Re: About libreoffice CVE
On 16/11/17 09:39, Raphael Hertzog wrote:
> On Tue, 14 Nov 2017, Emilio Pozuelo Monfort wrote:
>> Yes, that was added back then due to a regression with the fix for
>> https://security-tracker.debian.org/tracker/CVE-2017-3157
>
> When you add an entry back for some reason, please document that
> reason... this entry in dla-needed.txt is useless if contributors don't
> know why it sits there.
>
> I was just assuming that it was affected by vulnerabilities and looked up
> the open CVE.
Well, it's there...
libreoffice (Emilio Pozuelo)
NOTE: regression update, see:
NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html
>
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157
>>
>> At this point, I'm not sure what the best course of action is:
>> - revert the patch, leaving LO vulnerable to the original problem
>> - leave things as is, with the annoying effect of the regression, but a safe LO
>> - spend more time to try to fix the regression
>>
>> The first option is probably unacceptable. I wonder which one of the other two
>> is better at this point, given that wheezy will be EOL in a few months and that
>> most LTS users at this point are likely for servers.
>
> Can you point us to the regression report that you got or saw ?
>
> When I look at the description of the problem, I'm tempted to revert the
> patch because the original problem does not look too severe. It can be
> used to get private data but the information leak is limited to whatever
> can appear in a preview and it requires precise knowledge of the
> location of the user's document that you want to retrieve. And then
> getting someone to open, modify, save a document and send it back to you
> is non-trivial.
>
> Still this looks bad so it also depends on how annoying the regression is.
> Does it affect all embedded objects ?
Yep, it's bad, though not critical. The regression is annoying and affects some
objects, but not sure if it affects all of them.
>> PS: My apologies for not dealing with this earlier. I looked at it a while ago
>> but couldn't fix it, and then wasn't motivated to look at it further.
>
> When I read "wasn't motivated to look at it further" I think that you
> should have really put the package back into the queue with the
> appropriate explanations.
I really should have done that, and claimed it back if I found the time and
energy. I have freed it now.
Cheers,
Emilio
Reply to: