LibreOffice patches malicious code-execution bug, Apache OpenOffice – wait for it, wait for it – doesn't

Found on The Register on Wednesday, 06 February 2019
When Inführ published on February 1, in conjunction with the LibreOffice fix notification, OpenOffice still had not been patched. He says he reconfirmed that he could go ahead with disclosure even though OpenOffice 4.16 has yet to be fixed.

His proof-of-concept exploit doesn't work with OpenOffice out of the box, because the software doesn't allow parameters to be passed in the same way the unpatched version of LibreOffice did. However, he says the path traversal issue can still be abused to execute a local Python file and cause further mischief and damage.
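The defender-side counterpart to the traversal issue described above, as an added example that is not code from The Register article or from either office suite: a macro loader should resolve a script name taken from a document against the trusted scripts directory and refuse anything that escapes it. The directory layout and script names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


class ScriptPathError(ValueError):
    """Raised when a requested macro name would leave the scripts directory."""


def resolve_script(scripts_root, requested):
    """Map a script name from an untrusted document to a file under scripts_root.
    Rejects absolute names, '..' parts and non-.py files; the containment check
    runs on the resolved path, so a symlink pointing outside is rejected too."""
    root = Path(scripts_root).resolve()
    if not requested or os.path.isabs(requested):
        raise ScriptPathError("empty or absolute script name: %r" % requested)
    if ".." in Path(requested).parts:
        raise ScriptPathError("traversal in script name: %r" % requested)
    candidate = (root / requested).resolve()  # follows symlinks before checking
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ScriptPathError("escapes scripts directory: %r" % requested)
    if candidate.suffix != ".py":
        raise ScriptPathError("not a Python script: %r" % requested)
    return str(candidate)


def is_allowed(scripts_root, requested):
    """Boolean form of resolve_script, handy for logging rejected requests."""
    try:
        resolve_script(scripts_root, requested)
        return True
    except ScriptPathError:
        return False


def demo():
    """Build a constructed scripts tree and exercise the interesting cases."""
    base = Path(tempfile.mkdtemp())
    scripts, outside = base / "Scripts" / "python", base / "outside"
    scripts.mkdir(parents=True)
    outside.mkdir()
    (scripts / "report.py").write_text("print('ok')\n")
    (outside / "evil.py").write_text("print('must never run')\n")
    results = {"plain": is_allowed(scripts, "report.py"),
               "dotdot": is_allowed(scripts, "../../outside/evil.py")}
    try:  # symlink escape; skipped on platforms that cannot create symlinks
        (scripts / "link.py").symlink_to(outside / "evil.py")
        results["symlink"] = is_allowed(scripts, "link.py")
    except OSError:
        pass
    return results
```

Logging every ScriptPathError with the offending name gives a cheap detection signal for documents probing the macro loader.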

Oracle does not have much interest in products it can't use to make money. Otherwise LibreOffice wouldn't have been forked.