- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200410-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: OpenOffice.org: Temporary files disclosure Date: October 20, 2004 Bugs: #63556 ID: 200410-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== OpenOffice.org uses insecure temporary files which could allow a malicious local user to gain knowledge of sensitive information from other users' documents. Background ========== OpenOffice.org is an office productivity suite, including word processing, spreadsheets, presentations, drawings, data charting, formula editing, and file conversion facilities. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-office/openoffice == 1.1.2 < 1.1.2 >= 1.1.3 2 app-office/openoffice-bin == 1.1.2 < 1.1.2 >= 1.1.3 3 app-office/openoffice-ximian == 1.1.60 < 1.1.60 == 1.1.61 >= 1.3.4 ------------------------------------------------------------------- 3 affected packages on all of their supported architectures. ------------------------------------------------------------------- Description =========== On start-up, OpenOffice.org 1.1.2 creates a temporary directory with insecure permissions. When a document is saved, a compressed copy of it can be found in that directory. Impact ====== A malicious local user could obtain the temporary files and thus read documents belonging to other users. Workaround ========== There is no known workaround at this time. Resolution ========== All affected OpenOffice.org users should upgrade to the latest version: # emerge sync # emerge -pv ">=app-office/openoffice-1.1.3" # emerge ">=app-office/openoffice-1.1.3" All affected OpenOffice.org binary users should upgrade to the latest version: # emerge sync # emerge -pv ">=app-office/openoffice-bin-1.1.3" # emerge ">=app-office/openoffice-bin-1.1.3" All affected OpenOffice.org Ximian users should upgrade to the latest version: # emerge sync # emerge -pv ">=app-office/openoffice-ximian-1.3.4" # emerge ">=app-office/openoffice-1.3.4" References ========== [ 1 ] CAN-2004-0752 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0752 [ 2 ] OpenOffice.org Issue 33357 http://www.openoffice.org/issues/show_bug.cgi?id=33357 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200410-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/1.0