Bug 14918 - libreoffice new security issue CVE-2014-9093
Summary: libreoffice new security issue CVE-2014-9093
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal minor
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/628120/
Whiteboard:
Keywords:
Depends on: 15188
Blocks:
  Show dependency treegraph
 
Reported: 2014-12-30 18:34 CET by David Walser
Modified: 2015-02-21 19:08 CET (History)
1 user (show)

See Also:
Source RPM: libreoffice-4.1.6.2-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-12-30 18:34:14 CET
OpenSuSE has issued an advisory on December 29:
http://lists.opensuse.org/opensuse-updates/2014-12/msg00109.html

I had already previously committed the patch to this to Mageia 4 SVN:
http://svnweb.mageia.org/packages/updates/4/libreoffice/current/SPECS/libreoffice.spec?r1=797842&r2=800744

Previous discussion I have seen on this issue said that technically the CVE only applies to OpenOffice and the implications of the issue are less severe in LibreOffice, despite some shared code that allows the same PoC to cause problems.  If I understand correctly, arbitrary code execution is possible with OpenOffice, but it only can cause crashes in LibreOffice.  For many programs, crashes caused by malformed input is considered a security issue, but LibreOffice upstream says they don't consider it as such, as the codebase hasn't been hardended against that, so users shouldn't expect it not to be possible for a malicious file to crash LibreOffice.

I'll hold this update for now until another issue comes up for LO unless someone thinks I should push it.

Note that Fedora 19, who we've synced this package from, is no longer supported.  However, OpenSuSE 13.1 also has the same version, so we can continue to sync future patches from them.  13.1 will be officially supported until around mid-2015, and if the Evergreen project supports the libreoffice package, possibly until the end of 2016, so we should still be in relatively OK shape for supporting this package through Mageia 4's lifecycle.

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-30 18:34:26 CET

URL: (none) => http://lwn.net/Vulnerabilities/628120/

Comment 1 Thierry Vignaud 2015-02-02 21:58:28 CET
4.3 update includes it (see bug #15188)

CC: (none) => thierry.vignaud

David Walser 2015-02-03 12:54:27 CET

Depends on: (none) => 15188

Comment 2 David Walser 2015-02-21 19:08:15 CET
Fixed in http://advisories.mageia.org/MGAA-2015-0012.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.