Re: [DISCUSS] Future of the Hangul Word Processor, HWP, filter

2015-04-29 Thread Andrea Pescetti

On 28/04/2015 Marcus wrote:

> On 04/28/2015 06:12 PM, Kay Schenk wrote:
>
>> As we plan for the 4.1.2 release, should we give some thought to the
>> importance of the HWP filter, Hangul Word Processor
>
> But Jeongkyu Kim on the L10n@ mailing list wrote that it is no longer
> relevant. So, maybe it is time to delete it from AOO when it is now
> problematic and fixing doesn't pay off.


This is the relevant thread
http://markmail.org/message/q3ujdipaz32u2dbd

The only reasonable solution indeed seems to remove the filter. I opened 
a 4.1.2 issue at

https://bz.apache.org/ooo/show_bug.cgi?id=126281
(note: I didn't set the "security" keyword or the "4.1.2 release 
blocker" tag since this would make the workflow more complex).


Of course, the issue can be rediscussed if someone brings good arguments 
for keeping the filter, but nobody on the dev or l10n list did it so far.


Regards,
  Andrea.

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



Re: mingw32 for building the ODK under Linux?

2015-04-29 Thread Andrea Pescetti

On 29/04/2015 Kay Schenk wrote:

>   put it into external/unowinreg using your browser or a command
> equivalent to:
>   wget -O external/unowinreg/unowinreg.dll
> http://www.openoffice.org/tools/unowinreg_prebuild/680/unowinreg.dll
>
> Is this really needed for Linux builds of the ODK?


I wrote (actually updated) this error message. You can find all details 
at (issue from 2005)

https://bz.apache.org/ooo/show_bug.cgi?id=49718

As Juergen says there, "unowinreg.dll is packed into the SDK on all
platforms and for that reason it is necessary to have the library in place".

Regards,
  Andrea.




Re: Reporting broken download link

2015-04-29 Thread FR web forum
> The server at 10.5.101.1 is taking too long to respond.

This IP address is in a private network. That means it is not allocated
to any specific organization and cannot be transmitted through the public
Internet.





Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

2015-04-29 Thread Simon Phipps
Given this problem is not fixed in the current download, should the project
suspend downloads until it can be addressed? Few of the people downloading
the package will be aware of this CVE or of the necessary mitigation
post-install.

S.


On Sat, Apr 25, 2015 at 8:13 PM, Herbert Duerr  wrote:

> CVE-2015-1774
>
> OpenOffice HWP Filter Remote Code Execution and Denial of Service
> Vulnerability
>
> A vulnerability in OpenOffice's HWP filter allows attackers to cause a
> denial of service (memory corruption and application crash) or possibly
> execution of arbitrary code by preparing specially crafted documents in
> the HWP document format.
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>
> All Apache OpenOffice versions 4.1.1 and older are affected.
>
> Mitigation:
>
> Apache OpenOffice users are advised to remove the problematic library in
> the "program" folder of their OpenOffice installation. On Windows it is
> named "hwp.dll", on Mac it is named "libhwp.dylib" and on Linux it is
> named "libhwp.so". Alternatively the library can be renamed to anything
> else e.g. "hwp_renamed.dll".
> This mitigation will drop AOO's support for documents created in "Hangul
> Word Processor" versions from 1997 or older. Users of such documents are
> advised to convert their documents to other document formats such as
> OpenDocument before doing so.
>
> Apache OpenOffice aims to fix the vulnerability in version 4.1.2.
>
> Credits:
>
> Thanks to an anonymous contributor working with VeriSign iDefense Labs.
>
>
>


-- 
*Simon Phipps*  http://webmink.com
*Office:* +1 (415) 683-7660 *or* +44 (238) 098 7027
*Mobile*:  +44 774 776 2816 *or Telegram *
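Added example, not part of the thread or of the AOO project: a POSIX shell check that reports whether an OpenOffice installation still carries one of the HWP filter libraries named in the advisory quoted above, and applies the rename mitigation the advisory describes. The install root path argument and the ".disabled" suffix are assumptions; the advisory only says to rename the library to anything else.

```shell
#!/bin/sh
# Added example (not from the advisory or the AOO project). Assumes the
# install root passed in contains a "program" directory, as the advisory
# states for Windows, Mac and Linux installations.

# hwp_status INSTALL_ROOT
# Prints "present" if any of the three filter libraries is still loadable,
# "mitigated" if none of them exists. Returns 2 if the program folder is
# missing, so the caller can tell "not an install" from "already mitigated".
hwp_status() {
    prog="$1/program"
    [ -d "$prog" ] || { echo "no program folder at $prog" >&2; return 2; }
    for lib in hwp.dll libhwp.dylib libhwp.so; do
        if [ -e "$prog/$lib" ]; then
            echo "present"
            return 0
        fi
    done
    echo "mitigated"
    return 0
}

# hwp_mitigate INSTALL_ROOT
# Renames each filter library found to <name>.disabled (assumed suffix) so
# the filter can no longer be loaded; renaming rather than deleting keeps
# the file recoverable, which the advisory allows. Returns 0 if at least one
# library was renamed, 1 if there was nothing to do.
hwp_mitigate() {
    prog="$1/program"
    renamed=0
    for lib in hwp.dll libhwp.dylib libhwp.so; do
        if [ -e "$prog/$lib" ]; then
            mv "$prog/$lib" "$prog/$lib.disabled" && renamed=1
        fi
    done
    [ "$renamed" -eq 1 ]
}
```

Run `hwp_status /opt/openoffice4` (path is an example) before and after `hwp_mitigate` to confirm the mitigation took effect.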


Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

2015-04-29 Thread Andrea Pescetti

Simon Phipps wrote:

> Given this problem is not fixed in the current download, should the project
> suspend downloads until it can be addressed?


This looks like a very extreme measure to take. The severity of the 
issue would not justify it. As far as I know, there are no known 
exploits and we are talking about a file format that is obsolete by all 
means.


Regards,
  Andrea.




Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

2015-04-29 Thread Simon Phipps
On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti 
wrote:

> Simon Phipps wrote:
>
>> Given this problem is not fixed in the current download, should the
>> project
>> suspend downloads until it can be addressed?
>>
>
> This looks like a very extreme measure to take. The severity of the issue
> would not justify it.


Can you explain that please? The CVE says "Severity: Important" and the
effects are "a denial of service or possibly execution of arbitrary code by
preparing specially crafted documents in the HWP document format."

The fact we are unaware of current exploits does not mitigate the risk
arising from distributing the software, and the rarity of the file format
does not reduce the likelihood of it being used in an exploit. Maybe I am
missing some of the context from the private security list?

Thanks,

S.


Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

2015-04-29 Thread jan i
On 29 April 2015 at 15:07, Simon Phipps  wrote:

> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti 
> wrote:
>
> > Simon Phipps wrote:
> >
> >> Given this problem is not fixed in the current download, should the
> >> project
> >> suspend downloads until it can be addressed?
> >>
> >
> > This looks like a very extreme measure to take. The severity of the issue
> > would not justify it.
>
>
> Can you explain that please? The CVE says "Severity: Important" and the
> effects are "a denial of service or possibly execution of arbitrary code by
> preparing specially crafted documents in the HWP document format."
>
> The fact we are unaware of current exploits does not mitigate the risk
> arising from distributing the software, and the rarity of the file format
> does not reduce the likelihood of it being used in an exploit. Maybe I am
> missing some of the context from the private security list?
>
It seems to be an extremely seldom used feature, which makes the exploit
unlikely.

I am with Andrea: stopping downloads would not be right in this case.

rgds
jan I.


>
> Thanks,
>
> S.
>


Re: mingw32 for building the ODK under Linux?

2015-04-29 Thread Kay Schenk
On Wed, Apr 29, 2015 at 12:44 AM, Andrea Pescetti 
wrote:

> On 29/04/2015 Kay Schenk wrote:
>
>>   put it into external/unowinreg using your browser or a command
>> equivalent to:
>>   wget -O external/unowinreg/unowinreg.dll
>> http://www.openoffice.org/tools/unowinreg_prebuild/680/unowinreg.dll
>> Is this really needed for Linux builds of the ODK?
>>
>
> I wrote (actually updated) this error message. You can find all details at
> (issue from 2005)
> https://bz.apache.org/ooo/show_bug.cgi?id=49718
>
> As Juergen says there, "unowinreg.dll is packed into the SDK on all
> platforms and for that reason it is necessary to have the library in place".
>
> Regards,
>   Andrea.
>

Thanks. I had a feeling  this had come up before but I couldn't track it
down.

I will get the library I need and update the build instructions.



-- 
-
MzK

“What is the point of being alive if you don't
 at least  try to do something remarkable?”
   -- John Green, "An Abundance of Katherines"


Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

2015-04-29 Thread Marcus

On 04/29/2015 05:39 PM, jan i wrote:

> On 29 April 2015 at 15:07, Simon Phipps  wrote:
>
>> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti
>> wrote:
>>
>>> Simon Phipps wrote:
>>>
>>>> Given this problem is not fixed in the current download, should the
>>>> project
>>>> suspend downloads until it can be addressed?
>>>
>>> This looks like a very extreme measure to take. The severity of the issue
>>> would not justify it.
>>
>> Can you explain that please? The CVE says "Severity: Important" and the
>> effects are "a denial of service or possibly execution of arbitrary code by
>> preparing specially crafted documents in the HWP document format."
>>
>> The fact we are unaware of current exploits does not mitigate the risk
>> arising from distributing the software, and the rarity of the file format
>> does not reduce the likelihood of it being used in an exploit. Maybe I am
>> missing some of the context from the private security list?
>
> It seems to be an extremely seldom used feature, which makes the exploit
> unlikely.
>
> I am with Andrea: stopping downloads would not be right in this case.

+1. I also don't see this as a reason to stop offering downloads.

Marcus





Re: [DISCUSS] #2 Organization around Capacity/Accountability

2015-04-29 Thread Andrea Pescetti

On 17/03/2015 Dennis E. Hamilton wrote:

> The #2 from the list seems critical to everything else.
>> 2) Internal reorganization: people say what they are going to
>>    do to drive the project forward (so an "active" approach
>>    rather than the "I don't have time, but someone should..."
>>    approach which is not working). ...
> I mean that we provide an account for ourselves and what we are working on,
> and do not go invisible.


Sorry Dennis for keeping you waiting this long... Well, as that guy 
said, "I can give you my complete assurance that my work will be back to 
normal; I've still got the greatest enthusiasm and confidence in the 
mission".


Seriously, I see myself helping with localization related tasks in the 
future, since we have a good and active community there but a need to 
streamline some processes. That said, I also recognize the importance of 
releasing a new version of OpenOffice as soon as possible, so my primary 
focus in the next weeks will be, as time allows, on helping with shaping 
OpenOffice 4.1.2.


Regards,
  Andrea.




Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

2015-04-29 Thread jonathon
On 29/04/15 13:00, Andrea Pescetti wrote:
> issue would not justify it. As far as I know, there are no known
> exploits and we are talking about a file format that is obsolete by all

Is this vulnerability exploited only by opening a file in HWP format, or
can it be exploited by any file?


jonathon






Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution and DoS Vulnerability

2015-04-29 Thread Jürgen Schmidt
On 29/04/15 21:53, Marcus wrote:
> On 04/29/2015 05:39 PM, jan i wrote:
>> On 29 April 2015 at 15:07, Simon Phipps  wrote:
>>
>>> On Wed, Apr 29, 2015 at 2:00 PM, Andrea Pescetti
>>> wrote:
>>>
>>>> Simon Phipps wrote:
>>>>
>>>>> Given this problem is not fixed in the current download, should the
>>>>> project
>>>>> suspend downloads until it can be addressed?
>>>>>
>>>>
>>>> This looks like a very extreme measure to take. The severity of the
>>>> issue
>>>> would not justify it.
>>>
>>>
>>> Can you explain that please? The CVE says "Severity: Important" and the
>>> effects are "a denial of service or possibly execution of arbitrary
>>> code by
>>> preparing specially crafted documents in the HWP document format."
>>>
>>> The fact we are unaware of current exploits does not mitigate the risk
>>> arising from distributing the software, and the rarity of the file
>>> format
>>> does not reduce the likelihood of it being used in an exploit. Maybe
>>> I am
>>> missing some of the context from the private security list?
>>>
>> It seems to be an extremely seldom used feature, which makes the exploit
>> unlikely.
>>
>> I am with Andrea, stopping downloads would not be right in this case.
> 
> +1. I also don't see this as a reason to stop offering downloads.

Stopping the downloads is completely exaggerated. I personally have never
seen such a file besides test documents in real life. We have a
simple and effective workaround in place. Even Korean community members
on our l10n list have mentioned that the format is no longer relevant.

And of course we have analyzed the exploit and have decided to either
fix it for the next release or, as currently discussed, to drop it
completely to get rid of a further obsolete format.

Why don't I wonder from whom this idea is coming ;-) And Simon, to be
serious, we take security issues very seriously. So for everyone who wants
to write something about security in AOO: security issues were and still
are a serious and important topic for AOO, and we analyze and decide what
to do for every single security issue.

Juergen
