
Re: About libreoffice CVE



On 2017-11-14 16:48:48, Raphael Hertzog wrote:
> Hello Emilio,
>
> as the libreoffice entry is the oldest one without update[1] I decided
> to take a look at the issues (even though it's assigned to you).
>
> For CVE-2017-12607 I believe that wheezy is not affected as the patch
> shown below merely ensures that nLevelAnz does not overflow nMaxPPTLevels (= 5).
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1
>
> And in the wheezy code, we already have such a check (in
> filter/source/msfilter/svdfppt.cxx):
>
>             sal_uInt16 nLevelAnz;
>             rIn >> nLevelAnz;
>             if ( nLevelAnz > 5 )
>             {
>                 OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5 Ebenen! (SJ)" );
>                 nLevelAnz = 5;
>             }

I have taken on the Libreoffice DLA and I looked into this, but I didn't
notice that check. So I backported the patch anyways. It would have been
useful to mark CVE-2017-12607 as N/A in CVE/list to avoid that duplicate
work... But I'm not sure your analysis is correct - the upstream patch
for that issue concerns an earlier part of the code:

https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1

namely:

-                while ( rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz )
+                while (rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz && nLev < nMaxPPTLevels)
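Review bot: the added `nLev < nMaxPPTLevels` term bounds only the loop index; it does not touch where nLevelAnz is read, so in a tree that already clamps nLevelAnz to 5 at the read site (the wheezy snippet quoted above) it is redundant, while in a tree without that clamp it is the only thing keeping nLev inside the nMaxPPTLevels-sized arrays. Suggest keeping the guard at the use site in either case, since it is cheap and does not depend on an earlier clamp staying in place. Style: the rewritten line drops the spaces inside `while ( ... )` that the original line had, so it no longer matches the surrounding file's formatting.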

... which sits about 100 lines above. Now I didn't check the upstream
code to see if it has that check we have in wheezy, but it seems it
won't hurt to add that patch anyways.

Regarding the regression, I'm not sure what to do either - I'll try to
reproduce the issue and see what I can do, although...

On Tue, 14 Nov 2017, Emilio Pozuelo Monfort wrote:
> At this point, I'm not sure what the best course of action is:
> - revert the patch, leaving LO vulnerable to the original problem
> - leave things as is, with the annoying effect of the regression, but a safe LO
> - spend more time to try to fix the regression
>
> The first option is probably unacceptable. I wonder which one of the other two
> is better at this point, given that wheezy will be EOL in a few months and that
> most LTS users at this point are likely for servers.

... if we consider LTS users are only for servers, why do we bother
supporting Libreoffice in the first place? :) It's true it can be used
headless, but I would think the most common use case is the GUI. The
fact that someone reported an issue (and I wonder if there's an actual
bug report in the BTS, anyone?) shows people *are* using it that way.

So we should issue a regression update. We can probably do this
separately from a DLA for CVE-2017-12607 and CVE-2017-12608 though... In
fact, shouldn't we *always* issue separate DLAs for regression updates?

A.

-- 
Never believe that a few caring people can't change the world. For,
indeed, that's all who ever have.
                        - Margaret Mead
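The two guards discussed in this thread (clamping nLevelAnz when it is read, and bounding nLev by nMaxPPTLevels in the loop) shown together in a small stand-alone reader. This is an added example written for this page, not LibreOffice code; the record layout, the LevelEntry/StyleSheet types and the readU16 helper are assumptions that only mimic the shape of the svdfppt.cxx loop.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Added example, not LibreOffice code: a simplified PPT text-stylesheet reader
// with the same shape as the svdfppt.cxx loop discussed in the thread.
constexpr std::uint16_t nMaxPPTLevels = 5;          // same constant as upstream
struct LevelEntry { std::uint16_t indent = 0; std::uint16_t fontSize = 0; };
struct StyleSheet {
    LevelEntry levels[nMaxPPTLevels];                 // fixed-size, like the real arrays
    std::uint16_t nLevelsStored = 0;
};
// Little-endian u16 read; false at end of record (stands in for the
// rIn.GetError() / rIn.Tell() < GetRecEndFilePos() conditions).
static bool readU16(const std::vector<std::uint8_t>& buf, std::size_t& pos, std::uint16_t& out) {
    if (pos + 2 > buf.size()) return false;
    out = static_cast<std::uint16_t>(buf[pos] | (buf[pos + 1] << 8));
    pos += 2;
    return true;
}
// Assumed record layout: u16 nLevelAnz, then nLevelAnz x (u16 indent, u16 fontSize).
// Both guards from the thread are applied: the wheezy-style clamp at the read
// site and the upstream-style bound on the loop index. Either alone already
// keeps every write inside levels[]; together they are cheap defence in depth.
StyleSheet parseStyleSheet(const std::vector<std::uint8_t>& rec) {
    StyleSheet sheet;
    std::size_t pos = 0;
    std::uint16_t nLevelAnz = 0;
    if (!readU16(rec, pos, nLevelAnz)) return sheet;
    if (nLevelAnz > nMaxPPTLevels) nLevelAnz = nMaxPPTLevels;   // read-site clamp
    for (std::uint16_t nLev = 0; nLev < nLevelAnz && nLev < nMaxPPTLevels; ++nLev) {
        LevelEntry e;
        if (!readU16(rec, pos, e.indent) || !readU16(rec, pos, e.fontSize)) break;
        sheet.levels[nLev] = e;                       // nLev < nMaxPPTLevels holds here
        sheet.nLevelsStored = static_cast<std::uint16_t>(nLev + 1);
    }
    return sheet;
}
// Constructed test record: 'claimed' levels in the header, 'present' level bodies.
std::vector<std::uint8_t> makeRecord(std::uint16_t claimed, std::uint16_t present) {
    std::vector<std::uint8_t> v = { std::uint8_t(claimed & 0xff), std::uint8_t(claimed >> 8) };
    for (std::uint16_t i = 0; i < present; ++i) {
        std::uint16_t indent = static_cast<std::uint16_t>(10 * (i + 1));
        std::uint16_t size = static_cast<std::uint16_t>(12 + i);
        v.push_back(std::uint8_t(indent & 0xff)); v.push_back(std::uint8_t(indent >> 8));
        v.push_back(std::uint8_t(size & 0xff));   v.push_back(std::uint8_t(size >> 8));
    }
    return v;
}
```

A header claiming more levels than nMaxPPTLevels (the shape of input the fixes concern) is silently cut to 5, and a record that ends early simply stops the loop.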