The Document Foundation issued an advisory yesterday (October 12): https://www.libreoffice.org/about-us/security/advisories/CVE-2022-3140 The issue is fixed upstream in 7.4.1 and 7.3.6. Mageia 8 is also affected.
CVE: (none) => CVE-2022-3140
CC: (none) => nicolas.salguero
Source RPM: (none) => libreoffice-7.4.0.3-2.mga9.src.rpm
Status comment: (none) => Fixed upstream in 7.4.1 and 7.3.6
Whiteboard: (none) => MGA8TOO
Debian has issued an advisory for this on October 12: https://www.debian.org/security/2022/dsa-5252
Assigning to Thierry, who normally deals with LO.
Assignee: bugsquad => thierry.vignaud
For Mageia 8: Updated packages in core/updates_testing: ======================== libreoffice-help-zh_CN-7.3.6.2-1.mga8 libreoffice-help-zh_TW-7.3.6.2-1.mga8 libreoffice-help-de-7.3.6.2-1.mga8 libreoffice-help-it-7.3.6.2-1.mga8 libreoffice-help-es-7.3.6.2-1.mga8 libreoffice-help-fr-7.3.6.2-1.mga8 libreoffice-help-uk-7.3.6.2-1.mga8 libreoffice-help-ru-7.3.6.2-1.mga8 libreoffice-help-ko-7.3.6.2-1.mga8 libreoffice-help-ta-7.3.6.2-1.mga8 libreoffice-help-bn-7.3.6.2-1.mga8 libreoffice-help-ja-7.3.6.2-1.mga8 libreoffice-help-bg-7.3.6.2-1.mga8 libreoffice-help-el-7.3.6.2-1.mga8 libreoffice-help-dz-7.3.6.2-1.mga8 libreoffice-help-ca-7.3.6.2-1.mga8 libreoffice-help-nl-7.3.6.2-1.mga8 libreoffice-help-tr-7.3.6.2-1.mga8 libreoffice-help-hu-7.3.6.2-1.mga8 libreoffice-help-pt_BR-7.3.6.2-1.mga8 libreoffice-help-pt-7.3.6.2-1.mga8 libreoffice-help-eu-7.3.6.2-1.mga8 libreoffice-help-pl-7.3.6.2-1.mga8 libreoffice-help-fi-7.3.6.2-1.mga8 libreoffice-help-da-7.3.6.2-1.mga8 libreoffice-help-lt-7.3.6.2-1.mga8 libreoffice-help-sl-7.3.6.2-1.mga8 libreoffice-help-cs-7.3.6.2-1.mga8 libreoffice-help-hi-7.3.6.2-1.mga8 libreoffice-help-nn-7.3.6.2-1.mga8 libreoffice-help-gl-7.3.6.2-1.mga8 libreoffice-help-sv-7.3.6.2-1.mga8 libreoffice-help-sk-7.3.6.2-1.mga8 libreoffice-help-et-7.3.6.2-1.mga8 libreoffice-help-si-7.3.6.2-1.mga8 libreoffice-help-nb-7.3.6.2-1.mga8 libreoffice-help-eo-7.3.6.2-1.mga8 libreoffice-help-id-7.3.6.2-1.mga8 libreoffice-help-lv-7.3.6.2-1.mga8 libreoffice-help-gu-7.3.6.2-1.mga8 libreoffice-help-hr-7.3.6.2-1.mga8 libreoffice-help-ar-7.3.6.2-1.mga8 libreoffice-help-en-7.3.6.2-1.mga8 libreoffice-help-he-7.3.6.2-1.mga8 libreoffice-help-ro-7.3.6.2-1.mga8 libreoffice-calc-7.3.6.2-1.mga8 libreoffice-base-7.3.6.2-1.mga8 libreoffice-langpack-el-7.3.6.2-1.mga8 libreoffice-langpack-ru-7.3.6.2-1.mga8 libreoffice-langpack-uk-7.3.6.2-1.mga8 libreoffice-ure-7.3.6.2-1.mga8 libreoffice-langpack-bg-7.3.6.2-1.mga8 libreoffice-xsltfilter-7.3.6.2-1.mga8 libreoffice-langpack-sr-7.3.6.2-1.mga8 
