Apache OpenOffice (AOO) Bugzilla – Issue 75734
Get rid of nas completely (security issues fixed in nas 1.8b)
Last modified: 2007-09-23 12:35:15 UTC
http://freshmeat.net/projects/nas/?branch_id=13568?release_id=250259
I don't know yet whether those fixes also apply to the internal nas 1.6 we ship in the tree. Only info AFAIS is from the homepage:
--- snip ---
3/25/2007 NAS 1.8b (devel) is now available. See HISTORY for details. This version includes some device open fixes, as well as fixes for several denial of service vulnerabilities.
--- snip ---
according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416038 our at least 1.7 - shipped in Debian stable -- is also affected (maybe then the even older 1.6, too?) The changelog for the sid update says some details:
nas (1.8-4) unstable; urgency=high
.
  * High-urgency upload to fix multiple security holes (CVE-2007-1543, CVE-2007-1544, CVE-2007-1545, CVE-2007-1546 and CVE-2007-1547):
    + accept_att_local buffer overflow through USL connection
    + server termination through unexistent ID in AddResource
    + bcopy crash caused by integer overflow in ProcAuWriteElement
    + invalid memory pointer caused by big num_actions in ProcAuSetElements
    + another invalid memory pointer caused by big num_actions in ProcAuSetElements
    + invalid memory pointer in compileInputs
    + exploits bug 3 in read mode (requires something playing on the server)
    + NULL pointer caused by too much connections
    + Closes: #416038
we should remove nas completely, I think none is using it.
probably. but in the meanwhile we should fix it, shouldn't we? Or should we release 2.2.0 with this included? :) Anyway, the interdiff between Debian's 1.8-3 and 1.8-4 applies to our 1.6. Attached is the patch.
probably. but in the meanwhile we should fix it, shouldn't we? Or should we release 2.2.0 with this included? :) Or remove nas in a rc? :) Anyway, the interdiff between Debian's 1.8-3 and 1.8-4 applies to our 1.6. Attached is the patch.
(sorry for the double posting, hit submit too early)
Created attachment 43947: patch
as cloph rightly pointed out (doh, why didn't I notice) the server-only is affected...
Yes, get rid of nas completely. Nas works only where OOo uses its own sound-playing stuff. And the only place I know that does play sound by itself is the preview button in the file-selection dialog for sound-effects. Yes, a "play" button in a file-dialog (and only in OOo's own dialog, the gtk-dialog doesn't have that button). That's all. All other places I know ignore nas completely and rely on the JMF. See http://www.mail-archive.com/dev@gsl.openoffice.org/msg00421.html and follow-ups for details.
@pl, do you agree on removing nas?
mh: yes I do and I think cmc already has a CWS for that (or planned to), yes?
yup, just waiting until I come back from holidays to push the workspace through
*** This issue has been marked as a duplicate of 81172 ***
close as dup