OpenOffice and Security

Posted: Sat Aug 10, 2024 2:02 pm
by psilocybe
Hi all,

I don't see anywhere (or maybe I didn't look carefully) where you advise to install LibreOffice instead of OpenOffice for security reasons.

Because I don't see how you can assess the security of a software that itself uses Python version 2, whose security is no longer ensured since January 1, 2020.

I think it would be urgent to put a banner advising the use of LibreOffice instead of OpenOffice for security reasons.

Failure to do so could make you responsible for possible security issues due to the obsolescence of OpenOffice.

Re: OpenOffice and Security

Posted: Sat Aug 10, 2024 9:21 pm
by MrProgrammer
psilocybe wrote: Sat Aug 10, 2024 2:02 pm I don't see how you can assess the security of a software that itself uses Python version 2
That concern is not present on macOS. Apple removed Python 2 in macOS 12.3 (March 2022). Parts of macOS which formerly used it were rewritten to avoid Python. Apple does not supply Python 3 as part of macOS. Someone with developer skills could install it. However, from a practical standpoint, in OpenOffice one cannot use Python scripts on any recent version of macOS.
macOS Monterey 12.3 Release Notes

psilocybe wrote: Sat Aug 10, 2024 2:02 pm Failure to do so could make you responsible for possible security issues due to the obsolescence of OpenOffice.
This is a user-to-user forum. We are not connected with the Apache OpenOffice development team. The Survival guide explains how you can contact the project.

Re: OpenOffice and Security

Posted: Sun Aug 11, 2024 12:39 am
by psilocybe
If I scan the OpenOffice code with a tool like FluidAttacks, it finds 323 vulnerabilities in the OpenOffice code... :ouch:

─────────────────────────────────── Running ────────────────────────────────────

[WARNING] Although skims does not collect any sensitive information, if you do not want to send any data to our servers, set the `tracing_opt_out` key to `True` in your configuration file
[INFO] Official documentation: https://help.fluidattacks.com/portal/en/kb/find-security-vulnerabilities/use-the-cli
[INFO] Namespace: openoffice
[WARNING] Unable to find commit HEAD on analyzed directory
[INFO] Startup work dir is: /working-dir
[INFO] Moving work dir to: /working-dir
[INFO] Running SCA analysis on 1610 paths
[INFO] Downloading advisory database
[INFO] SCA analysis completed!
[INFO] Starting SAST analysis
[INFO] Performing basic SAST analysis on 2239 paths
[INFO] Basic SAST analysis completed!
[INFO] Performing advanced SAST analysis on 4047 paths
[INFO] Advanced SAST analysis completed!
[INFO] Analyzing unverifiable and non-upgradable paths
[INFO] SAST analysis completed!
[INFO] Analysis finished, writing results
[INFO] An output file has been written: /working-dir/Fluid-Attacks-Results.csv
[INFO] Summary: 323 vulnerabilities were found in your targets.
Details of vulnerabilities found:
Fluid-Attacks-Results.csv.zip
MrProgrammer wrote: Sat Aug 10, 2024 9:21 pm This is a user-to-user forum. We are not connected with the Apache OpenOffice development team.
This does not prevent you from advising users to use LibreOffice instead of OpenOffice for security reasons.

Re: OpenOffice and Python security

Posted: Sun Aug 11, 2024 2:23 am
by MrProgrammer
psilocybe wrote: Sun Aug 11, 2024 12:39 am Details of vulnerabilities found
This is not a developers' forum, so they won't see that. The Survival guide explains how you can contact the project.

Re: OpenOffice and Security

Posted: Sun Aug 11, 2024 10:10 am
by psilocybe
MrProgrammer wrote: Sun Aug 11, 2024 2:23 am This is not a developers' forum, so they won't see that. The Survival guide explains how you can contact the project.
Contacting the site will not help (look at my request that is over a year old and still unanswered... and look who opened it and on what date?).
On the other hand, in the absence of publication of a security report on the OpenOffice code, as one can easily find for LibreOffice, one can only admit that the OpenOffice code is NOT SECURE. Wanting to make believe otherwise would be misleading your users.
Now that you are aware, you can no longer say that you did not know.

