Date: 2022-09-08

IT boomers who work with the Linux port of the once market-leading spreadsheet should update quickly: there is a risk from a 32-year-old buffer overflow.

The name “Lotus” evokes various associations among computer users who have been active since the late 1980s. The groupware Lotus Notes (now, after the second takeover, HCL Notes) may still be familiar to younger people, but for “Lotus 1-2-3” you have to dig a little deeper into the repressed DOS memories. In fact, the spreadsheet was more popular than Excel in the 1980s, but Excel quickly outstripped its competitor after its release on the IBM PC.

expert Tavis Ormandy, known in the community as a prominent contributor to Google’s Project Zero, posted a notice of a buffer overflow in Lotus 1-2-3 for Unix/Linux on the Full Disclosure mailing list. However, Dan Bastone discovered and reported the bug; it is triggered as soon as a user opens a specially crafted 1-2-3 worksheet and can lead to the execution of arbitrary code.

Revitalized Abandonware

The reader might ask why a Google employee is reporting security gaps in 30-year-old abandonware. Well, because Tavis Ormandy ported said abandonware to Linux as part of a hobby project. In a blog post, Ormandy tells how he got hold of a pirate copy of the Unix version R3 in a BBS and, in typical Taviso fashion, hacked it under Linux, an operating system that hadn’t even been released at the time Lotus 1-2-3 R3 was released. After all, people need a hobby. And the community of 1-2-3 enthusiasts is experiencing an unprecedented renaissance in the GitHub issues for the project.

It may give some satisfaction to those who have been hit by security bugs found by Ormandy (and there are quite a few) that this time the star hacker had to gain experience on the receiving end. But Ormandy did well: a security advisory and patch were available within a few days; however, the CVE number and CVSS rating are still missing 😉