CVE-2012-0037
OpenOffice.org data leakage vulnerability
- OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
- Earlier versions may be also affected.
- For Windows installs (MD5) (SHA1)
- For MacOS installs (MD5) (SHA1)
- Linux and other platforms should consult their distro or OS vendor for patch instructions.
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Description:
Description: An XML External Entity (XXE) attack is possible in the above versions of OpenOffice.org. This vulnerability exploits the way in which external entities are processed in certain XML components of ODF documents. By crafting an external entity to refer to other local file system resources, an attacker would be able to inject contents of other locally- accessible files into the ODF document, without the user's knowledge or permission. Data leakage then becomes possible when that document is later distributed to other parties.
Mitigation
OpenOffice.org 3.3.0 and 3.4 beta users can patch their installation with the following patches. Download, unzip and follow the instructions in the enclosed readme.pdf file.
This vulnerability is also fixed in Apache OpenOffice 3.4 dev snapshots since March 1st, 2012.
Verifying the Integrity of Downloaded Files
We have provided MD5 and SHA1 hashes of these patches, as well as a detached digital signature, for those who wish to verify the integrity of these files.
The MD5 and SHA1 hashes can be verified using Unix tools like sha1, sha1sum or md5sum.
The PGP signatures can be verified using PGP or GPG. First download the KEYS file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows:
% pgpk -a KEYS
or
% pgpv CVE-2012-0037-{win|mac}.zip.asc
% pgp -ka KEYS
or
% pgp CVE-2012-0037-{win|mac}.zip.asc
% gpg --import KEYS
% gpg --verify CVE-2012-0037-{win|mac}.zip.asc
Source and Building
Information on obtaining the source code for this patch, and for porting it or adapting it to OpenOffice.org derivatives can be found here.
Credit:
The Apache OpenOffice project acknowledges and thanks the discoverer of this issue, Timothy D. Morgan of Virtual Security Research, LLC.