OpenOffice and Security

psilocybe
Posts: 116
Joined: Thu Jun 15, 2017 5:33 am

OpenOffice and Security

Post by psilocybe »

Hi all,

I don't see anywhere (or maybe I didn't look carefully) where you advise to install LibreOffice instead of OpenOffice for security reasons.

Because I don't see how you can assess the security of a software that itself uses Python version 2, whose security is no longer ensured since January 1, 2020.

I think it would be urgent to put a banner advising the use of LibreOffice instead of OpenOffice for security reasons.

Failure to do so could make you responsible for possible security issues due to the obsolescence of OpenOffice.
Last edited by psilocybe on Sun Aug 11, 2024 10:17 am, edited 2 times in total.
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
MrProgrammer
Moderator
Posts: 5036
Joined: Fri Jun 04, 2010 7:57 pm
Location: Wisconsin, USA

Re: OpenOffice and Security

Post by MrProgrammer »

psilocybe wrote: Sat Aug 10, 2024 2:02 pm I don't see how you can assess the security of a software that itself uses Python version 2
That concern is not present on MacOS. Apple removed Python 2 in MacOS 12.3 (March 2022). Parts of MacOS which formerly used it were rewritten to avoid Python. Apple does not supply Python 3 as part of MacOS. Someone with developer skills could install it. However, from a practical standpoint, in OpenOffice one cannot use Python scripts on any recent versions of MacOS.
macOS Monterey 12.3 Release Notes

psilocybe wrote: Sat Aug 10, 2024 2:02 pm Failure to do so could make you responsible for possible security issues due to the obsolescence of OpenOffice.
This is a user-to-user forum. We are not connected with the Apache OpenOffice development team. The Survival guide explains how you can contact the project.
Mr. Programmer
AOO 4.1.7 Build 9800, MacOS 13.6.7, iMac Intel.   The locale for any menus or Calc formulas in my posts is English (USA).
psilocybe
Posts: 116
Joined: Thu Jun 15, 2017 5:33 am

Re: OpenOffice and Security

Post by psilocybe »

If I scan the OpenOffice code with a tool like FluidAttacks, it finds 323 vulnerabilities in the OpenOffice code... :ouch:

─────────────────────────────────── Running ────────────────────────────────────

[WARNING] Although skims does not collect any sensitive information, if you do not want to send any data to our servers, set the `tracing_opt_out` key to `True` in your configuration file
[INFO] Official documentation: https://help.fluidattacks.com/portal/en/kb/find-security-vulnerabilities/use-the-cli
[INFO] Namespace: openoffice
[WARNING] Unable to find commit HEAD on analyzed directory
[INFO] Startup work dir is: /working-dir
[INFO] Moving work dir to: /working-dir
[INFO] Running SCA analysis on 1610 paths
[INFO] Downloading advisory database
[INFO] SCA analysis completed!
[INFO] Starting SAST analysis
[INFO] Performing basic SAST analysis on 2239 paths
[INFO] Basic SAST analysis completed!
[INFO] Performing advanced SAST analysis on 4047 paths
[INFO] Advanced SAST analysis completed!
[INFO] Analyzing unverifiable and non-upgradable paths
[INFO] SAST analysis completed!
[INFO] Analysis finished, writing results
[INFO] An output file has been written: /working-dir/Fluid-Attacks-Results.csv
[INFO] Summary: 323 vulnerabilities were found in your targets.
Details of vulnerabilities found:
Fluid-Attacks-Results.csv.zip
(43.01 KiB) Downloaded 52 times
MrProgrammer wrote: Sat Aug 10, 2024 9:21 pm This is a user-to-user forum. We are not connected with the Apache OpenOffice development team.
This does not prevent you from advising users to use LibreOffice instead of OpenOffice for security reasons.
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
MrProgrammer
Moderator
Posts: 5036
Joined: Fri Jun 04, 2010 7:57 pm
Location: Wisconsin, USA

Re: OpenOffice and Python security

Post by MrProgrammer »

psilocybe wrote: Sun Aug 11, 2024 12:39 am Details of vulnerabilities found
This is not a developers' forum, so they won't see that. The Survival guide explains how you can contact the project.
Mr. Programmer
AOO 4.1.7 Build 9800, MacOS 13.6.7, iMac Intel.   The locale for any menus or Calc formulas in my posts is English (USA).
psilocybe
Posts: 116
Joined: Thu Jun 15, 2017 5:33 am

Re: OpenOffice and Security

Post by psilocybe »

MrProgrammer wrote: Sun Aug 11, 2024 2:23 am This is not a developers' forum, so they won't see that. The Survival guide explains how you can contact the project.
Contacting the site will not help (look at my request that is over a year old and still unanswered... and look who opened it and on what date?).
On the other hand, in the absence of publication of a security report on the OpenOffice code, as one can easily find for LibreOffice, one can only admit that the OpenOffice code is NOT SECURE. Wanting to make believe otherwise would be misleading your users.
Now that you are aware, you can no longer say that you did not know.
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
Hagar Delest
Moderator
Posts: 32762
Joined: Sun Oct 07, 2007 9:07 pm
Location: France

Re: OpenOffice and Security

Post by Hagar Delest »

psilocybe wrote: Sun Aug 11, 2024 10:10 am Wanting to make believe otherwise would be misleading your users.
Now that you are aware, you can no longer say that you did not know.
Again, there are not "our" users. We are volunteers, whose forum is located on the Apache servers, that's all.
LibreOffice 24.2 on Xubuntu 24.04 and 7.6.4.1 portable on Windows 10
psilocybe
Posts: 116
Joined: Thu Jun 15, 2017 5:33 am

Re: OpenOffice and Security

Post by psilocybe »

Hagar Delest wrote: Sun Aug 11, 2024 9:26 pm Again, there are not "our" users. We are volunteers, whose forum is located on the Apache servers, that's all.
Regardless of the users and regardless of the server that hosts you, you cannot pretend that two pieces of software with more than 6,100,000 lines of code are equal in terms of security when only one submits its code to a code security verification tool and the other does nothing for the security of its code.

