Re: About libreoffice CVE
On Tue, 14 Nov 2017, Emilio Pozuelo Monfort wrote:
> Yes, that was added back then due to a regression with the fix for
> https://security-tracker.debian.org/tracker/CVE-2017-3157
When you add an entry back for some reason, please document that
reason... this entry in dla-needed.txt is useless if contributors don't
know why it sits there.
I was just assuming that it was affected by vulnerabilities and looked up
the open CVE.
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157
>
> At this point, I'm not sure what the best course of action is:
> - revert the patch, leaving LO vulnerable to the original problem
> - leave things as is, with the annoying effect of the regression, but a safe LO
> - spend more time to try to fix the regression
>
> The first option is probably unacceptable. I wonder which one of the other two
> is better at this point, given that wheezy will be EOL in a few months and that
> most LTS users at this point are likely for servers.
Can you point us to the regression report that you got or saw ?
When I look at the description of the problem, I'm tempted to revert the
patch because the original problem does not look too severe. It can be
used to get private data but the information leak is limited to whatever
can appear in a preview and it requires precise knowledge of the
location of the user's document that you want to retrieve. And then
getting someone to open, modify, save a document and send it back to you
is non-trivial.
Still this looks bad so it also depends on how annoying the regression is.
Does it affect all embedded objects ?
> PS: My apologies for not dealing with this earlier. I looked at it a while ago
> but couldn't fix it, and then wasn't motivated to look at it further.
When I read "wasn't motivated to look at it further" I think that you
should have really put the package back into the queue with the
appropriate explanations.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Reply to: