OpenOffice and Security
Hi all,
I don't see anywhere (or maybe I didn't look carefully) where you advise installing LibreOffice instead of OpenOffice for security reasons.
Because I don't see how you can assess the security of software that itself uses Python version 2, whose security has no longer been ensured since January 1, 2020.
I think it would be urgent to put a banner advising the use of LibreOffice instead of OpenOffice for security reasons.
Failure to do so could make you responsible for possible security issues due to the obsolescence of OpenOffice.
Last edited by psilocybe on Sun Aug 11, 2024 10:17 am, edited 2 times in total.
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
- MrProgrammer
- Moderator
- Posts: 5036
- Joined: Fri Jun 04, 2010 7:57 pm
- Location: Wisconsin, USA
Re: OpenOffice and Security
That concern is not present on MacOS. Apple removed Python 2 in MacOS 12.3 (March 2022). Parts of MacOS which formerly used it were rewritten to avoid Python. Apple does not supply Python 3 as part of MacOS. Someone with developer skills could install it. However, from a practical standpoint, in OpenOffice one cannot use Python scripts on any recent versions of MacOS.
macOS Monterey 12.3 Release Notes
This is a user-to-user forum. We are not connected with the Apache OpenOffice development team. The Survival guide explains how you can contact the project.
Mr. Programmer
AOO 4.1.7 Build 9800, MacOS 13.6.7, iMac Intel. The locale for any menus or Calc formulas in my posts is English (USA).
Re: OpenOffice and Security
If I scan the OpenOffice code with a tool like FluidAttacks, it finds 323 vulnerabilities in the OpenOffice code...
Details of vulnerabilities found:
─────────────────────────────────── Running ────────────────────────────────────
[WARNING] Although skims does not collect any sensitive information, if you do not want to send any data to our servers, set the `tracing_opt_out` key to `True` in your configuration file
[INFO] Official documentation: https://help.fluidattacks.com/portal/en/kb/find-security-vulnerabilities/use-the-cli
[INFO] Namespace: openoffice
[WARNING] Unable to find commit HEAD on analyzed directory
[INFO] Startup work dir is: /working-dir
[INFO] Moving work dir to: /working-dir
[INFO] Running SCA analysis on 1610 paths
[INFO] Downloading advisory database
[INFO] SCA analysis completed!
[INFO] Starting SAST analysis
[INFO] Performing basic SAST analysis on 2239 paths
[INFO] Basic SAST analysis completed!
[INFO] Performing advanced SAST analysis on 4047 paths
[INFO] Advanced SAST analysis completed!
[INFO] Analyzing unverifiable and non-upgradable paths
[INFO] SAST analysis completed!
[INFO] Analysis finished, writing results
[INFO] An output file has been written: /working-dir/Fluid-Attacks-Results.csv
[INFO] Summary: 323 vulnerabilities were found in your targets.
MrProgrammer wrote: Sat Aug 10, 2024 9:21 pm This is a user-to-user forum. We are not connected with the Apache OpenOffice development team.
This does not prevent you from advising users to use LibreOffice instead of OpenOffice for security reasons.
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
- MrProgrammer
- Moderator
- Posts: 5036
- Joined: Fri Jun 04, 2010 7:57 pm
- Location: Wisconsin, USA
Re: OpenOffice and Python security
This is not a developers' forum, so they won't see that. The Survival guide explains how you can contact the project.
Mr. Programmer
AOO 4.1.7 Build 9800, MacOS 13.6.7, iMac Intel. The locale for any menus or Calc formulas in my posts is English (USA).
Re: OpenOffice and Security
MrProgrammer wrote: Sun Aug 11, 2024 2:23 am This is not a developers' forum, so they won't see that. The Survival guide explains how you can contact the project.
Contacting the site will not help (look at my request that is over a year old and still unanswered... and look who opened it and on what date?).
On the other hand, in the absence of publication of a security report on the OpenOffice code, as one can easily find for LibreOffice, one can only admit that the OpenOffice code is NOT SECURE. Wanting to make believe otherwise would be misleading your users.
Now that you are aware, you can no longer say that you did not know.
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
- Hagar Delest
- Moderator
- Posts: 32762
- Joined: Sun Oct 07, 2007 9:07 pm
- Location: France
Re: OpenOffice and Security
Again, they are not "our" users. We are volunteers, whose forum is located on the Apache servers, that's all.