Being a volunteer does not exempt you from providing sound advice. This is exactly what I am trying to make you understand....
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
Hagar Delest
Moderator
Posts: 32762
Joined: Sun Oct 07, 2007 9:07 pm
Location: France

Re: OpenOffice and Security

Post by Hagar Delest »

Well, 4 years after the EOL of Python 2, it would be strange to suddenly put a banner for that.
If any serious issue was to be feared, I hope that the AOO team would have said something.
Anyway, no code ever is secured at all. The risk comes with the use of applications.
You have made the warning in the forum, fine with that. But the point is that we are not responsible for anything unlike what you said in your first post.
LibreOffice 24.2 on Xubuntu 24.04 and 7.6.4.1 portable on Windows 10
DiGro
Posts: 186
Joined: Mon Oct 08, 2007 1:31 am
Location: Hoorn NH, The Netherlands

Re: OpenOffice and Security

Post by DiGro »

____________
DiGro

AOO 4.1.15 (Dutch) on Windows 11. Scanned with Ziggo Safe Online (F-Secure)
psilocybe
Posts: 116
Joined: Thu Jun 15, 2017 5:33 am

Re: OpenOffice and Security

Post by psilocybe »

Hagar Delest wrote: Mon Aug 12, 2024 8:11 am Well, 4 years after the EOL of Python 2, it would be strange to suddenly put a banner for that.
The most serious thing is apparently OpenOffice has done nothing for its CASA certification.
This is not a scan report on the security of the OpenOffice code but only the correction of security flaws. Where is the tool that can detect security flaws?

Facts:
Today, all the software you install on your computers has a CASA certification, or has set up the infrastructure to pass this certification:
  • With each addition, modification of the software code, this certification requires you to publish a report on the security of the code and the libraries used.
  • The new code can only be published if the report is free of any security alerts.
The killer question:
But how do they do it at OpenOffice with their CASA certification and the Python 2 kernel which has not been certified since 2020?

The answer:
Well, it's very simple: they don't have a CASA certification (at least not a security report).

Treating LibreOffice and OpenOffice equally in terms of security would be like saying that CASA certification is bullsheet.
I don't really agree.
Last edited by psilocybe on Mon Aug 12, 2024 1:39 pm, edited 1 time in total.
LibreOffice 5.3.3.2 - Lubuntu 16.10 - LxQt 0.11.0.3
Hagar Delest
Moderator
Posts: 32762
Joined: Sun Oct 07, 2007 9:07 pm
Location: France

Re: OpenOffice and Security

Post by Hagar Delest »

psilocybe wrote: Mon Aug 12, 2024 11:37 am [...]
I don't really agree.
You are absolutely entitled not to.
But this is a forum, no more, no less.
(Last post in this topic.)
LibreOffice 24.2 on Xubuntu 24.04 and 7.6.4.1 portable on Windows 10
RogoWarrior69
Posts: 5
Joined: Wed Mar 25, 2015 2:21 pm

Re: OpenOffice and Security

Post by RogoWarrior69 »

Wow, didn't know about OpenOffice's security concerns, especially with Python 2. Good to know about CASA certification and code security verification. Maybe it's time to consider LibreOffice?
Apache Open-office 4.1.1 on Windows 8.1
LastUnicorn
Posts: 631
Joined: Sat Mar 29, 2008 2:41 am
Location: Scotland

Re: OpenOffice and Security

Post by LastUnicorn »

@RogoWarrior69, To help in your consideration: There are several other good reasons for making the switch anyway, some of which are mentioned here: [Tutorial] Considering a Switch from OpenOffice to LibreOffice? Some Useful Information
LibreOffice (Still) 24.2.5.2 (x64) installed to Windows 10 Pro x64 and Windows 11 Pro x64
Apache OpenOffice Portable 4.1.15 [Portable Apps]
For Java I use Adoptium Temurin JRE LTS Releases.
sveld
Posts: 29
Joined: Sat Dec 07, 2019 8:33 am
Location: The Netherlands

Re: OpenOffice and Security

Post by sveld »

@RogoWarrior69 this is hardly a surprise, is it? There have been continuous debates on OO vs LO. LO has had between 10-50 full-time developers (estimation) in the past decade since splitting from OO, so a quick estimation is that one needs at least 100-500 man-years of work to even get up to par with LO… that shows in security, features and compatibility. I’m not even counting the free-time contributors here as that’s hard to express in man-years of work, but I think you get the point. Then, even LO is -far- from finished as a project, but has built a good foundation for expanding to things like WebAssembly, Online and Mobile solutions. Anyone comparing OO to LO and saying “it’s almost the same” and that they are interchangeable is sticking their head in the sand.
LibreOffice 24.2.5 on Win11 and Linux (mostly openSUSE Tumbleweed), Collabora Office App on IOS and Android, Collabora Office Online (CODE) with Nextcloud (Office)