Bug 31964 - libreoffice new security issues CVE-2023-0950 and CVE-2023-2255
Summary: libreoffice new security issues CVE-2023-0950 and CVE-2023-2255
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal, Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-05-26 10:02 CEST by psyca
Modified: 2023-06-08 21:36 CEST

See Also:
Source RPM: libreoffice-7.4.5.1-1.mga8.src.rpm
CVE:
Status comment:



Description psyca 2023-05-26 10:02:40 CEST
Description of problem:
Security issues in LibreOffice

CVE-2023-0950
https://www.suse.com/security/cve/CVE-2023-0950.html
Description
Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1. 

CVE-2023-2255
https://nvd.nist.gov/vuln/detail/CVE-2023-2255
Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.
Comment 1 psyca 2023-05-26 10:06:23 CEST
Mageia 8 ( libreoffice-7.4.5.1-1.mga8.src.rpm ) and Mageia 9 ( libreoffice-7.5.2.2-1.mga9.src.rpm )
psyca 2023-05-26 10:10:54 CEST

Summary: Libreoffice - CVE-2023-0950, CVE-2023-2255 => MGA8 / MGA9 : LibreOffice - CVE-2023-0950, CVE-2023-2255

Comment 2 Lewis Smith 2023-05-29 21:24:31 CEST
Thank you for the report.

CVE-2023-0950
This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1. 
Well, for Cauldron at least, we already have version 7.5.2.2, so that is already fixed.
Cannot judge for M8.

CVE-2023-2255
This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3
We do not yet have 7.5.3 in Cauldron, so that needs doing for M9.
Cannot judge for M8.

Assigning to tv who is the main LO packager; CC'ing ns80 who also updates it.
And luigi, who may have to correct the bug somewhere. [I CANNOT get the QA contact field set up, whatever I try]

CC: (none) => lewyssmith, luigiwalser, nicolas.salguero
Component: RPM Packages => Security
Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => thierry.vignaud

Comment 3 David Walser 2023-05-29 21:57:02 CEST
You shouldn't have to set the QA contact field manually, that should autofill when the component is changed to Security.

Summary: MGA8 / MGA9 : LibreOffice - CVE-2023-0950, CVE-2023-2255 => libreoffice new security issues CVE-2023-0950 and CVE-2023-2255
Status comment: (none) => Fixed upstream in 7.4.7 and 7.5.3
QA Contact: (none) => security

Comment 5 Lewis Smith 2023-05-30 20:14:06 CEST
(In reply to David Walser from comment #3)
> You shouldn't have to set the QA contact field manually, that should
> autofill when the component is changed to Security.
Thanks; good to know!

CC: lewyssmith => (none)

Comment 6 Nicolas Salguero 2023-05-31 10:21:59 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. (CVE-2023-0950)

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. (CVE-2023-2255)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2255
https://www.libreoffice.org/about-us/security/advisories/cve-2023-0950/
https://www.libreoffice.org/about-us/security/advisories/cve-2023-2255/
========================

Updated packages in core/updates_testing:
========================
libreoffice-langpack-ca-7.4.5.1-1.1.mga8
libreoffice-langpack-eu-7.4.5.1-1.1.mga8
libreoffice-langpack-sv-7.4.5.1-1.1.mga8
libreoffice-help-he-7.4.5.1-1.1.mga8
libreoffice-librelogo-7.4.5.1-1.1.mga8
libreoffice-langpack-zh_CN-7.4.5.1-1.1.mga8
libreoffice-kf5-7.4.5.1-1.1.mga8
libreoffice-langpack-gu-7.4.5.1-1.1.mga8
libreoffice-langpack-zh_TW-7.4.5.1-1.1.mga8
libreoffice-langpack-ja-7.4.5.1-1.1.mga8
libreoffice-langpack-sr-7.4.5.1-1.1.mga8
libreoffice-writer-7.4.5.1-1.1.mga8
libreoffice-help-fi-7.4.5.1-1.1.mga8
libreoffice-langpack-ru-7.4.5.1-1.1.mga8
libreoffice-langpack-af-7.4.5.1-1.1.mga8
libreoffice-langpack-fr-7.4.5.1-1.1.mga8
libreoffice-help-ja-7.4.5.1-1.1.mga8
libreoffice-langpack-fi-7.4.5.1-1.1.mga8
libreoffice-langpack-nso-7.4.5.1-1.1.mga8
libreoffice-help-ar-7.4.5.1-1.1.mga8
libreoffice-help-cs-7.4.5.1-1.1.mga8
libreoffice-gtk3-7.4.5.1-1.1.mga8
libreoffice-officebean-7.4.5.1-1.1.mga8
libreoffice-help-uk-7.4.5.1-1.1.mga8
libreoffice-help-it-7.4.5.1-1.1.mga8
libreoffice-core-7.4.5.1-1.1.mga8
libreoffice-help-id-7.4.5.1-1.1.mga8
libreoffice-langpack-zu-7.4.5.1-1.1.mga8
libreoffice-langpack-uk-7.4.5.1-1.1.mga8
libreoffice-postgresql-7.4.5.1-1.1.mga8
libreoffice-langpack-as-7.4.5.1-1.1.mga8
libreoffice-langpack-bg-7.4.5.1-1.1.mga8
libreoffice-graphicfilter-7.4.5.1-1.1.mga8
libreoffice-langpack-ro-7.4.5.1-1.1.mga8
libreoffice-langpack-st-7.4.5.1-1.1.mga8
libreoffice-data-7.4.5.1-1.1.mga8
libreoffice-help-sk-7.4.5.1-1.1.mga8
libreoffice-langpack-dz-7.4.5.1-1.1.mga8
libreoffice-help-eu-7.4.5.1-1.1.mga8
libreoffice-help-lt-7.4.5.1-1.1.mga8
libreoffice-langpack-lt-7.4.5.1-1.1.mga8
libreoffice-langpack-hr-7.4.5.1-1.1.mga8
libreoffice-help-eo-7.4.5.1-1.1.mga8
libreoffice-langpack-ve-7.4.5.1-1.1.mga8
libreoffice-langpack-ss-7.4.5.1-1.1.mga8
libreoffice-help-el-7.4.5.1-1.1.mga8
libreoffice-langpack-nn-7.4.5.1-1.1.mga8
libreoffice-langpack-cy-7.4.5.1-1.1.mga8
libreoffice-langpack-he-7.4.5.1-1.1.mga8
libreoffice-gdb-debug-support-7.4.5.1-1.1.mga8
libreoffice-langpack-ga-7.4.5.1-1.1.mga8
libreoffice-help-hi-7.4.5.1-1.1.mga8
libreoffice-help-ca-7.4.5.1-1.1.mga8
libreoffice-langpack-or-7.4.5.1-1.1.mga8
libreoffice-langpack-it-7.4.5.1-1.1.mga8
libreoffice-help-sl-7.4.5.1-1.1.mga8
libreoffice-langpack-hi-7.4.5.1-1.1.mga8
libreoffice-x11-7.4.5.1-1.1.mga8
libreoffice-calc-7.4.5.1-1.1.mga8
libreoffice-help-tr-7.4.5.1-1.1.mga8
libreoffice-langpack-id-7.4.5.1-1.1.mga8
libreoffice-langpack-el-7.4.5.1-1.1.mga8
libreoffice-help-pt-7.4.5.1-1.1.mga8
libreoffice-xsltfilter-7.4.5.1-1.1.mga8
libreoffice-help-nn-7.4.5.1-1.1.mga8
libreoffice-langpack-de-7.4.5.1-1.1.mga8
libreoffice-langpack-es-7.4.5.1-1.1.mga8
libreoffice-help-hr-7.4.5.1-1.1.mga8
libreoffice-filters-7.4.5.1-1.1.mga8
libreoffice-langpack-si-7.4.5.1-1.1.mga8
libreoffice-langpack-nl-7.4.5.1-1.1.mga8
libreoffice-help-nl-7.4.5.1-1.1.mga8
libreoffice-langpack-pt-7.4.5.1-1.1.mga8
libreoffice-langpack-pt_BR-7.4.5.1-1.1.mga8
libreoffice-help-dz-7.4.5.1-1.1.mga8
libreoffice-help-da-7.4.5.1-1.1.mga8
libreoffice-langpack-ts-7.4.5.1-1.1.mga8
libreoffice-langpack-hu-7.4.5.1-1.1.mga8
libreoffice-langpack-cs-7.4.5.1-1.1.mga8
libreoffice-langpack-pa-7.4.5.1-1.1.mga8
libreoffice-ure-common-7.4.5.1-1.1.mga8
libreoffice-draw-7.4.5.1-1.1.mga8
libreoffice-langpack-gl-7.4.5.1-1.1.mga8
libreofficekit-devel-7.4.5.1-1.1.mga8
libreoffice-help-en-7.4.5.1-1.1.mga8
libreoffice-sdk-doc-7.4.5.1-1.1.mga8
libreoffice-help-gl-7.4.5.1-1.1.mga8
libreoffice-langpack-kn-7.4.5.1-1.1.mga8
libreoffice-emailmerge-7.4.5.1-1.1.mga8
libreoffice-langpack-nr-7.4.5.1-1.1.mga8
libreoffice-langpack-bn-7.4.5.1-1.1.mga8
libreoffice-base-7.4.5.1-1.1.mga8
libreoffice-langpack-ml-7.4.5.1-1.1.mga8
libreoffice-math-7.4.5.1-1.1.mga8
libreoffice-help-zh_TW-7.4.5.1-1.1.mga8
libreoffice-wiki-publisher-7.4.5.1-1.1.mga8
libreoffice-langpack-lv-7.4.5.1-1.1.mga8
libreoffice-glade-7.4.5.1-1.1.mga8
libreoffice-langpack-ko-7.4.5.1-1.1.mga8
libreoffice-help-sv-7.4.5.1-1.1.mga8
libreoffice-pdfimport-7.4.5.1-1.1.mga8
libreoffice-langpack-fy-7.4.5.1-1.1.mga8
libreoffice-help-si-7.4.5.1-1.1.mga8
libreoffice-help-bn-7.4.5.1-1.1.mga8
libreoffice-langpack-ar-7.4.5.1-1.1.mga8
libreoffice-help-de-7.4.5.1-1.1.mga8
libreoffice-sdk-7.4.5.1-1.1.mga8
libreoffice-langpack-tr-7.4.5.1-1.1.mga8
libreoffice-langpack-nb-7.4.5.1-1.1.mga8
libreoffice-langpack-ta-7.4.5.1-1.1.mga8
libreoffice-help-lv-7.4.5.1-1.1.mga8
libreoffice-langpack-eo-7.4.5.1-1.1.mga8
libreoffice-ure-7.4.5.1-1.1.mga8
libreoffice-langpack-da-7.4.5.1-1.1.mga8
libreoffice-help-fr-7.4.5.1-1.1.mga8
libreoffice-langpack-et-7.4.5.1-1.1.mga8
libreoffice-help-et-7.4.5.1-1.1.mga8
libreofficekit-7.4.5.1-1.1.mga8
libreoffice-help-bg-7.4.5.1-1.1.mga8
libreoffice-7.4.5.1-1.1.mga8
libreoffice-help-gu-7.4.5.1-1.1.mga8
libreoffice-help-zh_CN-7.4.5.1-1.1.mga8
libreoffice-langpack-br-7.4.5.1-1.1.mga8
libreoffice-ogltrans-7.4.5.1-1.1.mga8
libreoffice-langpack-mr-7.4.5.1-1.1.mga8
libreoffice-langpack-te-7.4.5.1-1.1.mga8
libreoffice-langpack-fa-7.4.5.1-1.1.mga8
libreoffice-help-nb-7.4.5.1-1.1.mga8
libreoffice-help-ta-7.4.5.1-1.1.mga8
libreoffice-help-pl-7.4.5.1-1.1.mga8
libreoffice-help-es-7.4.5.1-1.1.mga8
libreoffice-langpack-mai-7.4.5.1-1.1.mga8
libreoffice-help-hu-7.4.5.1-1.1.mga8
libreoffice-help-ro-7.4.5.1-1.1.mga8
libreoffice-langpack-sk-7.4.5.1-1.1.mga8
libreoffice-help-ko-7.4.5.1-1.1.mga8
libreoffice-langpack-th-7.4.5.1-1.1.mga8
libreoffice-help-pt_BR-7.4.5.1-1.1.mga8
libreoffice-langpack-tn-7.4.5.1-1.1.mga8
libreoffice-help-ru-7.4.5.1-1.1.mga8
libreoffice-langpack-pl-7.4.5.1-1.1.mga8
libreoffice-impress-7.4.5.1-1.1.mga8
libreoffice-langpack-en-7.4.5.1-1.1.mga8
libreoffice-langpack-xh-7.4.5.1-1.1.mga8
libreoffice-langpack-kk-7.4.5.1-1.1.mga8
libreoffice-langpack-sl-7.4.5.1-1.1.mga8
libreoffice-pyuno-7.4.5.1-1.1.mga8
libreoffice-nlpsolver-7.4.5.1-1.1.mga8
autocorr-ga-7.4.5.1-1.1.mga8
autocorr-zh-7.4.5.1-1.1.mga8
autocorr-ca-7.4.5.1-1.1.mga8
autocorr-sl-7.4.5.1-1.1.mga8
autocorr-dsb-7.4.5.1-1.1.mga8
autocorr-ru-7.4.5.1-1.1.mga8
autocorr-el-7.4.5.1-1.1.mga8
autocorr-ro-7.4.5.1-1.1.mga8
autocorr-af-7.4.5.1-1.1.mga8
autocorr-fi-7.4.5.1-1.1.mga8
autocorr-da-7.4.5.1-1.1.mga8
autocorr-hsb-7.4.5.1-1.1.mga8
autocorr-bg-7.4.5.1-1.1.mga8
autocorr-pt-7.4.5.1-1.1.mga8
autocorr-de-7.4.5.1-1.1.mga8
autocorr-pl-7.4.5.1-1.1.mga8
autocorr-sr-7.4.5.1-1.1.mga8
autocorr-mn-7.4.5.1-1.1.mga8
autocorr-lb-7.4.5.1-1.1.mga8
autocorr-nl-7.4.5.1-1.1.mga8
autocorr-sv-7.4.5.1-1.1.mga8
autocorr-hr-7.4.5.1-1.1.mga8
autocorr-en-7.4.5.1-1.1.mga8
autocorr-fr-7.4.5.1-1.1.mga8
libreoffice-officebean-common-7.4.5.1-1.1.mga8
autocorr-sk-7.4.5.1-1.1.mga8
autocorr-cs-7.4.5.1-1.1.mga8
libreoffice-opensymbol-fonts-7.4.5.1-1.1.mga8
autocorr-vro-7.4.5.1-1.1.mga8
autocorr-tr-7.4.5.1-1.1.mga8
autocorr-is-7.4.5.1-1.1.mga8
autocorr-vi-7.4.5.1-1.1.mga8
autocorr-es-7.4.5.1-1.1.mga8
autocorr-lt-7.4.5.1-1.1.mga8
autocorr-ja-7.4.5.1-1.1.mga8
autocorr-fa-7.4.5.1-1.1.mga8
autocorr-it-7.4.5.1-1.1.mga8
autocorr-hu-7.4.5.1-1.1.mga8
autocorr-ko-7.4.5.1-1.1.mga8


from SRPM:
libreoffice-7.4.5.1-1.1.mga8.src.rpm

Version: Cauldron => 8
Source RPM: (none) => libreoffice-7.4.5.1-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
Status comment: Fixed upstream in 7.4.7 and 7.5.3 => (none)
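
Added example (not part of the bug report or of Mageia's tooling): a triage check that combines the upstream version ranges quoted in the description with the backported build listed in comment 6, showing why a check on the upstream version alone would still flag the patched 7.4.5.1-1.1.mga8 packages. The function and table names are chosen for this example, and the comparison is a simplified numeric one that ignores the RPM epoch rather than rpm's own version-comparison algorithm.

```python
import re

# Upstream "fixed in" versions per branch, as quoted in the bug description.
UPSTREAM_FIXED = {
    "CVE-2023-0950": {(7, 4): (7, 4, 6), (7, 5): (7, 5, 1)},
    "CVE-2023-2255": {(7, 4): (7, 4, 7), (7, 5): (7, 5, 3)},
}
# Distro builds that carry the fixes as a backport: (version, release).
# The mga8 value is taken from the package list in comment 6.
BACKPORTED = {"mga8": ((7, 4, 5, 1), (1, 1))}

# name-version-release.dist with an optional arch or .src.rpm suffix.
NVR = re.compile(r"^(.+)-(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)\.(mga\d+)(?:\..+)?$")


def nums(text):
    return tuple(int(part) for part in text.split("."))


def parse(pkg):
    """Split an RPM package string into (name, version, release, dist)."""
    m = NVR.match(pkg.strip())
    if not m:
        raise ValueError(f"unrecognised package string: {pkg!r}")
    return m.group(1), nums(m.group(2)), nums(m.group(3)), m.group(4)


def upstream_affected(version):
    """CVEs whose upstream range (branches named on the page only) covers version."""
    return sorted(cve for cve, fixed in UPSTREAM_FIXED.items()
                  if version[:2] in fixed and version < fixed[version[:2]])


def triage(pkg):
    """Return (status, cves); a distro backport overrides the upstream range."""
    _, version, release, dist = parse(pkg)
    cves = upstream_affected(version)
    patched = BACKPORTED.get(dist)
    if cves and patched and (version, release) >= patched:
        return "patched-by-backport", cves
    return ("vulnerable" if cves else "not-affected"), cves


if __name__ == "__main__":
    # Package strings as they appear in the comments of this bug.
    for pkg in ("libreoffice-7.4.5.1-1.mga8.x86_64",
                "libreoffice-calc-7.4.5.1-1.1.mga8",
                "libreoffice-7.5.2.2-1.mga9.src.rpm"):
        print(pkg, *triage(pkg))
```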

Comment 7 Herman Viaene 2023-05-31 11:46:55 CEST
@Nicolas
Could you please please next time sort the list alphabetically. That makes working with QARepo so much easier.
Remark before installing: there is on my laptop a package libreoffice-7.4.5.1-1 and no libreoffice-7.4.5.1-1.1 in the update, seems strange. Continuing anyway.

CC: (none) => herman.viaene

Comment 8 Herman Viaene 2023-05-31 11:48:11 CEST
The following package has to be removed for others to be upgraded:
libreoffice-7.4.5.1-1.mga8.x86_64
 (due to unsatisfied libreoffice-base(x86-64) == 1:7.4.5.1-1.mga8)
Comment 9 Nicolas Salguero 2023-05-31 11:52:08 CEST
I think the mirror you use is not up to date.
PC LX 2023-05-31 12:00:35 CEST

CC: (none) => mageia

Comment 10 Herman Viaene 2023-05-31 15:45:19 CEST
The message refers to that libreoffice-7.4.5.1-1.mga8 for which I overlooked the 1.1.
Make installation complete without further problems. Tested files xlsx, docx, odt, ods, odp, pptx and odb. All OK except for issue bug 31894.
Good enough for me.
Comment 11 PC LX 2023-06-01 10:56:04 CEST
Installed and tested without issues.

Tested on a bunch of native and Microsoft Office files. No issues noticed.

Also tested the issue bug 31894 as mentioned in comment 10 by Herman Viaene but was unable to trigger the bug. No idea if I'm doing it wrong since I don't use that LibreOffice application.



System: Mageia 8, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics.



$ uname -a
Linux jupiter 6.1.27-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Mon May  8 20:42:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep libreoffice | sort
libreoffice-7.4.5.1-1.1.mga8
libreoffice-base-7.4.5.1-1.1.mga8
libreoffice-calc-7.4.5.1-1.1.mga8
libreoffice-core-7.4.5.1-1.1.mga8
libreoffice-data-7.4.5.1-1.1.mga8
libreoffice-draw-7.4.5.1-1.1.mga8
libreoffice-emailmerge-7.4.5.1-1.1.mga8
libreoffice-graphicfilter-7.4.5.1-1.1.mga8
libreoffice-gtk3-7.4.5.1-1.1.mga8
libreoffice-help-pt-7.4.5.1-1.1.mga8
libreoffice-impress-7.4.5.1-1.1.mga8
libreoffice-kf5-7.4.5.1-1.1.mga8
libreoffice-langpack-pt-7.4.5.1-1.1.mga8
libreoffice-math-7.4.5.1-1.1.mga8
libreoffice-ogltrans-7.4.5.1-1.1.mga8
libreoffice-opensymbol-fonts-7.4.5.1-1.1.mga8
libreoffice-pdfimport-7.4.5.1-1.1.mga8
libreoffice-pyuno-7.4.5.1-1.1.mga8
libreoffice-ure-7.4.5.1-1.1.mga8
libreoffice-ure-common-7.4.5.1-1.1.mga8
libreoffice-writer-7.4.5.1-1.1.mga8
Comment 12 Herman Viaene 2023-06-03 11:17:47 CEST
@PC LX
To trigger the bug, it's best to use the emp.odb file as referred in the bug.
Run the report provided and the bug is that the report shows on one page, where there should be page breaks to get 3 pages.
Comment 13 PC LX 2023-06-03 13:51:49 CEST
(In reply to Herman Viaene from comment #12)
> @PC LX
> To trigger the bug, it's best to use the emp.odb file as referred in the bug.
> Run the report provided and the bug is that the report shows on one page,
> where there should be page breaks to get 3 pages.

Bug confirmed as Herman Viaene described (thanks Herman). No other issues noticed and since it is not a regression I vote to OK this update.
Comment 14 Thomas Andrews 2023-06-05 13:59:01 CEST
No installation issues. Loaded and edited several old Writer, Word, Calc, and Excel documents, with no issues noted.

With no new regressions, I'm giving this an OK, and validating. Advisory in comment 6.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-08 19:19:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 15 Mageia Robot 2023-06-08 21:36:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0194.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

