OOo 3.0 - 3.3 (ODF 1.2) Security patch

[kingfisher]

I apologise if this has already been published here. A search did not turn it up.

A security patch has been made available for Windows and Mac versions of the software. The thread on the users' list begins with this message which does not render well in my browser at least, so I quote it here:

Please note, this is the official security bulletin, targeted for
security professionals. If you are an OpenOffice.org 3.3 user, and
are able to apply the mentioned patch, then you are encouraged to do
so. If someone else supports or manages your desktop, then please
forward this information to them.

Additional support is available on our Community Forums:

http://user.services.openoffice.org/

And via our ooo-users mailing list:

http://incubator.apache.org/openofficeo ... iling-list

Note: This security patch for OpenOffice.org is made available to
legacy OpenOffice.org users as a service by the Apache OpenOffice
Project Management Committee. The patch is made available under the
Apache License, and due to its importance, we are releasing it outside
of the standard release cycle.

-Rob

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-0037: OpenOffice.org data leakage vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.

Description: An XML External Entity (XXE) attack is possible in the
above versions of OpenOffice.org. This vulnerability exploits the way
in which external entities are processed in certain XML components of ODF
documents. By crafting an external entity to refer to other local
file system resources, an attacker would be able to inject contents of other
locally- accessible files into the ODF document, without the user's
knowledge or permission. Data leakage then becomes possible when that
document is later distributed to other parties.

Mitigation: OpenOffice.org 3.3.0 and 3.4 beta users should install the
patch at: http://www.openoffice.org/security/cves ... -0037.html

This vulnerability is also fixed in Apache OpenOffice 3.4 dev
snapshots since March 1st, 2012.

Source and Building: Information on obtaining the source code for this
patch, and for porting it or adapting it to OpenOffice.org derivatives
can be found here: http://www.openoffice.org/security/cves ... 37-src.txt

Credit: The Apache OpenOffice project acknowledges and thanks the
discoverer of this issue, Timothy D. Morgan of Virtual Security
Research, LLC.

References: http://security.openoffice.org

[Hagar Delest]

And here is a detailed analysis of the impact from Dennis E. Hamilton on March, 23rd (my emphasis for better readability):

Here is my personal assessment around the CVE-2012-003 that was announced concurrent with a patch release for OpenOffice 3.3.0 today.

First, the vulnerability is related to use of ODF 1.2 document format in a manner that causes information from the user's computer to be covertly accessed and captured inside the document when it is saved. (If it is not saved, there is no harm. If it is saved as ODF 1.0/1.1, there might also be no harm, although this case requires some testing to confirm.)

As was reported, it is relatively easy to craft an ODF 1.2 document that can exercise the exploit when opened by a vulnerable application.

THE EXTENT OF THE VULNERABILITY

LibreOffice reported CVE-2012-0037 today concurrent with the agreed lifting of the embargo.

My understanding is that later (since January) LO 3.4.x releases have the fix as do the LO 3.5.x releases and release candidates. Consult the LibreOffice.org site and blog for details.

All LibreOffice releases preceding those identified as repaired remain vulnerable.

The patched versions of OO.o 3.3.0 and Oracle OO.o-dev 3.4, are free of the vulnerability. The latest (since March 1) Apache OpenOffice developer previews are free of the vulnerability.

All previous OpenOffice.org releases back to OO.o 3.0 presumably have the vulnerability (since that was the start of claimed ODF 1.2 support). Any unpatched recent versions will continue to have the vulnerability until patched or replaced, of course.

OTHER RELEASES/PRODUCTS THAT DO NOT HAVE THE VULNERABILITY

Pre-3.0 versions of OO.o should not have the vulnerability.

Lotus Symphony has never had the vulnerability.

Microsoft Office 2007/2010 ODF support does not have the vulnerability. Microsoft Office converters from ODF to Office (as used with Office 2003, for example) do not have the vulnerability.

I suspect that documents containing the exploit can't pass through Google Docs, but I haven't tested it. I doubt that they are vulnerable though.

Some other supporters of ODF format have indicated that their products do not support the feature of ODF 1.2 format that is the carrier of the exploit. The suppliers of such products should be consulted directly for confirmation.

