Upstream has issued advisories today (February 17):
https://www.libreoffice.org/about-us/security/advisories/cve-2016-0794/
https://www.libreoffice.org/about-us/security/advisories/cve-2016-0795/
Older versions of LibreOffice are also affected.
Ubuntu has issued an advisory for this on February 16:
http://www.ubuntu.com/usn/usn-2899-1/
URL: (none) => http://lwn.net/Vulnerabilities/676108/
Fedora now has fixes backported to 4.4.7. Their advisory from February 28: https://lists.fedoraproject.org/pipermail/package-announce/2016-February/178036.html
Pinging Thierry. Could we update LO and the supporting libraries please?
err... We already got libreoffice-4.4.7 in core/updates... Since January... I wrote the advisory a month and a half before this ticket was opened...
*** This bug has been marked as a duplicate of bug 17454 ***
Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE
Sigh... Please read more carefully. Fedora *backported* fixes to 4.4.7 (3 months after updating to 4.4.7). These issues are not fixed.
Status: RESOLVED => REOPENED
Resolution: DUPLICATE => (none)
LO submitted
Source RPM: libreoffice-4.4.7.2-1.mga5.src.rpm => libreoffice-4.4.7.2-2.mga5.src.rpm
Thanks!

Advisory:
========================

Updated libreoffice packages fix security vulnerabilities:

The lwp filter in LibreOffice before 5.0.4 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted LotusWordPro (lwp) document (CVE-2016-0794).

LibreOffice before 5.0.5 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted LwpTocSuperLayout record in a LotusWordPro (lwp) document (CVE-2016-0795).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0795
https://www.libreoffice.org/about-us/security/advisories/cve-2016-0794/
https://www.libreoffice.org/about-us/security/advisories/cve-2016-0795/
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/178036.html
========================