libreoffice-langpack-fr-7.3.6.2-1.mga8 libreoffice-langpack-hu-7.3.6.2-1.mga8 libreoffice-langpack-de-7.3.6.2-1.mga8 libreoffice-langpack-it-7.3.6.2-1.mga8 libreoffice-langpack-sk-7.3.6.2-1.mga8 libreoffice-langpack-pt_BR-7.3.6.2-1.mga8 libreoffice-langpack-nl-7.3.6.2-1.mga8 libreoffice-langpack-es-7.3.6.2-1.mga8 libreoffice-langpack-pt-7.3.6.2-1.mga8 libreoffice-langpack-cs-7.3.6.2-1.mga8 libreoffice-writer-7.3.6.2-1.mga8 libreoffice-langpack-sl-7.3.6.2-1.mga8 libreoffice-langpack-pl-7.3.6.2-1.mga8 libreoffice-langpack-ca-7.3.6.2-1.mga8 libreoffice-langpack-da-7.3.6.2-1.mga8 libreoffice-langpack-sv-7.3.6.2-1.mga8 libreoffice-langpack-tr-7.3.6.2-1.mga8 libreoffice-langpack-zh_TW-7.3.6.2-1.mga8 libreoffice-langpack-gl-7.3.6.2-1.mga8 libreoffice-langpack-eu-7.3.6.2-1.mga8 libreoffice-langpack-af-7.3.6.2-1.mga8 libreoffice-langpack-ja-7.3.6.2-1.mga8 libreoffice-langpack-cy-7.3.6.2-1.mga8 libreoffice-langpack-id-7.3.6.2-1.mga8 libreoffice-langpack-eo-7.3.6.2-1.mga8 libreoffice-langpack-nn-7.3.6.2-1.mga8 libreoffice-langpack-nb-7.3.6.2-1.mga8 libreoffice-langpack-zh_CN-7.3.6.2-1.mga8 libreoffice-langpack-et-7.3.6.2-1.mga8 libreoffice-langpack-fy-7.3.6.2-1.mga8 libreoffice-sdk-7.3.6.2-1.mga8 libreoffice-langpack-ta-7.3.6.2-1.mga8 libreoffice-wiki-publisher-7.3.6.2-1.mga8 libreoffice-langpack-lt-7.3.6.2-1.mga8 libreoffice-langpack-ko-7.3.6.2-1.mga8 libreoffice-langpack-kk-7.3.6.2-1.mga8 libreoffice-langpack-fi-7.3.6.2-1.mga8 libreoffice-langpack-ar-7.3.6.2-1.mga8 libreoffice-langpack-lv-7.3.6.2-1.mga8 libreoffice-langpack-gu-7.3.6.2-1.mga8 libreoffice-langpack-ga-7.3.6.2-1.mga8 libreoffice-data-7.3.6.2-1.mga8 libreoffice-langpack-hr-7.3.6.2-1.mga8 libreoffice-langpack-or-7.3.6.2-1.mga8 libreoffice-langpack-dz-7.3.6.2-1.mga8 libreoffice-langpack-kn-7.3.6.2-1.mga8 libreoffice-langpack-ro-7.3.6.2-1.mga8 libreoffice-ure-common-7.3.6.2-1.mga8 libreoffice-langpack-ml-7.3.6.2-1.mga8 libreoffice-langpack-mr-7.3.6.2-1.mga8 libreoffice-langpack-th-7.3.6.2-1.mga8 
