<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>CVE-2021-28129</title> </head> <body> <p> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-28129">CVE-2021-28129</a> </p> <p> <a href="https://www.openoffice.org/security/cves/CVE-2021-28129.html">Apache OpenOffice Advisory</a> </p> <p style="text-align:center; font-size:largest"> <strong>CVE-2021-28129 DEB packaging for Apache OpenOffice 4.1.8 installed with a non-root userid and groupid</strong> </p> <p style="text-align:center; font-size:larger"> <strong>Fixed in Apache OpenOffice 4.1.11</strong> </p> <p> <strong>Description</strong> </p> <p> While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group if they exist. </p> <p> <strong>Severity: Moderate</strong> </p> <p> There are no known exploits of this vulnerability. <br /> A proof-of-concept demonstration exists. </p> <p> Thanks to the reporter for discovering this issue. </p> <p> <strong>Vendor: The Apache Software Foundation</strong> </p> <p> <strong>Versions Affected</strong> </p> <p> All Apache OpenOffice versions 4.1.10 and older are affected. <br /> OpenOffice.org versions may also be affected. </p> <p> <strong>Mitigation</strong> </p> <p> Install Apache OpenOffice 4.1.11 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice <a href="https://www.openoffice.org/download/"> download page</a>. </p> <p> <strong>Acknowledgments</strong> </p> <p> The Apache OpenOffice Security Team thanks for pointing to this issue. </p> <p> <strong>Further Information</strong> </p> <p> For additional information and assistance, consult the <a href="https://forum.openoffice.org/">Apache OpenOffice Community Forums</a> or make requests to the <a href="mailto:users@openoffice.apache.org">users@openoffice.apache.org</a> public mailing list. </p> <p> The latest information on Apache OpenOffice security bulletins can be found at the <a href="https://www.openoffice.org/security/bulletin.html">Bulletin Archive page</a>. </p> <hr /> <p> <a href="https://security.openoffice.org">Security Home</a>-&gt; <a href="https://www.openoffice.org/security/bulletin.html">Bulletin</a>-&gt; <a href="https://www.openoffice.org/security/cves/CVE-2021-28129.html">CVE-2021-28129</a> </p> </body> </html>