Re: About libreoffice CVE

To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: debian-lts@lists.debian.org, Emilio Pozuelo Monfort <pochu@debian.org>
Subject: Re: About libreoffice CVE
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 24 Nov 2017 10:14:20 +0100
Message-id: <[🔎] 20171124091420.kxstunshkmcfrpw3@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Antoine Beaupré <anarcat@orangeseeds.org>, debian-lts@lists.debian.org, Emilio Pozuelo Monfort <pochu@debian.org>
In-reply-to: <[🔎] 878texui4w.fsf@curie.anarc.at>
References: <[🔎] 20171114154848.fnyxvmiy3o4j26kf@home.ouaza.com> <[🔎] 878texui4w.fsf@curie.anarc.at>

Hi,

On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> >             sal_uInt16 nLevelAnz;
> >             rIn >> nLevelAnz;
> >             if ( nLevelAnz > 5 )
> >             {
> >                 OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5 Ebenen! (SJ)" );
> >                 nLevelAnz = 5;
> >             }
> 
> I have taken on the Libreoffice DLA and I looked into this, but I didn't
> notice that check. So I backported the patch anyways. It would have been
> useful to mark CVE-2017-CVE-2017-12607 as N/A in CVE/list to avoid that duplicate
> work... But I'm not sure your analysis is correct - the upstream patch
> for that issue concerns an earlier part of the code:
> 
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1
> 
> namely:
> 
> -                while ( rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz )
> +                while (rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz && nLev < nMaxPPTLevels)
> 
> ... which sits about 100 lines above. Now I didn't check the upstream
> code to see if it has that check we have in wheezy, but it seems it
> won't hurt to add that patch anyways.

It can't sit 100 lines above since it's using the variable that has been
declared in the snipped that I pasted. The code I pasted is an old version
of this current code:

                sal_uInt16 nLevelAnz(0);
                rIn.ReadUInt16(nLevelAnz);

So I think that my analysis is correct.

> ... if we consider LTS users are only for servers, why do we bother
> supporting Libreoffice in the first place? :) It's true it can be used
> headless, but I would think the most common use case is the GUI. The
> fact that someone reported an issue (and I wonder if there's an actual
> bug report in the BTS, anyone?) shows people *are* using it that way.

Definitely, we should support libreoffice for the desktop use case.

> So we should issue a regression update. We can probably do this
> separately than a DLA for CVE-2017-12607 and CVE-2017-12608 though... In
> fact, shouldn't we *always* issue separate DLAs for regression updates?

I think it's fine to fix a regression together with other new security
vulnerabilities.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Reply to:

Follow-Ups:
- Re: About libreoffice CVE
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

References:
- About libreoffice CVE
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: About libreoffice CVE
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Re: ASAN builds and exiv2
Next by Date: Updates to LTS/Development
Previous by thread: Re: About libreoffice CVE
Next by thread: Re: About libreoffice CVE
Index(es):
- Date
- Thread