OpenSuSE has issued an advisory on December 29:
http://lists.opensuse.org/opensuse-updates/2014-12/msg00109.html

I had already previously committed the patch to this to Mageia 4 SVN:
http://svnweb.mageia.org/packages/updates/4/libreoffice/current/SPECS/libreoffice.spec?r1=797842&r2=800744

Previous discussion I have seen on this issue said that technically the CVE only applies to OpenOffice and the implications of the issue are less severe in LibreOffice, despite some shared code that allows the same PoC to cause problems. If I understand correctly, arbitrary code execution is possible with OpenOffice, but it only can cause crashes in LibreOffice. For many programs, crashes caused by malformed input are considered a security issue, but LibreOffice upstream says they don't consider it as such, as the codebase hasn't been hardened against that, so users shouldn't expect it not to be possible for a malicious file to crash LibreOffice.

I'll hold this update for now until another issue comes up for LO unless someone thinks I should push it.

Note that Fedora 19, who we've synced this package from, is no longer supported. However, OpenSuSE 13.1 also has the same version, so we can continue to sync future patches from them. 13.1 will be officially supported until around mid-2015, and if the Evergreen project supports the libreoffice package, possibly until the end of 2016, so we should still be in relatively OK shape for supporting this package through Mageia 4's lifecycle.
URL: (none) => http://lwn.net/Vulnerabilities/628120/
4.3 update includes it (see bug #15188)
CC: (none) => thierry.vignaud
Depends on: (none) => 15188
Fixed in http://advisories.mageia.org/MGAA-2015-0012.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED