
Re: About libreoffice CVE



On 16/11/17 09:39, Raphael Hertzog wrote:
> On Tue, 14 Nov 2017, Emilio Pozuelo Monfort wrote:
>> Yes, that was added back then due to a regression with the fix for
>> https://security-tracker.debian.org/tracker/CVE-2017-3157
> 
> When you add an entry back for some reason, please document that
> reason... this entry in dla-needed.txt is useless if contributors don't
> know why it sits there.
> 
> I was just assuming that it was affected by vulnerabilities and looked up
> the open CVE.

Well, it's there...

libreoffice (Emilio Pozuelo)
  NOTE: regression update, see:
  NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html

> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157
>>
>> At this point, I'm not sure what the best course of action is:
>> - revert the patch, leaving LO vulnerable to the original problem
>> - leave things as is, with the annoying effect of the regression, but a safe LO
>> - spend more time to try to fix the regression
>>
>> The first option is probably unacceptable. I wonder which one of the other two
>> is better at this point, given that wheezy will be EOL in a few months and that
>> most LTS users at this point are likely for servers.
> 
> Can you point us to the regression report that you got or saw?
> 
> When I look at the description of the problem, I'm tempted to revert the
> patch because the original problem does not look too severe. It can be
> used to get private data but the information leak is limited to whatever
> can appear in a preview and it requires precise knowledge of the
> location of the user's document that you want to retrieve. And then
> getting someone to open, modify, save a document and send it back to you
> is non-trivial.
> 
> Still this looks bad so it also depends on how annoying the regression is.
> Does it affect all embedded objects?

Yep, it's bad, though not critical. The regression is annoying and affects some
objects, but I'm not sure if it affects all of them.

>> PS: My apologies for not dealing with this earlier. I looked at it a while ago
>> but couldn't fix it, and then wasn't motivated to look at it further.
> 
> When I read "wasn't motivated to look at it further" I think that you
> should have really put the package back into the queue with the
> appropriate explanations.

I really should have done that, and claimed it back if I found the time and
energy. I have freed it now.

Cheers,
Emilio