DOCUMENTS NOT HAVING THE EXPLOIT

Documents saved as ODF 1.0/1.1 should not preserve any exploit. That is a way to scrub suspicious documents and templates so long as any loss of fidelity is tolerable when going down-level and back.

Documents saved as .doc, .rtf, .docx, .xls, .xlsx, .ppt, .pptx, etc., and then brought back from those formats should not contain any exploit. This only works if any loss of fidelity is tolerable of course. Note that it is not necessary to have Microsoft Office. Using the converters that are part of OpenOffice.org, Apache OpenOffice, and LibreOffice is sufficient.

Saved HMTL documents will, likewise, be stripped of any exploit. Saved PDF documents will also be exploit-free so long as the form of PDF that preserves the original ODF document as an "attachment" is not used.

WHO IS VULNERABLE AND WHAT TO DO IF YOU THINK YOU ARE

The exploit requires that you open and use a document or template from an unreliable or unknown source (or that someone you do trust has managed to do this and sent the result to you). The captured material is no use if the resulting saved document is not returned to someone who knows to look for it. In some forms of the exploit, once information is captured, there are no further captures. However, the captured content can be passed on through subsequent revisions and recipients. That is, there may be perpetuation of covertly-captured residue.

Fortunately, the exploit involves a feature that is not required for the correct processing of most ODF documents (which is also why success of the exploit is easily unnoticed). So extinguishing the feature from a document, while heavy handed, rarely does any harm.

If you have any doubt concerning ODF documents in your possession, you can exercise some of the remedies in the previous section, involving saving the document in different formats and then re-opening it form those formats.

If you are unable to patch your system or want to ensure that documents you already have do not carry any exploit, you can also clean up the ODF package using a Zip utility. It is also possible to produce a utility that can automatically scrub most ODF packages of any potentially-suspect content.

- Dennis

Note that a patch seems to be under progress for GNU/Linux users, especially those who have installed the vanilla version (downloaded from the OOo website).

[floris v]

Never saw that. How come I missed this? I'll post about it in the Dutch forum though. Should this be broadcast as an important issue or is it safe in the general Discussions forum?

[Hagar Delest]

You're right, I've made it global.

[Talvi]

...as the Update feature doesn't work (at present) I assume that the easiest remedy is to: uninstall, clean traces, and reinstall - with latest version - is this right? If so from where do you recommend getting the appropriately patched version from?

How do I know if I am saving files to ODF 1.0/1.1 format? The save dialogue only shows "ODF Spreadsheet" for instance, with an alternative to save as "Spreadsheet 1.0" for instance.

If I know I have ODF 1.0/1.1 files on my machine how can I "scrub" them simply?

[Hagar Delest]

No, read the post, all 3.x versions are affected. Installing the latest version won't help.
The link to the page for the patch is given in the first post.

ODF version is mentioned in Tools>Options>Load Save>General.
ODF 1.0 and 1.1 are not affected.

[Talvi]

Thanks Hagar but ....
1. I had read the post thanks (see 2, 3 and 4 below).
2. My "version" is given as 3.3.0 000330m20 (Build 9567). "Versions" referred to in the post and comments are designated in the form x.x.x so the relevance of the later alphanumeric data is unclear. e.g. it would be inconceivable for a ver 3.3.9 000330m48 to contain the patch.
3. If applying the "patch" is easy/vital I assumed it would be available in the form of a "standard" download that would auto-install/auto-patch. (see 4 below) As a user it is irrelevant to me whether such a download is a full version of OOo or a "patch".
4. I found when I followed the links that (in FF) they only result in some text being displayed: "b7fa39b764e8a0d083d6be8398075147 *CVE-2012-0037-win.zip" That's it. No download. I didn't include this info with my original post as I assumed you folk would already know this.

Thanks for the link to the default saving option. It recommends saving as 1.2(extended) however I remain unclear if this should be changed, or whether files already saved need to be "scrubbed" which I assume means cleaned and not erased.

