Mageia 8 ( libreoffice-7.4.5.1-1.mga8.src.rpm ) and Mageia 9 ( libreoffice-7.5.2.2-1.mga9.src.rpm )

Thank you for the report.

CVE-2023-0950
This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1. 
Well, for Cauldron at least, we already have version 7.5.2.2, so that is already fixed.
Cannot judge for M8.

CVE-2023-2255
This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3
We do not yet have 7.5.3 in Cauldron, so that needs doing for M9.
Cannot judge for M8.

Assigning to tv who is the main LO packager; CC'ing ns80 who also updates it.
And luigi, who may have to correct the bug somewhere. [I CANNOT get the QA contact field set up, whatever I try]

CC: (none) => lewyssmith, luigiwalser, nicolas.salguero
Component: RPM Packages => Security
Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => thierry.vignaud

You shouldn't have to set the QA contact field manually, that should autofill when the component is changed to Security.

Summary: MGA8 / MGA9 : LibreOffice - CVE-2023-0950, CVE-2023-2255 => libreoffice new security issues CVE-2023-0950 and CVE-2023-2255
Status comment: (none) => Fixed upstream in 7.4.7 and 7.5.3
QA Contact: (none) => security

Upstream advisories:
https://www.libreoffice.org/about-us/security/advisories/cve-2023-0950/
https://www.libreoffice.org/about-us/security/advisories/cve-2023-2255/

(In reply to David Walser from comment #3)
> You shouldn't have to set the QA contact field manually, that should
> autofill when the component is changed to Security.
Tanks; good to know!

CC: lewyssmith => (none)

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. (CVE-2023-0950)

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. (CVE-2023-2255)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2255
https://www.libreoffice.org/about-us/security/advisories/cve-2023-0950/
https://www.libreoffice.org/about-us/security/advisories/cve-2023-2255/
========================

