
Re: About libreoffice CVE



Hi,

On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> >             sal_uInt16 nLevelAnz;
> >             rIn >> nLevelAnz;
> >             if ( nLevelAnz > 5 )
> >             {
> >                 OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5 Ebenen! (SJ)" );
> >                 nLevelAnz = 5;
> >             }
> 
> I have taken on the Libreoffice DLA and I looked into this, but I didn't
> notice that check. So I backported the patch anyways. It would have been
> useful to mark CVE-2017-12607 as N/A in CVE/list to avoid that duplicate
> work... But I'm not sure your analysis is correct - the upstream patch
> for that issue concerns an earlier part of the code:
> 
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1
> 
> namely:
> 
> -                while ( rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz )
> +                while (rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz && nLev < nMaxPPTLevels)
> 
> ... which sits about 100 lines above. Now I didn't check the upstream
> code to see if it has that check we have in wheezy, but it seems it
> won't hurt to add that patch anyways.

It can't sit 100 lines above since it's using the variable that has been
declared in the snippet that I pasted. The code I pasted is an old version
of this current code:

                sal_uInt16 nLevelAnz(0);
                rIn.ReadUInt16(nLevelAnz);

So I think that my analysis is correct.

> ... if we consider LTS users are only for servers, why do we bother
> supporting Libreoffice in the first place? :) It's true it can be used
> headless, but I would think the most common use case is the GUI. The
> fact that someone reported an issue (and I wonder if there's an actual
> bug report in the BTS, anyone?) shows people *are* using it that way.

Definitely, we should support libreoffice for the desktop use case.

> So we should issue a regression update. We can probably do this
> separately than a DLA for CVE-2017-12607 and CVE-2017-12608 though... In
> fact, shouldn't we *always* issue separate DLAs for regression updates?

I think it's fine to fix a regression together with other new security
vulnerabilities.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
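As an added illustration (not code from this thread or from LibreOffice), here is the shape of the check the thread discusses in a self-contained form: the level count is read from the file, clamped at parse time as the wheezy snippet does, and the read loop carries the `nLev < nMaxPPTLevels` guard from the upstream patch, so the fixed-size per-level array is never written past its end whichever of the two checks is present. The value 5 for `nMaxPPTLevels`, the `ByteReader` stand-in for `SvStream`, and the `PptTextStyle` layout are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed value: the wheezy clamp uses 5, so nMaxPPTLevels is taken to be 5.
constexpr std::size_t nMaxPPTLevels = 5;

// Minimal stand-in for the SvStream reader: little-endian uint16 from a byte
// buffer, with an error flag that stays set once a read runs off the end.
struct ByteReader {
    const std::vector<uint8_t>& buf;
    std::size_t pos = 0;
    bool error = false;
    uint16_t readUInt16() {
        if (pos + 2 > buf.size()) { error = true; return 0; }
        uint16_t v = static_cast<uint16_t>(buf[pos] | (buf[pos + 1] << 8));
        pos += 2;
        return v;
    }
};

// One fixed-size slot per text level; the count from the file must never
// be allowed to index past nMaxPPTLevels.
struct PptTextStyle {
    uint16_t levelFlags[nMaxPPTLevels] = {0};
    std::size_t levelsRead = 0;
};

// recEnd plays the role of aTxMasterStyleHd.GetRecEndFilePos(): the offset
// at which this record ends inside the stream.
PptTextStyle readTextStyle(const std::vector<uint8_t>& data, std::size_t recEnd) {
    ByteReader rIn{data};
    PptTextStyle style;
    uint16_t nLevelAnz = rIn.readUInt16();          // attacker-controlled count
    if (nLevelAnz > nMaxPPTLevels)                   // parse-time clamp (wheezy)
        nLevelAnz = nMaxPPTLevels;
    std::size_t nLev = 0;
    // Loop guard as in the upstream patch: stream error, record end,
    // the (clamped) count, and the hard array bound.
    while (!rIn.error && rIn.pos < recEnd && nLev < nLevelAnz && nLev < nMaxPPTLevels) {
        uint16_t flags = rIn.readUInt16();
        if (rIn.error) break;                        // truncated level entry
        style.levelFlags[nLev] = flags;
        ++nLev;
    }
    style.levelsRead = nLev;
    return style;
}
```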
