OpenOffice.org: Temporary files disclosure — GLSA 200410-17

OpenOffice.org uses insecure temporary files which could allow a malicious local user to gain knowledge of sensitive information from other users' documents.

Affected Packages

app-office/openoffice on all architectures
Affected versions = 1.1.2
Unaffected versions < 1.1.2, >= 1.1.3
app-office/openoffice-bin on all architectures
Affected versions = 1.1.2
Unaffected versions < 1.1.2, >= 1.1.3
app-office/openoffice-ximian on all architectures
Affected versions = 1.1.60, = 1.1.61
Unaffected versions < 1.1.60, >= 1.3.4

Background

OpenOffice.org is an office productivity suite, including word processing, spreadsheets, presentations, drawings, data charting, formula editing, and file conversion facilities.

Description

On start-up, OpenOffice.org 1.1.2 creates a temporary directory with insecure permissions. When a document is saved, a compressed copy of it can be found in that directory.

Impact

A malicious local user could obtain the temporary files and thus read documents belonging to other users.

Workaround

There is no known workaround at this time.

Resolution

All affected OpenOffice.org users should upgrade to the latest version:

 # emerge sync

 # emerge -pv ">=app-office/openoffice-1.1.3"
 # emerge ">=app-office/openoffice-1.1.3"

All affected OpenOffice.org binary users should upgrade to the latest version:

 # emerge sync

 # emerge -pv ">=app-office/openoffice-bin-1.1.3"
 # emerge ">=app-office/openoffice-bin-1.1.3"

All affected OpenOffice.org Ximian users should upgrade to the latest version:

 # emerge sync

 # emerge -pv ">=app-office/openoffice-ximian-1.3.4"
 # emerge ">=app-office/openoffice-1.3.4"

References

Release Date
October 20, 2004

Latest Revision
October 20, 2004: 01

Severity
low

Exploitable
local

Bugzilla entries