[Hagar Delest]

Sadly, there is no .exe delivered, so you've to open the zip file and apply the fix yourself. I agree, this is not user friendly.
ODF 1.2 is recommended because it's the latest version so the most up to date. But it's also the version that has the problem.

Personally, I don't send files to anyone so I haven't applied the patch. I'm waiting for AOO 3.4 (already using it at home with the dev version and it is already secure).

[PGAGA]

April 2, 2012

[Apologies to those who read this in an incomplete form - I hit the wrong key and posted early.]

2. My "version" is given as 3.3.0 000330m20 (Build 9567). "Versions" referred to in the post and comments are designated in the form x.x.x so the relevance of the later alphanumeric data is unclear. e.g. it would be inconceivable for a ver 3.3.9 000330m48 to contain the patch.

The x.x.x is what is relevant. Since this is a 2012 security announcement, it is not in any builds prior to the 3.4 release schedules in 2012.

Note this is not just a OOo issue, but applies to all programs using the ODF format.

3. If applying the "patch" is easy/vital I assumed it would be available in the form of a "standard" download that would auto-install/auto-patch. (see 4 below) As a user it is irrelevant to me whether such a download is a full version of OOo or a "patch".

Unfortunately, OOo is product which is no longer supported, so neither a full version nor a patch executable will be available unless someone such as myself were to build one (and I am rusty). Incremental patching was part of the commercial support version of OOo, Oracle Open Office, but I do not know if that was included in the code released to Apache.

But single file patching is simple. Hopefully I will turn what follows into a better FAQ.

Download and install muCommander. Once you have it running (and since you are using Win7, you may have to run as administrator), in the left pane, navigate to where your OOo is installed, something like:

C:\Program Files\OpenOffice.org 3\program\

In the right pane go to the folder where you downloaded the ZIP file (direct link below). Click on it to open it.

Now you will see four files on the right. I would suggest renaming unordfmi.dll on the left to unordfmi.dll.bak, then copy unordfmi.dll on the right to the program folder on the left.

4. I found when I followed the links that (in FF) they only result in some text being displayed: "b7fa39b764e8a0d083d6be8398075147 *CVE-2012-0037-win.zip" That's it. No download. I didn't include this info with my original post as I assumed you folk would already know this.

This is the direct link:

http://www.apache.org/dyn/closer.cgi/in ... 37-win.zip

Phil

[ScooterC]

First - I was surprised to find that the community forum was still here!

I joined (subscribed) to the new Apache List server (ooo-users@incubator.apache.org) because I thought this forum had been closed and there was no mention of it in any of the emails I read.

Non-subscribers who need help and hand holding should be directed to this community Forum. Where questions & Answers are available to the general public.
One very unhappy gentleman (computer illiterate) ranted something fierce, subject title "I HATE THIS PROGRAM", in regards to Open Office and this Patch. A discussion ensued in regards to the fact that he was not subscribed to the LIST and therefore would not receive the proper instructions to install this patch.
I have since deleted the entire discussion and can't redirect this gentleman. Rob Weir is the List Host, perhaps the in-the-know people could notify him of the situation.

Thanks & Take Care,
Scooter
College Park, MD USA

[floris v]

I saw part of that discussion (you can view it in the archives at markmail) and was struck by the tone of some of the comments. Apart from the topic title the original post was fairly matter of fact and not so bad-mouthed at all - we've seen worse here. Yet some of the regulars, who tend at times to flame the hell out of each other, reacted as if something really bad had been said.

[RoryOF]

An interesting shift is occurring in the Apache OpenOffice world. You may remember that when the migration of this Forum from Oracle to Apache servers was first mooted, the idea was not warmly accepted. Great opposition was expressed by some to the use of a Forum for User support - they thought all this should be done using mailing lists. But now that there are increasing support requests on the mailing lists, in addition to their normal traffic, thinking seems to be moving in favour of the Forum as a support service. We did try to tell them

[Talvi]

Thanks Holgar. Amazing Phil !! Thanks

ODF 1.2 is .. the version that has the problem.

So does the "scrubbing" ref means open/save in any (?) earlier file types?

