Issue 126281 - Remove HWP (Hangul Word Processor) filter
Status: CLOSED FIXED
Alias: None
Product: Writer
Classification: Application
Component: open-import
Version: 4.1.1
Hardware: All All
Importance: P3 Blocker
Target Milestone: 4.1.2
Assignee: Andrea Pescetti
QA Contact:
URL: http://www.openoffice.org/security/cv...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-29 07:54 UTC by Andrea Pescetti
Modified: 2016-08-30 21:32 UTC

See Also:
Issue Type: TASK
Latest Confirmation in: ---
Developer Difficulty: Medium
pescetti: 4.1.2_release_blocker+


Attachments
files which contain the string hangul (case insensitive)) (8.28 KB, text/plain)
2015-05-03 22:35 UTC, Kay

Description Andrea Pescetti 2015-04-29 07:54:41 UTC
OpenOffice 4.1.1 contains a filter to import documents created with old (pre-1997) versions of HWP, Hangul Word Processor, *.hwp files.

A security advisory was recently published for that filter/library:
http://www.openoffice.org/security/cves/CVE-2015-1774.html

Mailing list discussions did not show that it's worth investigating a fix, since the filter can be removed with negligible impact on users.

So the filter should be removed, meaning that OpenOffice should no longer ship with the library named "hwp.dll" or "libhwp.dylib" or "libhwp.so" according to the platform.
Comment 1 SVN Robot 2015-05-01 17:20:23 UTC
"pescetti" committed SVN revision 1677190 into trunk:
#i126281# Do not build/ship hwpfilter.
Comment 2 Kay 2015-05-03 22:35:13 UTC
Created attachment 84728
files which contain the string hangul (case insensitive))

Files from trunk which contain the string "hangul" which may need investigation.
Comment 3 Andrea Pescetti 2015-05-04 06:57:02 UTC
Note that "hangul" is also a way of writing (it's the Korean alphabet). So Kay's list based on searching "hangul" includes many things that we shouldn't touch. For our purposes, it's enough to scan for the strings "hwp" or "hwpfilter" and follow what was done to remove the writerperfect module or the binfilters.

What is in trunk already protects users against the vulnerability since it avoids packaging the library, but still this will need refinements as discussed on the dev list.
Comment 4 SVN Robot 2015-06-03 22:53:12 UTC
"kschenk" committed SVN revision 1683442 into trunk:
#i126281# Remove HWP as an option to Writer open menu.
Comment 5 Andrea Pescetti 2015-06-14 21:09:04 UTC
For easier understanding from the general public: removing the HWP filter was already done on May 1st 2015 and this issue is thus to be considered fixed as of 1st May 2015.

See issue 126369 for the additional (mostly cosmetic, and with no security impact) work.
Comment 6 Kay 2015-07-08 20:36:01 UTC
I'm not exactly certain how to interpret the "release blocker" flag on this.
In my opinion we should remove references and other processes regarding the HWP filter which might continue to concern users.

I will be happy to review the file list in the next few days and make changes. At a minimum, I will review the helpcontent2 and i18 areas.

We could use some additional help on some of the other areas.
Comment 7 Andrea Pescetti 2015-07-08 21:27:44 UTC
@Kay: Here "Release Blocker" means that my patch and your patch will be committed to the AOO410 branch for the OpenOffice 4.1.2 release. Nothing else to discuss. Just to be clear: both patches are now committed to trunk but we still need to copy them to AOO410 for release 4.1.2.
Comment 8 Kay 2015-07-13 22:50:24 UTC
(In reply to Andrea Pescetti from comment #7)
> @Kay: Here "Release Blocker" means that my patch and your patch will be
> committed to the AOO410 branch for the OpenOffice 4.1.2 release. Nothing
> else to discuss. Just to be clear: both patches are now committed to trunk
> but we still need to copy them to AOO410 for release 4.1.2.

OK. Will do. And yes, after reviewing the file list, I would say all the remaining references were related to the Hangul character set itself which we still support, and not to the HWP processing.
Comment 9 SVN Robot 2015-07-14 21:05:21 UTC
"pescetti" committed SVN revision 1691080 into branches/AOO410:
#i126281# Do not build/ship hwpfilter.
Comment 10 SVN Robot 2015-07-14 21:12:33 UTC
"pescetti" committed SVN revision 1691082 into branches/AOO410:
#i126281# Commit meta-information to track merge to AOO410 for OpenOffice 4.1.2
Comment 11 Andrea Pescetti 2015-07-14 21:14:30 UTC
@Kay: After review by the OpenOffice security team we can port both commits in this issue (mine and yours) to AOO410. I ported mine as follows:

$ (change dir to a checkout of https://svn.apache.org/repos/asf/openoffice/branches/AOO410 and to the "main" subdirectory within it)

$ svn merge -c 1677190 https://svn.apache.org/repos/asf/openoffice/trunk/main .

[Note: the above ends with a dot, to mean the current directory; the number is the revision number of the commit you want to port]

You can port yours in the same way. SVN will automatically add meta-information to track this merge. If you commit the whole "main" subdirectory, as opposed to the individual files (as I did), you will be able to do everything in a single commit.
Comment 12 SVN Robot 2015-07-14 21:30:40 UTC
"kschenk" committed SVN revision 1691089 into branches/AOO410:
#i126281# Remove HWP as an option to Writer open menu.
Comment 13 Andrea Pescetti 2015-10-18 22:43:39 UTC
Verified fixed on 4.1.2-RC2 as follows:

1) $ find . -name libhwp.so
   returns "./openoffice4/program/libhwp.so" in a 4.1.1 tree, empty in a 4.1.2-RC2 tree

2) File - Open shows *.hwp files in the "File type" list in 4.1.1, it doesn't in 4.1.2-RC2
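
The check from comment 13, extended to all three platform library names listed in the description and to the source scan for "hwp" suggested in comment 3. This is an added example, not part of the original issue or the OpenOffice code base; the function names, sample trees and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked install tree for the HWP filter library.
# Library names are the ones given in the issue description; all else is assumed.

# Print every file under $1 named like one of the HWP filter libraries.
hwp_libs_in_tree() {
    find "$1" -type f \( -iname 'hwp.dll' -o -iname 'libhwp.dylib' \
        -o -iname 'libhwp.so' \) 2>/dev/null | sort
}

# Succeed (exit 0) only if the tree ships none of those libraries.
hwp_filter_removed() {
    [ -z "$(hwp_libs_in_tree "$1")" ]
}

# List files under $1 that mention "hwp" (this also covers "hwpfilter").
# Files that only mention the Hangul script are not reported.
hwp_source_refs() {
    grep -rli 'hwp' "$1" 2>/dev/null | sort
}

# Build constructed sample trees: a 4.1.1-like install, a 4.1.2-like install,
# and a tiny source directory. File names other than libhwp.so are made up.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/4.1.1/openoffice4/program" \
             "$base/4.1.2/openoffice4/program" "$base/src"
    : > "$base/4.1.1/openoffice4/program/libhwp.so"
    : > "$base/4.1.2/openoffice4/program/libsw.so"
    printf 'module hwpfilter\n' > "$base/src/build.lst"
    printf 'Hangul/Hanja conversion\n' > "$base/src/help.txt"
    echo "$base"
}

# Demo run over the constructed trees.
demo_base=$(make_sample_trees)
for tree in 4.1.1 4.1.2; do
    if hwp_filter_removed "$demo_base/$tree"; then
        echo "$tree: HWP filter library not shipped"
    else
        echo "$tree: still ships $(hwp_libs_in_tree "$demo_base/$tree")"
    fi
done
echo "source files referencing hwp:"
hwp_source_refs "$demo_base/src"
rm -rf "$demo_base"
```
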
Comment 14 Kay 2016-08-30 21:32:30 UTC
Closing.