Updated packages in core/updates_testing:
========================
libreoffice-4.4.7.2-2.mga5 libreoffice-base-4.4.7.2-2.mga5 libreoffice-bsh-4.4.7.2-2.mga5 libreoffice-calc-4.4.7.2-2.mga5 libreoffice-core-4.4.7.2-2.mga5 libreoffice-draw-4.4.7.2-2.mga5 libreoffice-emailmerge-4.4.7.2-2.mga5 libreoffice-filters-4.4.7.2-2.mga5 libreoffice-glade-4.4.7.2-2.mga5 libreoffice-graphicfilter-4.4.7.2-2.mga5 libreoffice-impress-4.4.7.2-2.mga5 libreoffice-java-common-4.4.7.2-2.mga5 libreoffice-kde-4.4.7.2-2.mga5 libreoffice-langpack-af-4.4.7.2-2.mga5 libreoffice-langpack-ar-4.4.7.2-2.mga5 libreoffice-langpack-as-4.4.7.2-2.mga5 libreoffice-langpack-bg-4.4.7.2-2.mga5 libreoffice-langpack-bn-4.4.7.2-2.mga5 libreoffice-langpack-br-4.4.7.2-2.mga5 libreoffice-langpack-ca-4.4.7.2-2.mga5 libreoffice-langpack-cs-4.4.7.2-2.mga5 libreoffice-langpack-cy-4.4.7.2-2.mga5 libreoffice-langpack-da-4.4.7.2-2.mga5 libreoffice-langpack-de-4.4.7.2-2.mga5 libreoffice-langpack-dz-4.4.7.2-2.mga5 libreoffice-langpack-el-4.4.7.2-2.mga5 libreoffice-langpack-en-4.4.7.2-2.mga5
libreoffice-langpack-es-4.4.7.2-2.mga5 libreoffice-langpack-et-4.4.7.2-2.mga5 libreoffice-langpack-eu-4.4.7.2-2.mga5 libreoffice-langpack-fa-4.4.7.2-2.mga5 libreoffice-langpack-fi-4.4.7.2-2.mga5 libreoffice-langpack-fr-4.4.7.2-2.mga5 libreoffice-langpack-ga-4.4.7.2-2.mga5 libreoffice-langpack-gl-4.4.7.2-2.mga5 libreoffice-langpack-gu-4.4.7.2-2.mga5 libreoffice-langpack-he-4.4.7.2-2.mga5 libreoffice-langpack-hi-4.4.7.2-2.mga5 libreoffice-langpack-hr-4.4.7.2-2.mga5 libreoffice-langpack-hu-4.4.7.2-2.mga5 libreoffice-langpack-it-4.4.7.2-2.mga5 libreoffice-langpack-ja-4.4.7.2-2.mga5 libreoffice-langpack-kk-4.4.7.2-2.mga5 libreoffice-langpack-kn-4.4.7.2-2.mga5 libreoffice-langpack-ko-4.4.7.2-2.mga5 libreoffice-langpack-lt-4.4.7.2-2.mga5 libreoffice-langpack-lv-4.4.7.2-2.mga5 libreoffice-langpack-mai-4.4.7.2-2.mga5 libreoffice-langpack-ml-4.4.7.2-2.mga5 libreoffice-langpack-mr-4.4.7.2-2.mga5 libreoffice-langpack-nb-4.4.7.2-2.mga5 libreoffice-langpack-nl-4.4.7.2-2.mga5 libreoffice-langpack-nn-4.4.7.2-2.mga5 libreoffice-langpack-nr-4.4.7.2-2.mga5 libreoffice-langpack-nso-4.4.7.2-2.mga5 libreoffice-langpack-or-4.4.7.2-2.mga5 libreoffice-langpack-pa-4.4.7.2-2.mga5 libreoffice-langpack-pl-4.4.7.2-2.mga5 libreoffice-langpack-pt-4.4.7.2-2.mga5 libreoffice-langpack-pt_BR-4.4.7.2-2.mga5 libreoffice-langpack-ro-4.4.7.2-2.mga5 libreoffice-langpack-ru-4.4.7.2-2.mga5 libreoffice-langpack-si-4.4.7.2-2.mga5 libreoffice-langpack-sk-4.4.7.2-2.mga5 libreoffice-langpack-sl-4.4.7.2-2.mga5 libreoffice-langpack-sr-4.4.7.2-2.mga5 libreoffice-langpack-ss-4.4.7.2-2.mga5 libreoffice-langpack-st-4.4.7.2-2.mga5 libreoffice-langpack-sv-4.4.7.2-2.mga5 libreoffice-langpack-ta-4.4.7.2-2.mga5 libreoffice-langpack-te-4.4.7.2-2.mga5 libreoffice-langpack-th-4.4.7.2-2.mga5 libreoffice-langpack-tn-4.4.7.2-2.mga5 libreoffice-langpack-tr-4.4.7.2-2.mga5 libreoffice-langpack-ts-4.4.7.2-2.mga5 libreoffice-langpack-uk-4.4.7.2-2.mga5 libreoffice-langpack-ve-4.4.7.2-2.mga5 libreoffice-langpack-xh-4.4.7.2-2.mga5 
libreoffice-langpack-zh_CN-4.4.7.2-2.mga5 libreoffice-langpack-zh_TW-4.4.7.2-2.mga5 libreoffice-langpack-zu-4.4.7.2-2.mga5 libreoffice-librelogo-4.4.7.2-2.mga5 libreoffice-math-4.4.7.2-2.mga5 libreoffice-nlpsolver-4.4.7.2-2.mga5 libreoffice-officebean-4.4.7.2-2.mga5 libreoffice-ogltrans-4.4.7.2-2.mga5 libreoffice-pdfimport-4.4.7.2-2.mga5 libreoffice-postgresql-4.4.7.2-2.mga5 libreoffice-pyuno-4.4.7.2-2.mga5 libreoffice-rhino-4.4.7.2-2.mga5 libreoffice-sdk-4.4.7.2-2.mga5 libreoffice-sdk-doc-4.4.7.2-2.mga5 libreoffice-ure-4.4.7.2-2.mga5 libreoffice-wiki-publisher-4.4.7.2-2.mga5 libreoffice-writer-4.4.7.2-2.mga5 libreoffice-xsltfilter-4.4.7.2-2.mga5 autocorr-af-4.4.7.2-2.mga5 autocorr-bg-4.4.7.2-2.mga5 autocorr-ca-4.4.7.2-2.mga5 autocorr-cs-4.4.7.2-2.mga5 autocorr-da-4.4.7.2-2.mga5 autocorr-de-4.4.7.2-2.mga5 autocorr-en-4.4.7.2-2.mga5 autocorr-es-4.4.7.2-2.mga5 autocorr-fa-4.4.7.2-2.mga5 autocorr-fi-4.4.7.2-2.mga5 autocorr-fr-4.4.7.2-2.mga5 autocorr-ga-4.4.7.2-2.mga5 autocorr-hr-4.4.7.2-2.mga5 autocorr-hu-4.4.7.2-2.mga5 autocorr-is-4.4.7.2-2.mga5 autocorr-it-4.4.7.2-2.mga5 autocorr-ja-4.4.7.2-2.mga5 autocorr-ko-4.4.7.2-2.mga5 autocorr-lb-4.4.7.2-2.mga5 autocorr-lt-4.4.7.2-2.mga5 autocorr-mn-4.4.7.2-2.mga5 autocorr-nl-4.4.7.2-2.mga5 autocorr-pl-4.4.7.2-2.mga5 autocorr-pt-4.4.7.2-2.mga5 autocorr-ro-4.4.7.2-2.mga5 autocorr-ru-4.4.7.2-2.mga5 autocorr-sk-4.4.7.2-2.mga5 autocorr-sl-4.4.7.2-2.mga5 autocorr-sr-4.4.7.2-2.mga5 autocorr-sv-4.4.7.2-2.mga5 autocorr-tr-4.4.7.2-2.mga5 autocorr-vi-4.4.7.2-2.mga5 autocorr-zh-4.4.7.2-2.mga5 libreoffice-opensymbol-fonts-4.4.7.2-2.mga5 from libreoffice-4.4.7.2-2.mga5.src.rpm
Assignee: thierry.vignaud => qa-bugs
(In reply to David Walser from comment #4)
Note that:
- 4.4.x is no longer supported upstream
- but FC22 still supports it (until end of June?)
So at end of June, we might consider rebasing mga5's LO to 5.0.x
CC: (none) => thierry.vignaud
Hardware: i586 => All
Yes, an update to 5.0.x would be quite welcome. Hopefully the problem mentioned in Bug 17586 will no longer be an issue.
Hi Thierry, I saw that you updated some of the supporting libraries. Did you want to ship those as part of this update? If so, you'll need to rebuild libreoffice if you want the libwps update to be included, since it's linked against libwps0.3, but the updated one is libwps0.4.

