Package for OOo Security Bulletin 2006-06-29


Fri 30 June 2006 By nuxeo


OpenOffice.org 2.0.3 has been announced
as out !
(french version is expected in the coming hours)

This announcement provides a security
bulletin
dealing with 3 potential vulnerabilities detected by internal
security audits.

if you can not install this new 2.0.3 version for whatever reason, the
issue dealing with java applet can be countered as mentionned on the Java Applets,
CVE-2006-2199 dedicated page

(be carefull that other issues remain !!)

The solution proposed works great by deactivating java applets but is not
so easy to deploy at large scale or for regular users. So i used the OOo
Tools for what they are made for : The UNO Package concept that allow to
create great
extensions
but also
deploy configuration settings

So this addon reproduces what is proposed on the CVE page. It works for OOo
2.x as well as OOo 1.x

To deploy under OOo 2.x


  • Tools > Package Manager > add and select the zip file
    or


  • launch <OOoInstall>/program/unopkg <ZipFilePath>


To deploy under OOo 1.x


  • launch <OOoInstall>/program/pkgchk <ZipFilePath>


Note that running these command lines with the -s switch (for share) let
you deploy the addon for all your users

For testing that the patch has been applied correctly, you can insert an
applet (eg. the
JavaClock.class can be used for testing purpose) and see if it does not run.

You insert a java Applet though


  • Insert > Object > Applet


Once the patch applied, only a drawing with the name of the applet should be
displayed and the applet should not run anymore

This check also apply to already created document containing applets

(Post originally written by Laurent Godard on the old Nuxeo blogs.)


Category: Product & Development