back to article Apache OpenOffice can be hijacked by malicious documents, fix still in beta

Apache OpenOffice (AOO) is currently vulnerable to a remote code execution vulnerability and while the app's source code has been patched, the fix has only been made available as beta software and awaits an official release. That means that most people running the open source office suite, which has been downloaded hundreds of …

  1. Forget It
    Meh

    and Libre Office?

    is it also affected?

    1. DrSunshine0104

      Re: and Libre Office?

      I am not an expert in C++ or familiar with LibreOffice code base but looks like a no to me. The code is about the same between OO and LO, but looks like the maintainers at LO patched out this issue at the beginning of 2020.

      https://github.com/LibreOffice/core/commit/aef7feb3e695ecf6d411f0777196dcc4281e201a

      https://github.com/LibreOffice/core/blob/47a8a65022e3fd7624c95d0341b4809aad11fddb/connectivity/source/drivers/dbase/DTable.cxx#L850

      1. Anonymous Coward
        Anonymous Coward

        Re: and Libre Office?

        A year ago? Is that related to Lim finding it? Did Libre notify OO? Out of sheer brotherly love?

    2. diodesign (Written by Reg staff) Silver badge

      Re: and Libre Office?

      LibreOffice isn't affected.

      C.

  2. beekir

    Remote Execution?

    The opening paragraph says this allows for remote code execution, but it appears that the problem is limited to the local machine.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Remote Execution?

      It's RCE as in: someone sends you a bad document. You open it wherever you are. That person has achieved remote code execution on your computer.

      C.

  3. Anonymous Coward
    Anonymous Coward

    LibreOffice

    The fact that anyone still uses AOO suggests that LibreOffice needs to up its marketing game.

    1. Anonymous Coward
      Unhappy

      Re: LibreOffice

      Their ongoing problem is their name. OpenOffice has traction among the great unwashed. Even among those of us who wash occasionally, it was probably the first FOSS office suite we installed.

      Inertia is a terrible thing.

      1. jgarbo
        Coat

        Re: LibreOffice

        Maybe call it "Patriot Office" for Texas. Sure winner...

        1. richdin

          Re: LibreOffice

          MAGAOffice (as opposed to MEGAOffice?)

          1. Anonymous Coward
            Anonymous Coward

            Re: LibreOffice

            MOOGA - Make Open Office Great Again :-)

            1. WolfFan

              Re: LibreOffice

              If you’re aiming for the Texas market, the proper cattle-like name would be Longhorn. Although that name might have negative connotations for some older IT staff.

              Git along, little doggies!

      2. Peter Gathercole Silver badge

        Re: LibreOffice

        Although it wasn't truly FOSS, but available under a permissive license for personal use, I first used Star Office, and that was even before Sun bought it and forked the completely free version.

    2. Charlie Clark Silver badge

      Re: LibreOffice

      While there has been lots of progress with LibreOffice, I find AOO has by far the better UI and, on MacOS at least, is more stable.

      Hopefully, at some point there'll be a grand merge.

      1. Anonymous Coward
        Anonymous Coward

        Re: LibreOffice

        You clearly haven't used LO on Mac recently. It's rock solid.

        1. Charlie Clark Silver badge

          Re: LibreOffice

          It's still fugly, though isn't it?

          1. Al fazed
            Alert

            Re: LibreOffice

            Fuggly and doesn't work properly here in the UK.

            I hate Libre Orifice wonks for forking development away from Apache Open Office.

            Now they are all shit and need fixing..........

            ALF

        2. Al fazed
          Stop

          Re: LibreOffice

          All I can say is that you must have really limited needs if functionality is rock solid.

          ALF

    3. Al fazed
      Trollface

      Re: LibreOffice

      The reason that I still use AOO is because Libre Office still doesn't work with my scanner from Canon !

      With Microsoft and Libre Orifice refusing the play nicely with printers .......... there isn't a lot of choice left is there ?

      Libre Orifice has other issues which have never been fixed and which I am fed up moaning about.

      They all need to get a fucking life.........

      ALF

  4. Kevin McMurtrie Silver badge
    Coat

    Kids these days

    When I was a kid, the size of structures changed all the time. Maybe you're writing library version 3.0 but you know somebody's going to compile against 1.0, 2.0, 4.0, etc. where the size of things has changed. Fields get added. Integers change size. You had to pay attention to size fields or your code crashed.

    Of course there was no Internet back then to provide instant updates. You typed in the hex code patches from a magazine because the planet was colder, bits were much heavier, and there were a million holders for disks on a desk but zero for carrying them through the snow of the constant California Bay Area blizzards. Nobody would even write a 161 MB word processor because, obviously, nobody was strong enough to carry that many bits in a backpack.

