About libreoffice CVE
Hello Emilio,
as the libreoffice entry is the oldest one without update[1] I decided
to take a look at the issues (even though it's assigned to you).
For CVE-2017-12607 I believe that wheezy is not affected as the patch
shown below merely ensures that nLevelAnz does not overflow nMaxPPTLevels (= 5).
https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1
And in the wheezy code, we already have such a check (line 4112 of
filter/source/msfilter/svdfppt.cxx):
sal_uInt16 nLevelAnz;
rIn >> nLevelAnz;
if ( nLevelAnz > 5 )
{
OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5 Ebenen! (SJ)" );
nLevelAnz = 5;
}
For CVE-2017-12608, the problem seems to exist as the code is very close.
Applying/backporting the patch looks trivial.
Furthermore in both cases, the commit contains a test file that could be used
to (at least manually) verify the fix.
I don't really see why this update has been stalled for so long. Please go ahead
with the update or unlock the package so that someone else can take over.
Cheers,
[1] As shown by bin/review-update-needed --lts:
Package: libreoffice
Claimed-By: Emilio Pozuelo
Claimed-Date: 2017-05-31 17:29 (166 days ago)
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Reply to: