content/security/cves/CVE-2013-1571.html - openoffice-org - Git at Google

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

 <html xmlns="http://www.w3.org/1999/xhtml">
 <head profile="http://www.w3.org/2005/10/profile">
   <title> CVE-2013-1571</title>
   <style type="text/css"></style>
 </head>

 <body>
   <h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1571">CVE-2013-1571</a></h2>

   <h3>
   Frame Injection Vulnerability in SDK JavaDoc
   </h3>

     <ul>

         <h4>Severity: Medium</h4>

         <h4>Vendor: The Apache Software Foundation</h4>

         <h4>Versions Affected:</h4>
                                  <ul>
                                      <li>Apache OpenOffice 3.4.1 SDK, on all platforms.</li>
                                      <li>Earlier versions may be also affected.</li>
                                  </ul>


 <h4>Description:</h4>
 <p>
 As reported on June 18th there is a <a href="http://www.kb.cert.org/vuls/id/225657">vulnerability in JavaDoc</a> generated by Java 5, Java 6 and Java 7 before update 22.  Generated
         JavaDoc files could be suceptible to HTML frame injection attacks. Our investigation indicated that the UDK 3.2.7 Java API Reference in the Apache OpenOffice SDK contains
         a vulnerable HTML file.</p>

 <p>Note:  Ordinary installs of OpenOffice are not impacted by this vulnerability.  Only installs of the OpenOffice SDK, typically only installed by software developers writing
         extensions, are impacted</p>

         <h4>Mitigation</h4>
         <p>SDK users should update their installations by replacing /docs/java/ref/index.html with this
         <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip">patched version</a>.
         Download, unzip and follow the  instructions in the enclosed README file.</p>

         <p>Users with earlier versions of the SDK (pre 3.4.1) should <a href="http://www.download.openoffice.org/download/other.html#tested-sdk">upgrade to the current version</a> and then apply the patch.  Alternative, they can download and run
         Oracle's <a href="http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html">Java API Documentation Updater Tool</a> to repair
         the vulnerabilities in place.</p>


 <h4>Verifying the Integrity of Downloaded Files</h4>

 <p>
 We have provided <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.md5">MD5</a> and <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.sha256">SHA256</a> hashes of these patches,
         as well as a <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.asc">GPG/PGP detached digital signature</a>, for those who wish to verify the
         integrity of this file.
 <p>
 The MD5 and SHA256 hashes can be verified using Unix tools like md5sum or sha256sum.
 <p>
 The PGP signatures can be verified using PGP or GPG. First download the <a href="https://downloads.apache.org/openoffice/KEYS">KEYS</a> file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows:
 <p>
 <code>
 % pgpk -a KEYS <br>
 % pgpv cve-2013-1571.zip.asc <br>
 </code>
 <em>or</em>
 <br>
 <code>
 % pgp -ka KEYS <br>
 % pgp cve-2013-1571.zip.asc <br>
 </code>
 <em>or</em>
 <br>
 <code>
 % gpg --import KEYS <br>
 % gpg --verify cve-2013-1571.zip.asc <br>
 </code>


   <hr />

   <p><a href="http://security.openoffice.org">Security Home</a> -&gt; <a href="http://security.openoffice.org/security/bulletin.html">Bulletin</a> -&gt;
   <a href="http://security.openoffice.org/security/cves/CVE-2013-1571.html">CVE-2013-1571</a></p>
 </body>
 </html>
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

	<html xmlns="http://www.w3.org/1999/xhtml">
	<head profile="http://www.w3.org/2005/10/profile">
	<title> CVE-2013-1571</title>
	<style type="text/css"></style>
	</head>

	<body>
	<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1571">CVE-2013-1571</a></h2>

	<h3>
	Frame Injection Vulnerability in SDK JavaDoc
	</h3>

	<ul>

	<h4>Severity: Medium</h4>

	<h4>Vendor: The Apache Software Foundation</h4>

	<h4>Versions Affected:</h4>
	<ul>
	<li>Apache OpenOffice 3.4.1 SDK, on all platforms.</li>
	<li>Earlier versions may be also affected.</li>
	</ul>


	<h4>Description:</h4>
	<p>
	As reported on June 18th there is a <a href="http://www.kb.cert.org/vuls/id/225657">vulnerability in JavaDoc</a> generated by Java 5, Java 6 and Java 7 before update 22. Generated
	JavaDoc files could be suceptible to HTML frame injection attacks. Our investigation indicated that the UDK 3.2.7 Java API Reference in the Apache OpenOffice SDK contains
	a vulnerable HTML file.</p>

	<p>Note: Ordinary installs of OpenOffice are not impacted by this vulnerability. Only installs of the OpenOffice SDK, typically only installed by software developers writing
	extensions, are impacted</p>

	<h4>Mitigation</h4>
	<p>SDK users should update their installations by replacing /docs/java/ref/index.html with this
	<a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip">patched version</a>.
	Download, unzip and follow the instructions in the enclosed README file.</p>

	<p>Users with earlier versions of the SDK (pre 3.4.1) should <a href="http://www.download.openoffice.org/download/other.html#tested-sdk">upgrade to the current version</a> and then apply the patch. Alternative, they can download and run
	Oracle's <a href="http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html">Java API Documentation Updater Tool</a> to repair
	the vulnerabilities in place.</p>


	<h4>Verifying the Integrity of Downloaded Files</h4>

	<p>
	We have provided <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.md5">MD5</a> and <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.sha256">SHA256</a> hashes of these patches,
	as well as a <a href="http://archive.apache.org/dist/incubator/ooo/3.4.1/source/cve-2013-1571.zip.asc">GPG/PGP detached digital signature</a>, for those who wish to verify the
	integrity of this file.
	<p>
	The MD5 and SHA256 hashes can be verified using Unix tools like md5sum or sha256sum.
	<p>
	The PGP signatures can be verified using PGP or GPG. First download the <a href="https://downloads.apache.org/openoffice/KEYS">KEYS</a> file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows:
	<p>
	<code>
	% pgpk -a KEYS <br>
	% pgpv cve-2013-1571.zip.asc <br>
	</code>
	<em>or</em>
	<br>
	<code>
	% pgp -ka KEYS <br>
	% pgp cve-2013-1571.zip.asc <br>
	</code>
	<em>or</em>
	<br>
	<code>
	% gpg --import KEYS <br>
	% gpg --verify cve-2013-1571.zip.asc <br>
	</code>



	<hr />

	<p><a href="http://security.openoffice.org">Security Home</a> -> <a href="http://security.openoffice.org/security/bulletin.html">Bulletin</a> ->
	<a href="http://security.openoffice.org/security/cves/CVE-2013-1571.html">CVE-2013-1571</a></p>
	</body>
	</html>