Updated packages in core/updates_testing:
========================
libreoffice-langpack-ca-7.4.5.1-1.1.mga8
libreoffice-langpack-eu-7.4.5.1-1.1.mga8
libreoffice-langpack-sv-7.4.5.1-1.1.mga8
libreoffice-help-he-7.4.5.1-1.1.mga8
libreoffice-librelogo-7.4.5.1-1.1.mga8
libreoffice-langpack-zh_CN-7.4.5.1-1.1.mga8
libreoffice-kf5-7.4.5.1-1.1.mga8
libreoffice-langpack-gu-7.4.5.1-1.1.mga8
libreoffice-langpack-zh_TW-7.4.5.1-1.1.mga8
libreoffice-langpack-ja-7.4.5.1-1.1.mga8
libreoffice-langpack-sr-7.4.5.1-1.1.mga8
libreoffice-writer-7.4.5.1-1.1.mga8
libreoffice-help-fi-7.4.5.1-1.1.mga8
libreoffice-langpack-ru-7.4.5.1-1.1.mga8
libreoffice-langpack-af-7.4.5.1-1.1.mga8
libreoffice-langpack-fr-7.4.5.1-1.1.mga8
libreoffice-help-ja-7.4.5.1-1.1.mga8
libreoffice-langpack-fi-7.4.5.1-1.1.mga8
libreoffice-langpack-nso-7.4.5.1-1.1.mga8
libreoffice-help-ar-7.4.5.1-1.1.mga8
libreoffice-help-cs-7.4.5.1-1.1.mga8
libreoffice-gtk3-7.4.5.1-1.1.mga8
libreoffice-officebean-7.4.5.1-1.1.mga8
libreoffice-help-uk-7.4.5.1-1.1.mga8
libreoffice-help-it-7.4.5.1-1.1.mga8
libreoffice-core-7.4.5.1-1.1.mga8
libreoffice-help-id-7.4.5.1-1.1.mga8
libreoffice-langpack-zu-7.4.5.1-1.1.mga8
libreoffice-langpack-uk-7.4.5.1-1.1.mga8
libreoffice-postgresql-7.4.5.1-1.1.mga8
libreoffice-langpack-as-7.4.5.1-1.1.mga8
libreoffice-langpack-bg-7.4.5.1-1.1.mga8
libreoffice-graphicfilter-7.4.5.1-1.1.mga8
libreoffice-langpack-ro-7.4.5.1-1.1.mga8
libreoffice-langpack-st-7.4.5.1-1.1.mga8
libreoffice-data-7.4.5.1-1.1.mga8
libreoffice-help-sk-7.4.5.1-1.1.mga8
libreoffice-langpack-dz-7.4.5.1-1.1.mga8
libreoffice-help-eu-7.4.5.1-1.1.mga8
libreoffice-help-lt-7.4.5.1-1.1.mga8
libreoffice-langpack-lt-7.4.5.1-1.1.mga8
libreoffice-langpack-hr-7.4.5.1-1.1.mga8
libreoffice-help-eo-7.4.5.1-1.1.mga8
libreoffice-langpack-ve-7.4.5.1-1.1.mga8
libreoffice-langpack-ss-7.4.5.1-1.1.mga8
libreoffice-help-el-7.4.5.1-1.1.mga8
libreoffice-langpack-nn-7.4.5.1-1.1.mga8
libreoffice-langpack-cy-7.4.5.1-1.1.mga8
libreoffice-langpack-he-7.4.5.1-1.1.mga8
libreoffice-gdb-debug-support-7.4.5.1-1.1.mga8
libreoffice-langpack-ga-7.4.5.1-1.1.mga8
libreoffice-help-hi-7.4.5.1-1.1.mga8
libreoffice-help-ca-7.4.5.1-1.1.mga8
libreoffice-langpack-or-7.4.5.1-1.1.mga8
libreoffice-langpack-it-7.4.5.1-1.1.mga8
libreoffice-help-sl-7.4.5.1-1.1.mga8
libreoffice-langpack-hi-7.4.5.1-1.1.mga8
libreoffice-x11-7.4.5.1-1.1.mga8
libreoffice-calc-7.4.5.1-1.1.mga8
libreoffice-help-tr-7.4.5.1-1.1.mga8
libreoffice-langpack-id-7.4.5.1-1.1.mga8
libreoffice-langpack-el-7.4.5.1-1.1.mga8
libreoffice-help-pt-7.4.5.1-1.1.mga8
libreoffice-xsltfilter-7.4.5.1-1.1.mga8
libreoffice-help-nn-7.4.5.1-1.1.mga8
libreoffice-langpack-de-7.4.5.1-1.1.mga8
libreoffice-langpack-es-7.4.5.1-1.1.mga8
libreoffice-help-hr-7.4.5.1-1.1.mga8
libreoffice-filters-7.4.5.1-1.1.mga8
libreoffice-langpack-si-7.4.5.1-1.1.mga8
libreoffice-langpack-nl-7.4.5.1-1.1.mga8
libreoffice-help-nl-7.4.5.1-1.1.mga8
libreoffice-langpack-pt-7.4.5.1-1.1.mga8
libreoffice-langpack-pt_BR-7.4.5.1-1.1.mga8
libreoffice-help-dz-7.4.5.1-1.1.mga8
libreoffice-help-da-7.4.5.1-1.1.mga8
libreoffice-langpack-ts-7.4.5.1-1.1.mga8
libreoffice-langpack-hu-7.4.5.1-1.1.mga8
libreoffice-langpack-cs-7.4.5.1-1.1.mga8
libreoffice-langpack-pa-7.4.5.1-1.1.mga8
libreoffice-ure-common-7.4.5.1-1.1.mga8
libreoffice-draw-7.4.5.1-1.1.mga8
libreoffice-langpack-gl-7.4.5.1-1.1.mga8
libreofficekit-devel-7.4.5.1-1.1.mga8
libreoffice-help-en-7.4.5.1-1.1.mga8
libreoffice-sdk-doc-7.4.5.1-1.1.mga8
libreoffice-help-gl-7.4.5.1-1.1.mga8
libreoffice-langpack-kn-7.4.5.1-1.1.mga8
