Gentoo Logo

OpenOffice.org: Temporary files disclosure

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200410-17 / openoffice
Release Date October 20, 2004
Latest Revision October 20, 2004: 01
Impact low
Exploitable local
Package Vulnerable versions Unaffected versions Architecture(s)
app-office/openoffice = 1.1.2 < 1.1.2, >= 1.1.3 All supported architectures
app-office/openoffice-bin = 1.1.2 < 1.1.2, >= 1.1.3 All supported architectures
app-office/openoffice-ximian = 1.1.60, = 1.1.61 < 1.1.60, >= 1.3.4 All supported architectures

Related bugreports: #63556

Synopsis

OpenOffice.org uses insecure temporary files which could allow a malicious local user to gain knowledge of sensitive information from other users' documents.

2.  Impact Information

Background

OpenOffice.org is an office productivity suite, including word processing, spreadsheets, presentations, drawings, data charting, formula editing, and file conversion facilities.

Description

On start-up, OpenOffice.org 1.1.2 creates a temporary directory with insecure permissions. When a document is saved, a compressed copy of it can be found in that directory.

Impact

A malicious local user could obtain the temporary files and thus read documents belonging to other users.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All affected OpenOffice.org users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv ">=app-office/openoffice-1.1.3"
# emerge ">=app-office/openoffice-1.1.3"

All affected OpenOffice.org binary users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge sync
# emerge -pv ">=app-office/openoffice-bin-1.1.3"
# emerge ">=app-office/openoffice-bin-1.1.3"

All affected OpenOffice.org Ximian users should upgrade to the latest version:

Code Listing 3.3: Resolution

# emerge sync
# emerge -pv ">=app-office/openoffice-ximian-1.3.4"
# emerge ">=app-office/openoffice-1.3.4"

4.  References



Print

Page updated October 20, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.