I'm waiting for AOO 3.4

Unfortunately, OOo is product which is no longer supported

Ohhh nooooo! AOO = Apache Open Office? Having just been burned by connecting to the people at Nokia I am worried about my future with OO. Is there one? And is there a simple helicopter summary of what's occuring?

Since this is a 2012 security announcement, it is not in any builds prior to the 3.4 release schedules in 2012.

If it's not in any build prior to 3.4 then as mine is 3.3 ... I'm confused. Is that a typo?

But single file patching is simple. Download and install muCommander.

Great to hear! But ... b****r! I've fallen at the first fence ... err from where?

p.s. feedback on FAQ ... imho Phil your instructions re: looking for the files could be briefer? If we're able to install a patch, use OOo, etc, then we must be familiar with File manager etc. As there are different views in File Manager etc wouldn't it be cleaner to just name the folders and files concerned and leave basic navigation/views etc to users?

[Hagar Delest]

does the "scrubbing" ref means open/save in any (?) earlier file types?

Sorry I'm not sure I understand. Earlier version of ODF has not the problem. But it's usually better to use the latest version of a format. So fixing the bug is worth doing.

AOO = Apache Open Office? [...] I am worried about my future with OO. Is there one?

Yes, AOO is for Apache OpenOffice. The code base is OOo minus intellectual property cleaning to make it compatible with the Apache license. So don't worry, The continuation of OOo is AOO. You can try the dev version is you want (you can install it in parallel with the regular OOo version), you'll see that there is no visible change.

If it's not in any build prior to 3.4 then as mine is 3.3 ... I'm confused. Is that a typo?

PGAGA is talking about the fix, that is not in the pre-3.4 versions. So 3.0 to 3.3 are not secure.

[Talvi]

Thanks Hagar

does the "scrubbing" ref means open/save in any (?) earlier file types?

Sorry I'm not sure I understand.

I understand that ODF files in 1.2 format contain the "problem" whether or not a patch is applied to the program or a later program version eg 3.4 is used. I was asking if the way to deal with 1.2 format files was to open and save each to an earlier file type. (or if a batch process for instance was available to do this? Or..?)

Got it that using earlier file formats are considered better. Personally long ago I developed the habit, first with Office, of saving into earlier formats to ensure readability by people using earlier software versions. This avoids higher order bugs and the problems caused by general overcomplication of functionality and the different interpretations/display by different systems of the more "advanced" features etc etc. (I am a fundamentalist KISS believer - "Keep it simple! Stupid!") and am generally skeptical of the security rational (ab)used by software vendors to "upgrade" their products.

Is there any reason not to move across to AOO now? Is the current "dev version" that has been released the same as OOo? Or..?

Thanks for the clarification on Phil's post. In this area does the phrase "security bulletin" always mean not a bulletin but a fix ie is: "security bulletin", shorthand for: "updated installations of the software with the bug fixed" ..?

Can you answer the question about muCommander - where to get it?

[Hagar Delest]

I understand that ODF files in 1.2 format contain the "problem" whether or not a patch is applied to the program or a later program version eg 3.4 is used. I was asking if the way to deal with 1.2 format files was to open and save each to an earlier file type. (or if a batch process for instance was available to do this? Or..?)

No. My understanding is that ODF 1.2 allows the embedding of personal data inside ODF 1.2 documents (because of a feature specific to 1.2). But the action (embedding data in a document) is possible only with an additional code (you have to be attacked or infected) in an ODF 1.2 document. I guess that the patch prevents the use of the library used to embed the personal data, which may be an abnormal use of this library.

Moreover, you have to send the corrupted file to someone who is aware of the leakage and who knows how to get the data hidden in the file.

[Talvi]

Far out Hagar! Thanks, I will sleep easy now and, in my situation, upgrade when there's a version with the bug fixed ..... any reason NOT to move across to the dev version of AOO now??? It is the future after all...

[RoryOF]

Best wait a few days for the release version; some ancillaries, such as dictionaries, are currently being checked for compatibility.

[Talvi]

Thanks Rory I'll keep an eye out ....

[PGAGA]

April 3, 2012

MuCommander is found at mucommander.com. It is a java gui for file management. I like seeing what I am doing with file management, so use it.

