Apache OpenOffice (AOO) Bugzilla – Issue 51500
OpenOffice can compromise people's privacy by putting UUIDs that reveal their ethernet addresses into documents
Last modified: 2011-03-05 17:30:12 UTC
Openoffice generates and discloses UUIDs in a way that can reveal the ethernet address used to generate the document. UUIDs (Universally Unique IDentifiers) are commonly used to provide unique names for things. See more at http://en.wikipedia.org/wiki/Universally_Unique_Identifier. Microsoft got a bad reputation years ago for publishing ethernet addresses in Word documents via UUIDs, as documented at http://en.wikipedia.org/wiki/Globally_Unique_Identifier Now OpenOffice is doing the same thing. One example is the "Id" attribute of the Signature element in the META-INF/documentsignatures.xml file that contains document signatures inside Writer ".odt" documents generated by recent OpenOffice 2.0 snapshots. I've verified that on my Ubuntu 5.04 Linux machine running 1.9.87, my ethernet address showed up in a document I signed, and since the code looks like it would do the same thing again, I haven't waited to confirm it on a more recent build. (I assume I don't have to explain that even signed documents shouldn't generally reveal their host addresses). Since there are hundreds of places in the code where the rtl_createUuid function is told to include an ethernet address, I assume they show up in other places also. I don't know if this is a problem for OpenOffice version 1. I suspect the best way to fix this is by just using random UUIDs (version 4) like Microsoft seems to do now in their GUIDs. Search for lines of code that put ethernet addresses in freshly generated UUIDs: http://go-ooo.org/lxr/search?filestring=&advanced=1&string=rtl_createUuid.*+sal_True
duplicate to issue 51501 ?
invalid as double to the same Issue from the same submitter
closed inv