LibreOffice 24.2 on Xubuntu 24.04 and 7.6.4.1 portable on Windows 10
Re: OpenOffice and Security
Hagar Delest wrote: Sun Aug 11, 2024 9:26 pm Again, there are not "our" users. We are volunteers, whose forum is located on the Apache servers, that's all.
Regardless of the users and regardless of the server that hosts you, you cannot pretend that two pieces of software with more than 6,100,000 lines of code are equal in terms of security when only one submits its code to a code security verification tool and the other does nothing for the security of its code.
Being a volunteer does not exempt you from providing sound advice. This is exactly what I am trying to make you understand...
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
- Hagar Delest
- Moderator
- Posts: 32762
- Joined: Sun Oct 07, 2007 9:07 pm
- Location: France
Re: OpenOffice and Security
Well, 4 years after the EOL of Python 2, it would be strange to suddenly put a banner for that.
If any serious issue was to be feared, I hope that the AOO team would have said something.
Anyway, no code ever is secured at all. The risk comes with the use of applications.
You have made the warning in the forum, fine with that. But the point is that we are not responsible for anything unlike what you said in your first post.
LibreOffice 24.2 on Xubuntu 24.04 and 7.6.4.1 portable on Windows 10
Re: OpenOffice and Security
____________
DiGro
AOO 4.1.15 (Dutch) on Windows 11. Scanned with Ziggo Safe Online (F-Secure)
Re: OpenOffice and Security
Hagar Delest wrote: Mon Aug 12, 2024 8:11 am Well, 4 years after the EOL of Python 2, it would be strange to suddenly put a banner for that.
The most serious thing is apparently OpenOffice has done nothing for its CASA certification.
This is not a scan report on the security of the OpenOffice code but only the correction of security flaws. Where is the tool that can detect security flaws?
Facts:
Today, all the software you install on your computers has a CASA certification, or has set up the infrastructure to pass this certification:
- With each addition, modification of the software code, this certification requires you to publish a report on the security of the code and the libraries used.
- The new code can only be published if the report is free of any security alerts.
But how do they do it at OpenOffice with their CASA certification and the Python 2 kernel which has not been certified since 2020?
The answer:
Well, it's very simple: they don't have a CASA certification (at least not a security report).
Treating LibreOffice and OpenOffice equally in terms of security would be like saying that CASA certification is bullsheet.
I don't really agree.
Last edited by psilocybe on Mon Aug 12, 2024 1:39 pm, edited 1 time in total.
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
- Hagar Delest
- Moderator
- Posts: 32762
- Joined: Sun Oct 07, 2007 9:07 pm
- Location: France
Re: OpenOffice and Security
You are absolutely entitled not to.
But this is a forum, no more, no less.
(Last post in this topic.)
LibreOffice 24.2 on Xubuntu 24.04 and 7.6.4.1 portable on Windows 10
-
- Posts: 5
- Joined: Wed Mar 25, 2015 2:21 pm
Re: OpenOffice and Security
Wow, didn't know about OpenOffice's security concerns, especially with Python 2. Good to know about CASA certification and code security verification. Maybe it's time to consider LibreOffice?
Apache Open-office 4.1.1 on Windows 8.1
- LastUnicorn
- Posts: 631
- Joined: Sat Mar 29, 2008 2:41 am
- Location: Scotland
Re: OpenOffice and Security
@RogoWarrior69, To help in your consideration: There are several other good reasons for making the switch anyway, some of which are mentioned here: [Tutorial] Considering a Switch from OpenOffice to LibreOffice? Some Useful Information
LibreOffice (Still) 24.2.5.2 (x64) installed to Windows 10 Pro x64 and Windows 11 Pro x64
Apache OpenOffice Portable 4.1.15 [Portable Apps]
For Java I use Adoptium Temurin JRE LTS Releases.
Re: OpenOffice and Security
@RogoWarrior69 this is hardly a surprise, is it? There have been continuous debates on OO vs LO. LO has had between 10-50 full-time developers (estimation) in the past decade since splitting from OO, so a quick estimation is that one needs at least 100-500 man-years of work to even get up to par with LO… that shows in security, features and compatibility. I’m not even counting the free-time contributors here as that’s hard to express in man-years of work, but I think you get the point. Then, even LO is -far- from finished as a project, but has built a good foundation for expanding to things like WebAssembly, Online and Mobile solutions. Anyone comparing OO to LO and saying “it’s almost the same” and that they are interchangeable is sticking their head in the sand.
LibreOffice 24.2.5 on Win11 and Linux (mostly openSUSE Tumbleweed), Collabora Office App on IOS and Android, Collabora Office Online (CODE) with Nextcloud (Office)