Re: OpenOffice and Security

Posted: Sun Aug 11, 2024 9:26 pm
by Hagar Delest
psilocybe wrote: Sun Aug 11, 2024 10:10 am Wanting to make believe otherwise would be misleading your users.
Now that you are aware, you can no longer say that you did not know.
Again, they are not "our" users. We are volunteers whose forum is located on the Apache servers, that's all.

Re: OpenOffice and Security

Posted: Sun Aug 11, 2024 11:00 pm
by psilocybe
Hagar Delest wrote: Sun Aug 11, 2024 9:26 pm Again, they are not "our" users. We are volunteers whose forum is located on the Apache servers, that's all.
Regardless of the users and regardless of the server that hosts you, you cannot pretend that two pieces of software with more than 6,100,000 lines of code each are equal in terms of security when only one submits its code to a code security verification tool and the other does nothing for the security of its code.

Being a volunteer does not exempt you from providing sound advice. This is exactly what I am trying to make you understand...

Re: OpenOffice and Security

Posted: Mon Aug 12, 2024 8:11 am
by Hagar Delest
Well, 4 years after the EOL of Python 2, it would be strange to suddenly put up a banner for that.
If any serious issue were to be feared, I hope that the AOO team would have said something.
Anyway, no code is ever secure at all. The risk comes with the use of applications.
You have made the warning in the forum, fine with that. But the point is that we are not responsible for anything, unlike what you said in your first post.

Re: OpenOffice and Security

Posted: Mon Aug 12, 2024 10:34 am
by DiGro

Re: OpenOffice and Security

Posted: Mon Aug 12, 2024 11:37 am
by psilocybe
Hagar Delest wrote: Mon Aug 12, 2024 8:11 am Well, 4 years after the EOL of Python 2, it would be strange to suddenly put up a banner for that.
The most serious thing is that, apparently, OpenOffice has done nothing for its CASA certification.
This is not a scan report on the security of the OpenOffice code but only the correction of security flaws. Where is the tool that can detect security flaws?

Facts:
Today, all the software you install on your computers has a CASA certification, or has set up the infrastructure to pass this certification:
  • With each addition or modification of the software code, this certification requires you to publish a report on the security of the code and the libraries used.
  • The new code can only be published if the report is free of any security alerts.
The killer question:
But how do they do it at OpenOffice with their CASA certification and the Python 2 kernel which has not been certified since 2020?

The answer:
Well, it's very simple: they don't have a CASA certification (at least not a security report).

Treating LibreOffice and OpenOffice equally in terms of security would be like saying that CASA certification is bullsheet.
I don't really agree.

Re: OpenOffice and Security

Posted: Mon Aug 12, 2024 1:09 pm
by Hagar Delest
psilocybe wrote: Mon Aug 12, 2024 11:37 am [...]
I don't really agree.
You are absolutely entitled not to.
But this is a forum, no more, no less.
(Last post in this topic.)

Re: OpenOffice and Security

Posted: Fri Aug 16, 2024 5:22 pm
by RogoWarrior69
Wow, didn't know about OpenOffice's security concerns, especially with Python 2. Good to know about CASA certification and code security verification. Maybe it's time to consider LibreOffice?

Re: OpenOffice and Security

Posted: Fri Aug 16, 2024 8:09 pm
by LastUnicorn
@RogoWarrior69, To help in your consideration: There are several other good reasons for making the switch anyway, some of which are mentioned here: [Tutorial] Considering a Switch from OpenOffice to LibreOffice? Some Useful Information

Re: OpenOffice and Security

Posted: Sat Aug 17, 2024 9:19 am
by sveld
@RogoWarrior69 this is hardly a surprise, is it? There have been continuous debates on OO vs LO. LO has had between 10 and 50 full-time developers (estimate) in the past decade since splitting from OO, so a quick estimate is that one needs at least 100-500 man-years of work to even get up to par with LO... that shows in security, features and compatibility. I'm not even counting the free-time contributors here, as that's hard to express in man-years of work, but I think you get the point. Then, even LO is -far- from finished as a project, but it has built a good foundation for expanding to things like WebAssembly, Online and Mobile solutions. Anyone comparing OO to LO and saying "it's almost the same" and that they are interchangeable is sticking their head in the sand.