security vulnerability in Apache OpenOffice while browsing at Teleread, http://teleread.com/chris-meadows/openoffice-security-hole-prompts-recom... . A quick search here didn't find any reference to this. The subject file is still in the PAc version of AOO.

"... there is a major security hole present in OpenOffice, involving files from Hangul Word Processor, an obscure Korean word processor format. The same hole was in LibreOffice, but LibreOffice patched it on April 25. OpenOffice recommended users delete the Hangul DLL file from their installation directory, and promised to fix it in the next release…which still hasn’t come out yet."

Though those word processor files may not be widely circulated I thought it would be a good idea to give a heads-up notice for AOO users. Other references:

OpenOffice and CVE-2015-1774 [LWN.net] - https://lwn.net/Articles/650411/

CVE - CVE-2015-1774 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1774

Apache's "fix" CVE-2015-1774 - https://www.openoffice.org/security/cves/CVE-2015-1774.html
Versions Affected:
Apache OpenOffice 4.1.1 and older.
OpenOffice.org versions are also affected.

Description
"A vulnerability in OpenOffice's HWP filter allows attackers to cause a denial of service (memory corruption and application crash) or possibly execution of arbitrary code by preparing specially crafted documents in the HWP document format."

Mitigation
"Apache OpenOffice users are advised to remove the problematic library in the "program" folder of their OpenOffice installation. On Windows it is named "hwp.dll" (step-by-step instructions: open the Apache OpenOffice program folder, usually "C:\Program Files (x86)\OpenOffice 4\program"; delete or rename any files whose name starts with "hwp"), on Mac OS X it is named "libhwp.dylib" (step-by-step instructions: go to the Applications folder in Finder; right click on OpenOffice.app; click on "Show Package Contents"; then search for the file "libhwp.dylib" with Finder's search function, or look for it in the folder "Contents/MacOS"; then delete the file) and on Linux it is named "libhwp.so". Alternatively the library can be renamed to anything else e.g. "hwp_renamed.dll". This mitigation will drop support for documents created in "Hangul Word Processor" versions from 1997 or older. Users of such documents are advised to convert their documents to other document formats such as OpenDocument before doing so."

Leave it up to John to decide if he wants to put a notice in the LibreOffice forum to warn anyone still using versions prior to 4.3.7 to upgrade.

John T. Haller
John T. Haller's picture
Offline
Last seen: 3 hours 39 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Patch

As Apache OpenOffice is basically abandoned and probably won't be releasing a new version to fix this anytime soon, I'm going to push out a patched version of Apache OpenOffice Portable 4.1.1 with this filter removed. I'll push it out as a 1MB patch file to platform users and post a repacked version called 4.1.1.SecFix1 as a new release.

There's no need to post anything about LibreOffice. Anyone using an older version is always assumed to be vulnerable to multiple security issues anyway.

Sometimes, the impossible can become possible, if you're awesome!

John T. Haller
John T. Haller's picture
Offline
Last seen: 3 hours 39 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Fixed in Apache OpenOffice Portable 4.1.1 SecFix 1

This is fixed in today's release of Apache OpenOffice Portable 4.1.1 SecFix 1: https://portableapps.com/news/2015-09-23--apache-openoffice-portable-sti...

Local users will still need to manually apply the fix.

Sometimes, the impossible can become possible, if you're awesome!

ZehHa
Offline
Last seen: 6 years 4 months ago
Joined: 2013-07-12 05:34
Apache OpenOffice Portable 4.1.1 SecFix 1 - Localization Issue

Hello John,

Due to other issues, I had to remove and re-install AOO Portable. I used the new Apache OpenOffice Portable 4.1.1 SecFix 1 installation file. I had to realize afterwards that I cannot localize the UI language. In "Tools -> Options -> Language Settings -> Languages -> Language of User interface", I can chose "German (Germany)", but this option has no effect. After AOO restart, it still shows "English (USA)".

Thanks for any help.

Carsten

PS: After searching the forum, I found the language issue from 4/2015. Maybe the same missing localization files are missing again in the SecFix 1 version?

PPS: Announcement from Apache OpenOffice - SUNDAY SEP 27, 2015 Coming soon... Apache OpenOffice 4.1.2. Doesn't sound like "Apache OpenOffice is basically abandoned", does it?

John T. Haller
John T. Haller's picture
Offline
Last seen: 3 hours 39 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Language Switching

If you run it on its own, I can set it to German without issue. If you run it from the PA.c Platform, you need to turn off language switching as it's currently broken and will reset to English.

The reason for the "coming soon" announcement is that Apache has left a code execution bug from a document issue go unpatched for 6 months and most folks have criticized that behavior as irresponsible. This behavior has lead many to believe that Apache OpenOffice no longer has the resources to push out bug fixes any longer. To counteract that, they released this message. I'm unsure how much a message will counteract the negative perception, though, as the bug is still unpatched and the only ETA is "late 2015".

Sometimes, the impossible can become possible, if you're awesome!

ZehHa
Offline
Last seen: 6 years 4 months ago
Joined: 2013-07-12 05:34
Language switching

Hello John!

You wrote:
> If you run it on its own, I can set it to German without issue.

Yes, thank you. I created a new desktop application link to the EXE-file for easier access. That works.

> If you run it from the PA.c Platform, you need to turn off language switching as it's currently broken and will reset to English.

Any chance to get that fixed?

John T. Haller
John T. Haller's picture
Offline
Last seen: 3 hours 39 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Removed Switching

To be on the safe side, I removed automatic language switched from the 4.1.2 Patch 1 release.

Sometimes, the impossible can become possible, if you're awesome!

ASJ
Offline
Last seen: 1 month 1 week ago
Joined: 2008-10-21 18:00
Error on download

There is an error when trying to update through PA updater. Something about it being "not valid ?". Just thought I'd let you know.

Don't be a pin-head!

Log in or register to post comments