Re: About libreoffice CVE



On 14/11/17 17:02, Moritz Mühlenhoff wrote:
> On Tue, Nov 14, 2017 at 04:48:48PM +0100, Raphael Hertzog wrote:
>> Package: libreoffice
>> Claimed-By: Emilio Pozuelo
>> Claimed-Date: 2017-05-31 17:29 (166 days ago)
> 
> There's some data error, CVE-2017-12607 and CVE-2017-12608 were only
> disclosed on Oct 27.

Yes, that was added back then due to a regression with the fix for
https://security-tracker.debian.org/tracker/CVE-2017-3157

The regression causes some objects (e.g. charts) to not be shown, which may be
annoying for users but should be safe. Unfortunately, upstream didn't fix this
in 3.5 and the code there was quite different, so I had to manually backport the
patch. IIRC Rene reviewed it and it seemed fine, and my testing didn't show
any problems, but upstream wasn't helpful so I went with it. Looks like Red Hat
had the same or a similar regression, fwiw:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157

At this point, I'm not sure what the best course of action is:
- revert the patch, leaving LO vulnerable to the original problem
- leave things as is, with the annoying effect of the regression, but a safe LO
- spend more time to try to fix the regression

The first option is probably unacceptable. I wonder which one of the other two
is better at this point, given that wheezy will be EOL in a few months and that
most LTS users at this point are likely running servers.

Thoughts?
Emilio

PS: My apologies for not dealing with this earlier. I looked at it a while ago
but couldn't fix it, and then wasn't motivated to look at it further.
