content/security/cves/CVE-2012-0037.html - openoffice-org - Git at Google

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

 <html xmlns="http://www.w3.org/1999/xhtml">
 <head profile="http://www.w3.org/2005/10/profile">
   <title>CVE-2012-0037</title>
   <style type="text/css"></style>
 </head>

 <body>
   <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0037">CVE-2012-0037</a></h2>

   <h3>
   OpenOffice.org data leakage vulnerability
   </h3>

     <ul>

         <h4>Severity: Important</h4>

         <h4>Vendor: The Apache Software Foundation</h4>

         <h4>Versions Affected:</h4>
                                  <ul>
                                      <li>OpenOffice.org 3.3 and 3.4 Beta, on all platforms.</li>
                                      <li>Earlier versions may be also affected.</li>
                                  </ul>


 <h4>Description:</h4>
 <p>
 Description: An XML External Entity (XXE) attack is possible in the above versions of OpenOffice.org.  This vulnerability exploits the way in
 which external entities are processed in certain XML components of ODF documents.  By crafting an external entity to refer to other local file system
 resources, an attacker would be able to inject contents of other locally- accessible files into the ODF document, without the user's knowledge or permission.  Data leakage then becomes possible when that document is later distributed to other parties.</p>

         <h4>Mitigation</h4>
         <p>OpenOffice.org 3.3.0 and 3.4 beta users can patch their installation with the following patches. Download, unzip and follow the instructions in the enclosed readme.pdf file.</p>

         <ul>
             <li><a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip">For Windows installs</a>
 (<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip.md5">MD5</a>)
 (<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip.sha1">SHA1</a>)</li>

             <li><a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip">For MacOS installs</a>
 (<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip.md5">MD5</a>)
 (<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip.sha1">SHA1</a>)</li></li>
             <li>Linux and other platforms should consult their distro or OS vendor for patch instructions.</li>
         </ul>

         <p>This vulnerability is also fixed in Apache OpenOffice 3.4 dev snapshots since March 1st, 2012.</p>


 <h4>Verifying the Integrity of Downloaded Files</h4>

 <p>
 We have provided MD5 and SHA1 hashes of these patches, as well as a detached digital signature, for those who wish to verify the integrity of these files.
 <p>
 The MD5 and SHA1 hashes can be verified using Unix tools like sha1, sha1sum or md5sum.
 <p>
 The PGP signatures can be verified using PGP or GPG. First download the <a href="https://downloads.apache.org/openoffice/KEYS">KEYS</a> file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows:
 <p>
 <code>
 % pgpk -a KEYS <br>
 % pgpv CVE-2012-0037-{win|mac}.zip.asc <br>
 </code>
 <em>or</em>
 <br>
 <code>
 % pgp -ka KEYS <br>
 % pgp CVE-2012-0037-{win|mac}.zip.asc <br>
 </code>
 <em>or</em>
 <br>
 <code>
 % gpg --import KEYS <br>
 % gpg --verify CVE-2012-0037-{win|mac}.zip.asc <br>
 </code>


         <h4>Source and Building</h4>
         <p>Information on obtaining the source code for this patch, and for porting it or adapting it to OpenOffice.org
         derivatives can be found <a href="CVE-2012-0037-src.txt">here</a>.</p>

         <h4>Credit:</h4>
         <p>
          The Apache OpenOffice project acknowledges and thanks the discoverer of this issue, Timothy D. Morgan of Virtual Security Research, LLC.
          </p>

 	<h4>Unofficial translations:</h4>
         <ul>
 			<li><a href="https://www.openoffice.org/it/stampa/comunicati/CVE-2012-0037.html">Italian</a></li>
 			<li><a href="https://www.openoffice.org/fi/tt/CVE-2012-0037.html">Finnish</a></li>
          </ul>


   <hr />

   <p><a href="http://security.openoffice.org">Security Home</a> -&gt; <a href="http://security.openoffice.org/bulletin.html">Bulletin</a> -&gt;
   <a href="http://security.openoffice.org/security/cves/CVE-2012-0037.html">CVE-2012-0037</a></p>
 </body>
 </html>
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