libreoffice-langpack-br-7.3.6.2-1.mga8 libreoffice-langpack-he-7.3.6.2-1.mga8 libreoffice-langpack-bn-7.3.6.2-1.mga8 libreoffice-gtk3-7.3.6.2-1.mga8 libreoffice-langpack-as-7.3.6.2-1.mga8 libreoffice-pyuno-7.3.6.2-1.mga8 libreoffice-langpack-te-7.3.6.2-1.mga8 libreoffice-impress-7.3.6.2-1.mga8 libreoffice-langpack-nso-7.3.6.2-1.mga8 libreoffice-langpack-pa-7.3.6.2-1.mga8 libreoffice-langpack-hi-7.3.6.2-1.mga8 libreoffice-langpack-fa-7.3.6.2-1.mga8 libreoffice-nlpsolver-7.3.6.2-1.mga8 libreoffice-langpack-mai-7.3.6.2-1.mga8 libreoffice-langpack-zu-7.3.6.2-1.mga8 libreoffice-langpack-xh-7.3.6.2-1.mga8 libreoffice-langpack-si-7.3.6.2-1.mga8 libreoffice-opensymbol-fonts-7.3.6.2-1.mga8 libreoffice-ogltrans-7.3.6.2-1.mga8 libreoffice-pdfimport-7.3.6.2-1.mga8 libreoffice-librelogo-7.3.6.2-1.mga8 libreoffice-x11-7.3.6.2-1.mga8 libreoffice-langpack-ve-7.3.6.2-1.mga8 autocorr-ro-7.3.6.2-1.mga8 autocorr-pt-7.3.6.2-1.mga8 libreoffice-kf5-7.3.6.2-1.mga8 libreoffice-postgresql-7.3.6.2-1.mga8 autocorr-fa-7.3.6.2-1.mga8 autocorr-en-7.3.6.2-1.mga8 autocorr-zh-7.3.6.2-1.mga8 libreoffice-graphicfilter-7.3.6.2-1.mga8 autocorr-hu-7.3.6.2-1.mga8 autocorr-nl-7.3.6.2-1.mga8 autocorr-el-7.3.6.2-1.mga8 autocorr-pl-7.3.6.2-1.mga8 autocorr-ko-7.3.6.2-1.mga8 autocorr-tr-7.3.6.2-1.mga8 autocorr-ja-7.3.6.2-1.mga8 autocorr-hr-7.3.6.2-1.mga8 libreoffice-langpack-ss-7.3.6.2-1.mga8 libreoffice-langpack-ts-7.3.6.2-1.mga8 autocorr-da-7.3.6.2-1.mga8 libreoffice-langpack-tn-7.3.6.2-1.mga8 autocorr-sk-7.3.6.2-1.mga8 libreoffice-langpack-nr-7.3.6.2-1.mga8 autocorr-cs-7.3.6.2-1.mga8 autocorr-ca-7.3.6.2-1.mga8 libreoffice-langpack-st-7.3.6.2-1.mga8 autocorr-sl-7.3.6.2-1.mga8 autocorr-es-7.3.6.2-1.mga8 autocorr-ru-7.3.6.2-1.mga8 autocorr-dsb-7.3.6.2-1.mga8 autocorr-hsb-7.3.6.2-1.mga8 autocorr-lt-7.3.6.2-1.mga8 autocorr-fr-7.3.6.2-1.mga8 autocorr-fi-7.3.6.2-1.mga8 autocorr-bg-7.3.6.2-1.mga8 autocorr-de-7.3.6.2-1.mga8 autocorr-it-7.3.6.2-1.mga8 autocorr-sv-7.3.6.2-1.mga8 autocorr-lb-7.3.6.2-1.mga8 
autocorr-sr-7.3.6.2-1.mga8 autocorr-vi-7.3.6.2-1.mga8 autocorr-ga-7.3.6.2-1.mga8 autocorr-mn-7.3.6.2-1.mga8 autocorr-is-7.3.6.2-1.mga8 libreoffice-officebean-7.3.6.2-1.mga8 autocorr-af-7.3.6.2-1.mga8 libreoffice-math-7.3.6.2-1.mga8 libreoffice-officebean-common-7.3.6.2-1.mga8 libreoffice-draw-7.3.6.2-1.mga8 libreoffice-glade-7.3.6.2-1.mga8 libreoffice-filters-7.3.6.2-1.mga8 libreoffice-emailmerge-7.3.6.2-1.mga8 libreoffice-7.3.6.2-1.mga8 libreoffice-gdb-debug-support-7.3.6.2-1.mga8 libreoffice-langpack-en-7.3.6.2-1.mga8 libreofficekit-devel-7.3.6.2-1.mga8 autocorr-vro-7.3.6.2-1.mga8 libreofficekit-7.3.6.2-1.mga8 libreoffice-core-7.3.6.2-1.mga8 libreoffice-sdk-doc-7.3.6.2-1.mga8 from SRPM: libreoffice-7.3.6.2-1.mga8.src.rpm
Suggested advisory:
========================