libreoffice-emailmerge-7.4.5.1-1.1.mga8
libreoffice-langpack-nr-7.4.5.1-1.1.mga8
libreoffice-langpack-bn-7.4.5.1-1.1.mga8
libreoffice-base-7.4.5.1-1.1.mga8
libreoffice-langpack-ml-7.4.5.1-1.1.mga8
libreoffice-math-7.4.5.1-1.1.mga8
libreoffice-help-zh_TW-7.4.5.1-1.1.mga8
libreoffice-wiki-publisher-7.4.5.1-1.1.mga8
libreoffice-langpack-lv-7.4.5.1-1.1.mga8
libreoffice-glade-7.4.5.1-1.1.mga8
libreoffice-langpack-ko-7.4.5.1-1.1.mga8
libreoffice-help-sv-7.4.5.1-1.1.mga8
libreoffice-pdfimport-7.4.5.1-1.1.mga8
libreoffice-langpack-fy-7.4.5.1-1.1.mga8
libreoffice-help-si-7.4.5.1-1.1.mga8
libreoffice-help-bn-7.4.5.1-1.1.mga8
libreoffice-langpack-ar-7.4.5.1-1.1.mga8
libreoffice-help-de-7.4.5.1-1.1.mga8
libreoffice-sdk-7.4.5.1-1.1.mga8
libreoffice-langpack-tr-7.4.5.1-1.1.mga8
libreoffice-langpack-nb-7.4.5.1-1.1.mga8
libreoffice-langpack-ta-7.4.5.1-1.1.mga8
libreoffice-help-lv-7.4.5.1-1.1.mga8
libreoffice-langpack-eo-7.4.5.1-1.1.mga8
libreoffice-ure-7.4.5.1-1.1.mga8
libreoffice-langpack-da-7.4.5.1-1.1.mga8
libreoffice-help-fr-7.4.5.1-1.1.mga8
libreoffice-langpack-et-7.4.5.1-1.1.mga8
libreoffice-help-et-7.4.5.1-1.1.mga8
libreofficekit-7.4.5.1-1.1.mga8
libreoffice-help-bg-7.4.5.1-1.1.mga8
libreoffice-7.4.5.1-1.1.mga8
libreoffice-help-gu-7.4.5.1-1.1.mga8
libreoffice-help-zh_CN-7.4.5.1-1.1.mga8
libreoffice-langpack-br-7.4.5.1-1.1.mga8
libreoffice-ogltrans-7.4.5.1-1.1.mga8
libreoffice-langpack-mr-7.4.5.1-1.1.mga8
libreoffice-langpack-te-7.4.5.1-1.1.mga8
libreoffice-langpack-fa-7.4.5.1-1.1.mga8
libreoffice-help-nb-7.4.5.1-1.1.mga8
libreoffice-help-ta-7.4.5.1-1.1.mga8
libreoffice-help-pl-7.4.5.1-1.1.mga8
libreoffice-help-es-7.4.5.1-1.1.mga8
libreoffice-langpack-mai-7.4.5.1-1.1.mga8
libreoffice-help-hu-7.4.5.1-1.1.mga8
libreoffice-help-ro-7.4.5.1-1.1.mga8
libreoffice-langpack-sk-7.4.5.1-1.1.mga8
libreoffice-help-ko-7.4.5.1-1.1.mga8
libreoffice-langpack-th-7.4.5.1-1.1.mga8
libreoffice-help-pt_BR-7.4.5.1-1.1.mga8
libreoffice-langpack-tn-7.4.5.1-1.1.mga8
libreoffice-help-ru-7.4.5.1-1.1.mga8
libreoffice-langpack-pl-7.4.5.1-1.1.mga8
libreoffice-impress-7.4.5.1-1.1.mga8
libreoffice-langpack-en-7.4.5.1-1.1.mga8
libreoffice-langpack-xh-7.4.5.1-1.1.mga8
libreoffice-langpack-kk-7.4.5.1-1.1.mga8
libreoffice-langpack-sl-7.4.5.1-1.1.mga8
libreoffice-pyuno-7.4.5.1-1.1.mga8
libreoffice-nlpsolver-7.4.5.1-1.1.mga8
autocorr-ga-7.4.5.1-1.1.mga8
autocorr-zh-7.4.5.1-1.1.mga8
autocorr-ca-7.4.5.1-1.1.mga8
autocorr-sl-7.4.5.1-1.1.mga8
autocorr-dsb-7.4.5.1-1.1.mga8
autocorr-ru-7.4.5.1-1.1.mga8
autocorr-el-7.4.5.1-1.1.mga8
autocorr-ro-7.4.5.1-1.1.mga8
autocorr-af-7.4.5.1-1.1.mga8
autocorr-fi-7.4.5.1-1.1.mga8
autocorr-da-7.4.5.1-1.1.mga8
autocorr-hsb-7.4.5.1-1.1.mga8
autocorr-bg-7.4.5.1-1.1.mga8
autocorr-pt-7.4.5.1-1.1.mga8
autocorr-de-7.4.5.1-1.1.mga8
autocorr-pl-7.4.5.1-1.1.mga8
autocorr-sr-7.4.5.1-1.1.mga8
autocorr-mn-7.4.5.1-1.1.mga8
autocorr-lb-7.4.5.1-1.1.mga8
autocorr-nl-7.4.5.1-1.1.mga8
autocorr-sv-7.4.5.1-1.1.mga8
autocorr-hr-7.4.5.1-1.1.mga8
autocorr-en-7.4.5.1-1.1.mga8
autocorr-fr-7.4.5.1-1.1.mga8
libreoffice-officebean-common-7.4.5.1-1.1.mga8
autocorr-sk-7.4.5.1-1.1.mga8
autocorr-cs-7.4.5.1-1.1.mga8
libreoffice-opensymbol-fonts-7.4.5.1-1.1.mga8
autocorr-vro-7.4.5.1-1.1.mga8
autocorr-tr-7.4.5.1-1.1.mga8
autocorr-is-7.4.5.1-1.1.mga8
autocorr-vi-7.4.5.1-1.1.mga8
autocorr-es-7.4.5.1-1.1.mga8
autocorr-lt-7.4.5.1-1.1.mga8
autocorr-ja-7.4.5.1-1.1.mga8
autocorr-fa-7.4.5.1-1.1.mga8
autocorr-it-7.4.5.1-1.1.mga8
autocorr-hu-7.4.5.1-1.1.mga8
autocorr-ko-7.4.5.1-1.1.mga8