	<html xmlns="http://www.w3.org/1999/xhtml">
	<head profile="http://www.w3.org/2005/10/profile">
	<title>CVE-2012-0037</title>
	<style type="text/css"></style>
	</head>

	<body>
	<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0037">CVE-2012-0037</a></h2>

	<h3>
	OpenOffice.org data leakage vulnerability
	</h3>

	<ul>

	<h4>Severity: Important</h4>

	<h4>Vendor: The Apache Software Foundation</h4>

	<h4>Versions Affected:</h4>
	<ul>
	<li>OpenOffice.org 3.3 and 3.4 Beta, on all platforms.</li>
	<li>Earlier versions may be also affected.</li>
	</ul>


	<h4>Description:</h4>
	<p>
	Description: An XML External Entity (XXE) attack is possible in the above versions of OpenOffice.org. This vulnerability exploits the way in
	which external entities are processed in certain XML components of ODF documents. By crafting an external entity to refer to other local file system
	resources, an attacker would be able to inject contents of other locally- accessible files into the ODF document, without the user's knowledge or permission. Data leakage then becomes possible when that document is later distributed to other parties.</p>

	<h4>Mitigation</h4>
	<p>OpenOffice.org 3.3.0 and 3.4 beta users can patch their installation with the following patches. Download, unzip and follow the instructions in the enclosed readme.pdf file.</p>

	<ul>
	<li><a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip">For Windows installs</a>
	(<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip.md5">MD5</a>)
	(<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip.sha1">SHA1</a>)</li>

	<li><a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip">For MacOS installs</a>
	(<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip.md5">MD5</a>)
	(<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip.sha1">SHA1</a>)</li></li>
	<li>Linux and other platforms should consult their distro or OS vendor for patch instructions.</li>
	</ul>

	<p>This vulnerability is also fixed in Apache OpenOffice 3.4 dev snapshots since March 1st, 2012.</p>


	<h4>Verifying the Integrity of Downloaded Files</h4>

	<p>
	We have provided MD5 and SHA1 hashes of these patches, as well as a detached digital signature, for those who wish to verify the integrity of these files.
	<p>
	The MD5 and SHA1 hashes can be verified using Unix tools like sha1, sha1sum or md5sum.
	<p>
	The PGP signatures can be verified using PGP or GPG. First download the <a href="https://downloads.apache.org/openoffice/KEYS">KEYS</a> file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows:
	<p>
	<code>
	% pgpk -a KEYS <br>
	% pgpv CVE-2012-0037-{win\|mac}.zip.asc <br>
	</code>
	<em>or</em>
	<br>
	<code>
	% pgp -ka KEYS <br>
	% pgp CVE-2012-0037-{win\|mac}.zip.asc <br>
	</code>
	<em>or</em>
	<br>
	<code>
	% gpg --import KEYS <br>
	% gpg --verify CVE-2012-0037-{win\|mac}.zip.asc <br>
	</code>




	<h4>Source and Building</h4>
	<p>Information on obtaining the source code for this patch, and for porting it or adapting it to OpenOffice.org
	derivatives can be found <a href="CVE-2012-0037-src.txt">here</a>.</p>

	<h4>Credit:</h4>
	<p>
	The Apache OpenOffice project acknowledges and thanks the discoverer of this issue, Timothy D. Morgan of Virtual Security Research, LLC.
	</p>

	<h4>Unofficial translations:</h4>
	<ul>
	<li><a href="https://www.openoffice.org/it/stampa/comunicati/CVE-2012-0037.html">Italian</a></li>
	<li><a href="https://www.openoffice.org/fi/tt/CVE-2012-0037.html">Finnish</a></li>
	</ul>


	<hr />

	<p><a href="http://security.openoffice.org">Security Home</a> -> <a href="http://security.openoffice.org/bulletin.html">Bulletin</a> ->
	<a href="http://security.openoffice.org/security/cves/CVE-2012-0037.html">CVE-2012-0037</a></p>
	</body>
	</html>