GNU bug report logs -
#30414
Libreoffice CVE-2018-6871 [remote read of any local files]
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sat, 10 Feb 2018 18:54:01 UTC
Severity: normal
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Sun, 11 Feb 2018 15:34:42 +0000
with message-id <1518363282.185370.1267018608.237C7FC5 <at> webmail.messagingengine.com>
and subject line Re: bug#30414: Libreoffice CVE-2018-6871 [remote read of any local files]
has caused the debbugs.gnu.org bug report #30414,
regarding Libreoffice CVE-2018-6871 [remote read of any local files]
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
30414: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30414
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
We need to fix CVE-2018-6871 in our LibreOffice package. This bug allows
remote attackers to read any file accessible from LibreOffice by
supplying a crafted file to open in LibreOffice.
Apparently the bug is fixed in LibreOffice 5.4.5 or 6.0.1.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
On Sun, Feb 11, 2018, at 3:08 PM, Marius Bakke wrote:
> Leo Famulari <leo <at> famulari.name> writes:
>
> >> From a28e82e1e3d480d5edf374cea062536d4c8d6d82 Mon Sep 17 00:00:00 2001
> >> From: Marius Bakke <mbakke <at> fastmail.com>
> >> Date: Sun, 11 Feb 2018 11:46:27 +0100
> >> Subject: [PATCH] gnu: libreoffice: Update to 5.4.5.1 [CVE-2018-6871].
> >>
> >> * gnu/packages/check.scm (cppunit-1.14): New public variable.
> >> * gnu/packages/libreoffice.scm (xmlsec-src-libreoffice): Remove variable.
> >> (libreoffice): Update to 5.4.5.1.
> >> [native-inputs]: Change CPPUNIT to CPPUNIT-1.14.
> >> [inputs]: Add GPGME and XMLSEC-NSS. Remove XMLSEC-SRC-LIBREOFFICE. Replace
> >> LIBJPEG with LIBJPEG-TURBO.
> >> [arguments]: Remove xmlsec code from PREPARE-SRC-PHASE. Make sure GPGME++
> >> headers are found. Add workaround for <https://bugs.gentoo.org/641812>. Add
> >> "--disable-pdfium" to #:configure-flags.
> >> * gnu/packages/xml.scm (xmlsec-nss): New public variable.
> >
> > The only change I suggest is to remove the obsolete comment at the
> > beginning of libreoffice's native-inputs about the xmlsec tarball.
>
> Good catch. It seems the autoconf and automake inputs are no longer
> required. But I unfortunately spoke too soon earlier, it failed very
> late in the build:
>
> [build CMP] filter/source/xsltdialog/xsltdlg
> ld: cannot find -lltdl
> collect2: error: ld returned 1 exit status
> make[1]: *** [/tmp/guix-build-libreoffice-5.4.5.1.drv-0/
> libreoffice-5.4.5.1/xmlsecurity/Library_xsec_xmlsec.mk:10: /tmp/guix-
> build-libreoffice-5.4.5.1.drv-0/libreoffice-5.4.5.1/instdir/program/
> libxsec_xmlsec.so] Error 1
> make[1]: *** Waiting for unfinished jobs....
> make: *** [Makefile:269: build] Error 2
> phase `build' failed after 2114.1 seconds
>
> I've attached a revised patch that adds libltdl, and removes the
> automake inputs. However, I have to leave now, so could you please
> verify that it works and push? I can provide moral support on #guix if
> nothing else :-)
>
> TIA!
Never mind, it was actually completed by the time I packed up.
I pushed it (and fixed the merge conflict in xml.scm, sorry about that!).
Thanks for staying on top of the never-ending CVE stream :-)
This bug report was last modified 7 years and 186 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.