Another option for installation of the patch would be a command line such as:

unzip CVE-2012-0037-win.zip "C:\Program Files\OpenOffice.org 3\program\"

You should be asked if you want to overwrite the file being replaced.

Phil

[Talvi]

D'Oh! Thanks Phil MuCommander sounds interesting. I find File Manager in Win7 a bit irritating.

[vidsag]

thank you for providing efficient office software and found more useful in comparision with MSOffice version in respect of flexibility of file formats.
Regarding OS many laptop/desktop computer manufacturers does not providing drivers for free os available in the market but the promenant OS marketers copying the features of free OS available in the market. ex. MSoffice2007 ribbon on menu bar rather than drop down menu.

[Newbie]

folks,

i have just become aware of this security issue with the v3.3 that you guys are talking about, btw thanks for sharing. i'm a first time user of this suit (which i love very much) but right now i'm at a loss not knowing what the heck to do.

i followed hagar's instructions and went to load/save, general....i've never been to this section before this.....which means i've been saving my documents with the default settings all this time and my default "save" setting is "ODF 1.2 Extended". from what i've gathered here, that means i'm right in the line of fire.

question is what do i do? uninstall and wait for the next version to come out? or is there a way for me to fix this? please advice.

[kingfisher]

Look at the message quoted in the first post. Go to the page linked and download the file/s for your system. Included in the download there is, I understand, a pdf file containing instructions on how to install the patch.

[Newbie]

yes kingfisher,

i did look at the first post, followed the link to the download pg. i actually downloaded the file and downloaded the signature file as well, but this is all just too much for me to handle.

i dont know that much about these things to get tangled up in this. it just sounds a bit too complicated for me.
.....download the patch then download something else to check the signature of the patch and if some key for the signature is missing then you have to go to somewhere else to download the key etc etc. i just don't think i'll be able to handle this successfully.

anybody knows when the new version will be out?

[acknak]

I'm guessing that you may not need to worry about it.

This is not the kind of security problem that opens your system to attack, like a virus or key logger. The worst that can happen here is that a file on your computer could be secretly sent out to someone else. That could be a really big problem, but the attack requires your participation: it's not effective at all unless you open a document that comes from someone you don't know (or trust) and send it back.

Note: that scenario could work by downloading a document from this forum, editing it, and uploading it here again!

If you only work with your own documents, that you create on your computer, you're completely safe, even without the patch.

[PGAGA]

April 16, 2012

i dont know that much about these things to get tangled up in this. it just sounds a bit too complicated for me.

Ok here is how I would do this (more correctly how I do it). Download and install mucommander from mucommander.com.

Once installed, open it as administrator (right click will give you this option). Do this if you installed OOo as administrator (you would have been asked for a password if you installed as administrator).

In the left pane, navigate to C:\Program Files\OpenOffice.org 3\program\. Since you are using Win7 it may be
C:\Program files(x86)\OpenOffice.org3\program.

In the right pane, navigate to where you downloaded CVE-2012-0037-win.zip. Double click on it and it will open the file. Select unordfmi.dll and then use the button to copy the file. You should be asked if you want to overwrite the file in the left pane. Hit yes and exit mucommander and you are updated.

If you want to be cautious you could rename the unordfmi.dll in the left pane before copying to back it up.

Phil

[Newbie]

somehow i know i can always count on you guys for help when it comes to issues pertaining to this great program. i do respect you all and most importantly, appreciate your help very much. glad to be a member of this community.

yes! i got updated.

acknak, thanks very much for those reassuring words. i was just about to do an uninstall but you managed to calm me down. thanks man.

phil, phil, phil.....aka pgaga.....buddy what can i tell you, except to say thank you, thank you, thank you. you made it all seem so easy. all i had to do was to go to mucommander's site and download the app, install it, follow your instructions.....which was very very well laid out.....and within a minuet or two i was updated.....how easier can it get.

thank you all again folks.

[zmotiwala]

We cannot upgrade the open office we ship with, becasue we have use a portable version. Is there an example of this odf scrub zip utility that hagar mentions?

Also does this affect ONLY .odt files?