| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> |
| |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| <head profile="http://www.w3.org/2005/10/profile"> |
| <title> CVE-2013-1571</title> |
| <style type="text/css"></style> |
| </head> |
| |
| <body> |
| <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1571">CVE-2013-1571</a></h2> |
| |
| <h3> |
| Frame Injection Vulnerability in SDK JavaDoc |
| </h3> |
| |
| |
| <h4>Severity: Medium</h4> |
| |
| <h4>Vendor: The Apache Software Foundation</h4> |
| |
| <h4>Versions Affected:</h4> |
| <ul> |
| <li>Apache OpenOffice 3.4.1 SDK, on all platforms.</li> |
| <li>Earlier versions may also be affected.</li> |
| </ul> |
| |
| |
| <h4>Description:</h4> |
| <p> |
| As reported on June 18th there is a <a href="http://www.kb.cert.org/vuls/id/225657">vulnerability in JavaDoc</a> generated by Java 5, Java 6 and Java 7 before update 22. Generated |
| JavaDoc files could be susceptible to HTML frame injection attacks. Our investigation indicated that the UDK 3.2.7 Java API Reference in the Apache OpenOffice SDK contains |
| a vulnerable HTML file.</p> |
| |
| <p>Note: Ordinary installs of OpenOffice are not impacted by this vulnerability. Only installs of the OpenOffice SDK, typically only installed by software developers writing |
| extensions, are impacted.</p> |
| |
| <h4>Mitigation</h4> |
| <p>SDK users should update their installations by replacing /docs/java/ref/index.html with this |
| <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip">patched version</a>. |
| Download, unzip and follow the instructions in the enclosed README file.</p> |
| |
| <p>Users with earlier versions of the SDK (pre 3.4.1) should <a href="http://www.download.openoffice.org/download/other.html#tested-sdk">upgrade to the current version</a> and then apply the patch. Alternatively, they can download and run |
| Oracle's <a href="http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html">Java API Documentation Updater Tool</a> to repair |
| the vulnerabilities in place.</p> |
| |
| |
| <h4>Verifying the Integrity of Downloaded Files</h4> |
| |
| <p> |
| We have provided <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.md5">MD5</a> and <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.sha256">SHA256</a> hashes of these patches, |
| as well as a <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.asc">GPG/PGP detached digital signature</a>, for those who wish to verify the |
| integrity of this file. |
| </p> |
| <p> |
| The MD5 and SHA256 hashes can be verified using Unix tools like md5sum or sha256sum. |
| </p> |
| <p> |
| The PGP signatures can be verified using PGP or GPG. First download the <a href="https://downloads.apache.org/openoffice/KEYS">KEYS</a> file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows: |
| </p> |
| <p> |
| <code> |
| % pgpk -a KEYS <br /> |
| % pgpv cve-2013-1571.zip.asc <br /> |
| </code> |
| <em>or</em> |
| <br /> |
| <code> |
| % pgp -ka KEYS <br /> |
| % pgp cve-2013-1571.zip.asc <br /> |
| </code> |
| <em>or</em> |
| <br /> |
| <code> |
| % gpg --import KEYS <br /> |
| % gpg --verify cve-2013-1571.zip.asc <br /> |
| </code> |
| </p> |
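| <p>One way to script the SHA256 check described above, as an added example that is not part of the original advisory. It assumes the published checksum file may be in <code>sha256sum</code> layout, a bare digest, or GnuPG's grouped uppercase layout, and normalises all three before comparing; the function names are this example's own.</p> |

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.
# Assumption: the published .sha256 file uses one of three common layouts:
#   <hex>  <file>          (sha256sum)
#   <hex>                  (bare digest)
#   <file>: ABCD1234 ...   (gpg --print-md, grouped, possibly wrapped)

# Print the first 64-hex-digit value found in checksum file $1, lowercased.
published_sha256() {
    # Dropping whitespace rejoins GnuPG's 8-digit groups and wrapped lines.
    tr 'A-F' 'a-f' < "$1" | tr -d ' \t\r\n' | grep -oE '[0-9a-f]{64}' | head -n 1
}

# Print the SHA-256 of file $1 using whichever tool is installed.
local_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_sha256 FILE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if no digest could be read.
verify_sha256() {
    want=$(published_sha256 "$2")
    if [ -z "$want" ]; then
        echo "no SHA-256 digest found in $2" >&2
        return 2
    fi
    have=$(local_sha256 "$1")
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: $1 (published $want, computed $have)" >&2
        return 1
    fi
    echo "OK: $1 matches $2"
}

# Script usage: sh verify.sh cve-2013-1571.zip cve-2013-1571.zip.sha256
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

| <p>A matching digest only shows that the download equals what the server published; the detached signature check against KEYS is what ties the file to a release signer.</p> |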
| |
| |
| |
| <hr /> |
| |
| </body> |
| </html> |