Whatever the next release is, you can expect to see any disclosures and advisories related to that distribution at that time and not before. Since you are following please notice that there is work at a streamlined 4.1.3 maintenance release. You can find the ASF policies and practices with regard to security reports at and pages linked from there.
There is a private and discrete coverage of security matters, the same as for all projects at the ASF and elsewhere. Lately, if you have followed the list for the project, you'll find that Jim is working on the MacOSX build process. There are many ways to contribute to an Apache project, and having made code commits is one of them. 'Most of the code changes for OpenOffice 4.1.2 have already been integrated.
If you look him up on the Apache Phonebook, you'll see he is highly active across a wide variety of ASF areas. The Apache OpenOffice blog promises that the 4.1.2 release is coming soon. “This demonstrates the importance of sanity-checking automated static analysis tools if your tools don’t know the code exists, it can’t find those vulnerabilities,” explains Lim.In fact Jim Jagielski is a committer on the Apache OpenOffice project and a member of the project's Project Management Committee. “This begged the question: why did no one discover this bug earlier? As an open-source program, OpenOffice would undoubtedly have been automatically scanned by various static code analysers, which would have easily picked up the unsafe memcpy,” writes Lim.Ī little research led him to the code analysis platform that runs tests on open source projects, which has tagged AOO as a Python (opens in new tab) and JavaScript (opens in new tab) project, and not as a C++, leading to the scanner missing the vulnerability. In a technical blog (opens in new tab) sharing details about the vulnerability, Lim explains how he was able to find the RCE bug in DBF without too much effort. A quick search led him to the dBase database file (DBF) format, which was created over four decades ago, but is still used as a data storage mechanism by modern apps such as Microsoft Office, LibreOffice, and AOO. Instead of focussing on a particular software, Lim was advised to direct his attention on file formats.
0 kommentar(er)