Packages built:
librevenge0-0.0.4-1.mga5
librevenge-devel-0.0.4-1.mga5
librevenge-doc-0.0.4-1.mga5
libcdr0.1_1-0.1.2-1.mga5
libcdr-devel-0.1.2-1.mga5
libcdr-doc-0.1.2-1.mga5
libcdr-tools-0.1.2-1.mga5
libvisio0.1_1-0.1.5-1.mga5
libvisio-devel-0.1.5-1.mga5
libvisio-doc-0.1.5-1.mga5
libvisio-tools-0.1.5-1.mga5
libwpd-tools-0.10.1-1.mga5
libwpd0.10_10-0.10.1-1.mga5
libwpd-devel-0.10.1-1.mga5
libwps-tools-0.4.3-1.mga5
libwps0.4_4-0.4.3-1.mga5
libwps-devel-0.4.3-1.mga5
libwps-docs-0.4.3-1.mga5

from SRPMS:
librevenge-0.0.4-1.mga5.src.rpm
libcdr-0.1.2-1.mga5.src.rpm
libvisio-0.1.5-1.mga5.src.rpm
libwpd-0.10.1-1.mga5.src.rpm
libwps-0.4.3-1.mga5.src.rpm
No, that's for preparing a future LO-5.0.x
Thanks Thierry. I thought that might be the case.
I tested Writer, Calc, and Impress on Mageia 5 i586 and all work fine.
Whiteboard: (none) => MGA5-32-OK
mga5-64 - running GNOME

I uninstalled libreoffice 4.4.7.2-1 completely and then installed 4.4.7.2-2.

The following 21 packages are going to be installed:
- lib64gladeui1_11-3.8.5-3.mga5.x86_64
- libreoffice-4.4.7.2-2.mga5.x86_64
- libreoffice-base-4.4.7.2-2.mga5.x86_64
- libreoffice-calc-4.4.7.2-2.mga5.x86_64
- libreoffice-core-4.4.7.2-2.mga5.x86_64
- libreoffice-draw-4.4.7.2-2.mga5.x86_64
- libreoffice-emailmerge-4.4.7.2-2.mga5.x86_64
- libreoffice-filters-4.4.7.2-2.mga5.x86_64
- libreoffice-glade-4.4.7.2-2.mga5.x86_64
- libreoffice-graphicfilter-4.4.7.2-2.mga5.x86_64
- libreoffice-impress-4.4.7.2-2.mga5.x86_64
- libreoffice-java-common-4.4.7.2-2.mga5.x86_64
- libreoffice-langpack-en-4.4.7.2-2.mga5.x86_64
- libreoffice-math-4.4.7.2-2.mga5.x86_64
- libreoffice-ogltrans-4.4.7.2-2.mga5.x86_64
- libreoffice-opensymbol-fonts-4.4.7.2-2.mga5.noarch
- libreoffice-pdfimport-4.4.7.2-2.mga5.x86_64
- libreoffice-pyuno-4.4.7.2-2.mga5.x86_64
- libreoffice-ure-4.4.7.2-2.mga5.x86_64
- libreoffice-writer-4.4.7.2-2.mga5.x86_64
- libreoffice-xsltfilter-4.4.7.2-2.mga5.x86_64

Tested password-protected documents, xlsx, odt, pptx and docx as well as some ods documents. Seems to be working properly.
CC: (none) => brtians1
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0194.html
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED