| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> |
| |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| <head profile="http://www.w3.org/2005/10/profile"> |
| <title>CVE-2012-0037</title> |
| <style type="text/css"></style> |
| </head> |
| |
| <body> |
| <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0037">CVE-2012-0037</a></h2> |
| |
| <h3> |
| OpenOffice.org data leakage vulnerability |
| </h3> |
| |
| |
| |
| <h4>Severity: Important</h4> |
| |
| <h4>Vendor: The Apache Software Foundation</h4> |
| |
| <h4>Versions Affected:</h4> |
| <ul> |
| <li>OpenOffice.org 3.3 and 3.4 Beta, on all platforms.</li> |
| <li>Earlier versions may also be affected.</li> |
| </ul> |
| |
| |
| <h4>Description:</h4> |
| <p> |
| An XML External Entity (XXE) attack is possible in the above versions of OpenOffice.org. The vulnerability lies in the way |
| external entities are processed in certain XML components of ODF documents. By crafting an external entity that refers to other local file system |
| resources, an attacker can inject the contents of other locally accessible files into the ODF document without the user's knowledge or permission. Data leakage then becomes possible when that document is later distributed to other parties.</p> |
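| <p>A defensive check for the issue described above, as an added example that is not part of the original advisory or the project's own code: it scans the XML members of an ODF package for entity or DOCTYPE declarations that carry an external identifier. The function names, the size cap, the sample member name and the placeholder entity target are assumptions made for illustration.</p> |

```python
import io
import re
import zipfile

# External identifiers (SYSTEM/PUBLIC) on an entity declaration or on the
# DOCTYPE itself are what make a parser fetch something outside the document.
ENTITY_RE = re.compile(r'<!ENTITY\s+(?:%\s+)?([^\s>]+)\s+(?:SYSTEM|PUBLIC)\b')
DTD_RE = re.compile(r'<!DOCTYPE\s+([^\s>\[]+)\s+(?:SYSTEM|PUBLIC)\b')
MAX_MEMBER = 20 * 1024 * 1024  # assumed cap so a hostile archive cannot exhaust memory


def decode_xml(raw):
    """Decode by BOM so UTF-16 members are not missed by the text patterns."""
    if raw[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return raw.decode('utf-16', errors='replace')
    return raw.decode('utf-8', errors='replace')


def scan_odf(data):
    """Return sorted (member, kind, name) findings for an ODF package in bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(('.xml', '.rdf')):
                continue  # only members that carry XML are inspected
            if info.file_size > MAX_MEMBER:
                findings.append((info.filename, 'oversized', str(info.file_size)))
                continue
            text = decode_xml(pkg.read(info))
            for m in ENTITY_RE.finditer(text):
                findings.append((info.filename, 'external-entity', m.group(1)))
            for m in DTD_RE.finditer(text):
                findings.append((info.filename, 'external-dtd', m.group(1)))
    return sorted(findings)


def build_sample(with_entity):
    """Constructed test package; member name and entity target are placeholders."""
    dtd = '<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    xml = '<?xml version="1.0"?>' + (dtd if with_entity else '') + '<doc/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as pkg:
        pkg.writestr('mimetype', 'application/vnd.oasis.opendocument.text')
        pkg.writestr('content.xml', xml.encode('utf-16'))
    return buf.getvalue()


if __name__ == '__main__':
    print(scan_odf(build_sample(True)))
```

| <p>A finding is a triage signal for a document received from an untrusted source; the fix for affected installations remains the patch listed under Mitigation.</p> |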
| |
| <h4>Mitigation</h4> |
| <p>OpenOffice.org 3.3.0 and 3.4 beta users can patch their installation with the following patches. Download, unzip and follow the instructions in the enclosed readme.pdf file.</p> |
| |
| <ul> |
| <li><a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip">For Windows installs</a> |
| (<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip.md5">MD5</a>) |
| (<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-win.zip.sha1">SHA1</a>)</li> |
| |
| <li><a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip">For MacOS installs</a> |
| (<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip.md5">MD5</a>) |
| (<a href="http://archive.apache.org/dist/incubator/ooo/3.3/patches/cve-2012-0037/CVE-2012-0037-mac.zip.sha1">SHA1</a>)</li> |
| <li>Linux and other platforms should consult their distro or OS vendor for patch instructions.</li> |
| </ul> |
| |
| <p>This vulnerability is also fixed in Apache OpenOffice 3.4 dev snapshots since March 1st, 2012.</p> |
| |
| |
| <h4>Verifying the Integrity of Downloaded Files</h4> |
| |
| <p> |
| We have provided MD5 and SHA1 hashes of these patches, as well as a detached digital signature, for those who wish to verify the integrity of these files. |
| </p> |
| <p> |
| The MD5 and SHA1 hashes can be verified using Unix tools like sha1, sha1sum or md5sum. |
| </p> |
| <p> |
| The PGP signatures can be verified using PGP or GPG. First download the <a href="https://downloads.apache.org/openoffice/KEYS">KEYS</a> file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows: |
| </p> |
| <p> |
| <code> |
| % pgpk -a KEYS <br /> |
| % pgpv CVE-2012-0037-{win|mac}.zip.asc <br /> |
| </code> |
| <em>or</em> |
| <br /> |
| <code> |
| % pgp -ka KEYS <br /> |
| % pgp CVE-2012-0037-{win|mac}.zip.asc <br /> |
| </code> |
| <em>or</em> |
| <br /> |
| <code> |
| % gpg --import KEYS <br /> |
| % gpg --verify CVE-2012-0037-{win|mac}.zip.asc <br /> |
| </code> |
| </p> |
| |
| |
| |
| |
| <h4>Source and Building</h4> |
| <p>Information on obtaining the source code for this patch, and for porting it or adapting it to OpenOffice.org |
| derivatives can be found <a href="CVE-2012-0037-src.txt">here</a>.</p> |
| |
| <h4>Credit:</h4> |
| <p> |
| The Apache OpenOffice project acknowledges and thanks the discoverer of this issue, Timothy D. Morgan of Virtual Security Research, LLC. |
| </p> |
| |
| <h4>Unofficial translations:</h4> |
| <ul> |
| <li><a href="https://www.openoffice.org/it/stampa/comunicati/CVE-2012-0037.html">Italian</a></li> |
| <li><a href="https://www.openoffice.org/fi/tt/CVE-2012-0037.html">Finnish</a></li> |
| </ul> |
| |
| |
| </body> |
| </html> |