The updated packages fix a security vulnerability:

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. (CVE-2022-3140)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3140
https://www.libreoffice.org/about-us/security/advisories/CVE-2022-3140
https://www.debian.org/security/2022/dsa-5252
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
Source RPM: libreoffice-7.4.0.3-2.mga9.src.rpm => libreoffice-7.3.5.2-1.mga8.src.rpm
Status comment: Fixed upstream in 7.4.1 and 7.3.6 => (none)
Assignee: thierry.vignaud => qa-bugs
MGA8 64 XFCE, Updated with QA repo and rpms:

autocorr-fr 7.3.6.2 1.mga8 noarch
libreoffice-base 7.3.6.2 1.mga8 x86_64
libreoffice-calc 7.3.6.2 1.mga8 x86_64
libreoffice-core 7.3.6.2 1.mga8 x86_64
libreoffice-data 7.3.6.2 1.mga8 x86_64
libreoffice-draw 7.3.6.2 1.mga8 x86_64
libreoffice-graphicfilter 7.3.6.2 1.mga8 x86_64
libreoffice-gtk3 7.3.6.2 1.mga8 x86_64
libreoffice-help-fr 7.3.6.2 1.mga8 x86_64
libreoffice-impress 7.3.6.2 1.mga8 x86_64
libreoffice-langpack-fr 7.3.6.2 1.mga8 x86_64
libreoffice-math 7.3.6.2 1.mga8 x86_64
libreoffice-ogltrans 7.3.6.2 1.mga8 x86_64
libreoffice-opensymbol-fonts 7.3.6.2 1.mga8 noarch
libreoffice-pdfimport 7.3.6.2 1.mga8 x86_64
libreoffice-pyuno 7.3.6.2 1.mga8 x86_64
libreoffice-ure 7.3.6.2 1.mga8 x86_64
libreoffice-ure-common 7.3.6.2 1.mga8 x86_64
libreoffice-writer 7.3.6.2 1.mga8 x86_64
libreoffice-x11 7.3.6.2 1.mga8 x86_64
libreoffice-xsltfilter 7.3.6.2 1.mga8 x86_64

I had a problem moving a maximized window. I ended up with Writer reduced in an odd way. See attached picture. This is a problem that I reproduce in a random way. For the rest I tested Writer it's ok. I just opened and closed the other software of the Libre Office suite.
CC: (none) => guillaume.royer
Created attachment 13432: screen capture comment 5
Attachment 13432 description: screen capture comment 5 (Guygoye) => screen capture comment 5
Upgraded. Noticed the same issue and stretching out the screen resolved the same. Must have been an update that negated our original default non-full screen size.
CC: (none) => brtians1
mga8-64, small test OK Plasma, i7, nvidia-current, 4K screen clean update Swedish localisation Edited spreadsheet and text documents, printed.
CC: (none) => fri
Fedora has issued an advisory for this on October 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TORANVTIWWBH3DNJR4UZATAG67KZOH32/
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Tested odt, ods (with refreshing data from an odb), 245Mb odp, odb application in all aspects I use (tables, queries, forms, reports) all OK.
CC: (none) => herman.viaene
No installation issues. Loaded and altered several documents, including Word and Excel documents, with no issues. With several successful tests, giving this an OK, and validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
Can you confirm the SRPMS in the advisory? During the course of testing, libreoffice was updated again, and libmwaw was added to this update, but nothing was posted here about it.
Keywords: advisory, validated_update => (none)
Advisory in svn now has ...

$ cat 30959.adv
type: security
subject: Updated libreoffice packages fix security vulnerability
CVE:
 - CVE-2022-3140
src:
  8:
   core:
     - libreoffice-7.3.6.2-1.mga8
     - libmwaw-0.3.21-1.mga8
description: |
  LibreOffice supports Office URI Schemes to enable browser integration of
  LibreOffice with MS SharePoint server. An additional scheme
  'vnd.libreoffice.command' specific to LibreOffice was added. In the affected
  versions of LibreOffice links using that scheme could be constructed to call
  internal macros with arbitrary arguments. Which when clicked on, or activated
  by document events, could result in arbitrary script execution without
  warning. (CVE-2022-3140)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30959
 - https://www.libreoffice.org/about-us/security/advisories/CVE-2022-3140
 - https://www.debian.org/security/2022/dsa-5252
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TORANVTIWWBH3DNJR4UZATAG67KZOH32/
I had used the rpm list at http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/30959/application/0 in qarepo to do my test, but checking back I see that libmwaw was not a part of that at the time, and did not get updated.

So, I ran an updated list from the same source in qarepo once again, then went to Mageia Update:

The following package is going to be installed:

- lib64mwaw0.3_3-0.3.21-1.mga8.x86_64

838KB of additional disk space will be used.

2.8MB of packages will be retrieved.

Is it ok to continue?

There were no installation issues.

According to the description, "libmwaw is a library for import of old Mac documents." I do not have any old Mac documents, so even if I had updated libmwaw for my other test, I would not have tested for that particular feature of Libreoffice.

Because this is a critical update, I am inclined to keep the OK based on my previous test and the clean install of the additional package, and to validate this update again. If it does need additional testing on "old Mac documents," someone else will have to do it.
Keywords: (none) => validated_update
Keywords: (none) => advisory
Yeah let's get this pushed. The subsequent libreoffice build failed, but I guess it will be coming soon.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0400.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED