Announcement

Collapse
No announcement yet.

Apache OpenOffice Vulnerable To One-Click Code Execution

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Originally posted by andyprough View Post

    I doubt the apache devs have much to do with it. From my recollection what happened was by 2011, all the active OOo developers had moved over to LO in order to save the code from Oracle, and the plan was to retire OOo as a project and fold it into the LO foundation. Oracle didn't really care, but RedHat flipped out because they were still selling millions of dollars of subscriptions with OOo as a headline feature. RedHat needed somewhere to dump the code and picked the Apache project (quite possibly along with a financial donation to the project to make the hosting of the project more appetizing, but who knows).

    I may be missing a few steps in the timeline but I think that's the basics.
    You got the basics entirely wrong. Red Hat had nothing whatsoever to do with Apache Openoffice.org. Red Hat was an early supporter of LibreOffice. The actual history of Apache Openoffice.org is summarized in https://en.wikipedia.org/wiki/Apache_OpenOffice#History

    Comment


    • #32
      Originally posted by andyprough View Post

      I doubt the apache devs have much to do with it. From my recollection what happened was by 2011, all the active OOo developers had moved over to LO in order to save the code from Oracle, and the plan was to retire OOo as a project and fold it into the LO foundation. Oracle didn't really care, but RedHat flipped out because they were still selling millions of dollars of subscriptions with OOo as a headline feature. RedHat needed somewhere to dump the code and picked the Apache project (quite possibly along with a financial donation to the project to make the hosting of the project more appetizing, but who knows).

      I may be missing a few steps in the timeline but I think that's the basics. Also I think IBM was involved behind the scenes, because they were selling some horrible cruft at the time called Lotus Symphony office suite that was based on OOo. I can't recall why RedHat and IBM were so intent on keeping the OOo code separate from the LO foundation and out from under the GPL, but I don't think it would be hard to guess at the reasons. Competition, money, contractual obligations.

      Anyway, it was all done with great fanfair and talk about how a great community was going to rise from the ashes and build OOo to new heights of brilliance, and of course that never happened nor was it ever apparently intended to happen. A small group of devs worked with the code over the years, progress was incredibly slow compared to LO, what progress that was made was mostly backported stuff from LO, IBM and RedHat quickly and quietly dumped their OOo related projects, and here we are.
      Thanks for the explanation!

      However, I disagree about Lotus Symphony: I loved that office suite! It had a very nice interface with all office apps into one window, so you could open up e.g. a word document and excel sheet in tabs within the same window. They also introduced a powerful sidebar through which you could do so much stuff. And that powerful sidebar kind of caught on as Calligra later copied that, at least in Words (haven't used any of the other Calligra apps).

      Comment


      • #33
        When did Libre Office fix this bug and why didn't anyone inform Open Office?

        Comment


        • #34
          Originally posted by RahulSundaram View Post

          You got the basics entirely wrong. Red Hat had nothing whatsoever to do with Apache Openoffice.org. Red Hat was an early supporter of LibreOffice. The actual history of Apache Openoffice.org is summarized in https://en.wikipedia.org/wiki/Apache_OpenOffice#History
          Looks like you are correct. I recall dealing directly with Rob Weir in a few chats about it, for some reason I recall him being with RedHat at the time, but it looks like he was with IBM. I'll edit my post to take out RedHat.

          Comment


          • #35
            Originally posted by andyprough View Post

            Looks like you are correct. I recall dealing directly with Rob Weir in a few chats about it, for some reason I recall him being with RedHat at the time, but it looks like he was with IBM. I'll edit my post to take out RedHat.
            Appreciate the correction. Oracle had contracts with IBM since IBM was using then StarOffice codebase in Symphony and wanted a permissively licensed codebase but atleast after IBM pulled funding for Apache Openoffice.org, Apache should followed their process to archive a dead project since they really don't have an active set of developers on that project anymore.

            https://attic.apache.org/

            Then they should have setup a redirect and donated the trademark to LibreOffice. Instead they are doing the very minimal possible effort to churn out some very minor bugfixes and security fixes and holding on the project long after it has reached an unhealthy state. This is dragging down the Apache foundation's otherwise solid reputation. Apache just doesn't any real understanding of dealing with desktop software.

            Comment


            • #36
              Dear Apache,

              Do NOT transfer the OpenOffice trademark to TDF and LO under any circumstances.

              Those vultures only want the name to boost their own recognition instead of truly trying to establish themselves as a separate and distinct identity like OnlyOffice, WPS Office and SoftMaker Office.

              Comment


              • #37
                Originally posted by Sonadow View Post
                Dear Apache,

                Do NOT transfer the OpenOffice trademark to TDF and LO under any circumstances.

                Those vultures only want the name to boost their own recognition instead of truly trying to establish themselves as a separate and distinct identity like OnlyOffice, WPS Office and SoftMaker Office.
                Let ignore the fact the majority of original OpenOffice team founded The Document Foundation and LibreOffice, a renamed Go OpenOffice containing patches and fixes rejected by SUN without the Clause Licensing Agreement where the company can change the licenses without the original contributors consent? Let avoid mentioning Oracle sacking the entire OpenOffice commintted who requested them to fulfill the promise by SUN.

                Apache using OpenOffice trademark on a dead and bit-rotten software without redirecting the domain to the rightful heir LibreOffice acted shamefully.

                Comment


                • #38
                  Originally posted by Alexmitter View Post

                  Not even is a systemd deamon, the binary was just named "systemd-deamon" to be less likely to be detected by layer 8 error containing system admins. Non of that code was ever in systemd, so no, your malware with the funny name is not part of this ubiquitous software.

                  "The association with systemd, a widely used system and session manager for Linux, may have been chosen by the malware authors to make the malicious code less likely to be noticed by administrators reviewing logs and process lists.""

                  Edit: it seems the anti-systemd movement as a whole drifts down into conspiracy land. I just yesterday learned that there are people who claim journald's binary log format is malware and that there is a NTP server included in the default setup is "calling home". Its not even funny anymore, its just sad.
                  The anti-systemd folks have been living in conspiracy land from day 0, but if this is the sort of "argument" they are now pushing, they must be getting really desperate.
                  Last edited by jacob; 05 May 2021, 01:27 AM.

                  Comment


                  • #39
                    Originally posted by andyprough View Post
                    You might. I don't.
                    You better double check, given the level of understanding of the issue you've shown...

                    Comment


                    • #40
                      Originally posted by jacob View Post

                      The anti-systemd folks have been living in conspiracy land from day 0, but if this is the sort of "argument" they are now pushing, they must be getting really desperate.
                      Yes it seems so, I remember the days when people had proper pro and counter arguments for systemd.

                      Now its somewhere between "lets pretend this completely unaffiliated malware that named itself "systemd-service to be not so easily spotted has something to do with the systemd project" or the "they hide my private information in the binary log to later send it home via the systemd NTP sync".

                      Comment

                      Working...
                      X