  5. Mike 137 Silver badge

    'tennnn-shun!

    " the .dbf file format can use one of two values in its header – fieldLength or fieldType – to determine the buffer size of a database record"

    Sounds like while coding someone failed to notice that a suitable variable had already been made available and duplicated it. There was a conceptually similar c*ckup by someone at MS a few years back, where someone created a function that required as a parameter a pointer to another function. Someone called the first function, passing a pointer to the pointer to the second function.

    Typically this comes down to rushing jobs without application of sufficient attention. I encounter it all the time when developers are working under pressure.

  6. Ian 55

    Making me feel old

    dBase II's DBF format can enable this? Coo.

    You'll be telling me I can send someone a WordStar 1.0 document and take over their supercomputer next.

    1. Brewster's Angle Grinder Silver badge

      Re: Making me feel old

      I ran into them recently with GIS data.

      .doc files still do brisk rounds and they're twenty-ish years out of date.

      Both are stable, because they're not being actively developed. And, in theory, the bugs have all been worked out the libraries handling them.

      1. W.S.Gosset Silver badge

        Re: Making me feel old

        Also, they're a very simple and sparse text markup language, in terms of file format, rather than a complex bundle of linked control structures or a noisy verbose angle-bracket-fest. Very simple to create and to parse, programmatically.

    2. Charlie Clark Silver badge

      Re: Making me feel old

      This kind of thing is still cropping up in image files…

  7. StrangerHereMyself Silver badge

    Defunct

    Why doesn't the Apache Foundation simply merge OpenOffice with LibreOffice? Is there some sort of contractual obligation between Apache and Oracle over the use of the trademark name which prohibits them from merging with LibreOffice?

    OpenOffice is dying a slow death, but still holds the more palatable name.

    1. petko

      Re: Defunct

      > Why doesn't the Apache Foundation simply merge OpenOffice with LibreOffice?

      LibreOffice is under control of the document foundation. So how should one merge single handed into the others realm? Both would need to agree on conditions pf a merge. Currently despite various tries there is no agreement. I think to both projects a merge is not the most important thing.

      > Is there some sort of contractual obligation between Apache and Oracle over the use of the trademark name which prohibits them from merging with LibreOffice?

      No. Oracle is out of the game for over 8 years. It is ridiculous that anyone believes that Oracle has any interest in any Office Product today. They need to earn money, and if you look at LibreOffice it is a really hard business. The competition is hard, really hard.

      1. StrangerHereMyself Silver badge

        Re: Defunct

        I believe you're wrong. IIRC has added contractual side-letters that the Apache Foundation doesn't merge with LibreOffice (or any other fork of OpenOffice).

        I also believe they still hold the actual OpenOffice trademarks, but have leased them to the Apache Foundation at no cost.

  8. Meeker Morgan

    So if I use OO for .xls .ods .doc .odt .rtf etc etc but never ever .dbf ...

    Then I'm OK at least for now?

    Full disclosire: Had OO since forever, have been seriously considering switching to Libre for a while.

    1. W.S.Gosset Silver badge

      Re: So if I use OO for .xls .ods .doc .odt .rtf etc etc but never ever .dbf ...

      I'd say it depends how OO determines filetype once the OS has invoked it with a file, and hence determines which code to parse the file with. If it's "dumb", it'll just look at the OS/FS filename extension ; if it's "smart", it'll ignore the filename and read the file contents to determine its type, then run the appropriate code.

      In the former case, you're correct.

      In the latter case, a dodgy.dbf could be renamed dodgy.xls and ... gotcha.

      1. Meeker Morgan

        Uh oh. Just did a test. Looks like it's "smart".

        Renamed a copy of an .xls as .doc.

        Clicked on it and it does the "right" thing.

        1. W.S.Gosset Silver badge

          Re: Uh oh. Just did a test. Looks like it's "smart".

          It bitches about it not being a .doc file? Which is the right thing to do re safety.

          Or does it open it as a spreadsheet? Which is the right thing to do re user-facilitation.

      2. Peter Gathercole Silver badge

        Re: So if I use OO for .xls .ods .doc .odt .rtf etc etc but never ever .dbf ...

        The whole concept of using the extension as anything more than a hint about how a file should be processed was broken from the beginning.

        I guess it dates back to 8 or 16 bit computers, when doing sanity checking of the format of a file cost significant amounts of code when memory space issues were really a thing.

        I get so annoyed when I move a file to a Windows system, and I have to actually rename a file, or jump through hoops just to get it opened in the application I want it opened in (particularly things like xml files where I want to open them using notepad or another plain text processor).

  9. keithpeter Silver badge
    Windows

    Beta builds windows only?

    Is this issue limited to Windows executables or does it affect Linux builds?

    Asking for a friend.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like