from SRPM:
libreoffice-7.4.5.1-1.1.mga8.src.rpm

Version: Cauldron => 8
Source RPM: (none) => libreoffice-7.4.5.1-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
Status comment: Fixed upstream in 7.4.7 and 7.5.3 => (none)

@Nicolas
Could you plse plse next time sort the list aplhabetically. Thatmakes working with QARepo so much easier..
Remark before installing: there is on my laptop a package libreoffice-7.4.5.1-1 and no libreoffice-7.4.5.1-1.1 in the update, seems strange. Continuing anyway.

CC: (none) => herman.viaene

The following package has to be removed for others to be upgraded:
libreoffice-7.4.5.1-1.mga8.x86_64
 (due to unsatisfied libreoffice-base(x86-64) == 1:7.4.5.1-1.mga8)

I think the mirror you use is not up to date.

The message refers  to that libreoffice-7.4.5.1-1.mga8 for which I overlooked the 1.1.
Make installation complete without further problems. Tested files xlsx, docx, odt, ods, odp, pptx and odb. All OK except for issue bug 31894.
Good enough for me.

Installed and tested without issues.

Tested on a bunch of native and Microsoft Office files. No issues noticed.

Also tested the issue bug 31894 as mentioned in comment 10 by Herman Viaene but was unable to trigger the bug. No idea if I'm doing it wrong since I don't use that LibreOffice application.



System: Mageia 8, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics.



$ uname -a
Linux jupiter 6.1.27-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Mon May  8 20:42:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep libreoffice | sort
libreoffice-7.4.5.1-1.1.mga8
libreoffice-base-7.4.5.1-1.1.mga8
libreoffice-calc-7.4.5.1-1.1.mga8
libreoffice-core-7.4.5.1-1.1.mga8
libreoffice-data-7.4.5.1-1.1.mga8
libreoffice-draw-7.4.5.1-1.1.mga8
libreoffice-emailmerge-7.4.5.1-1.1.mga8
libreoffice-graphicfilter-7.4.5.1-1.1.mga8
libreoffice-gtk3-7.4.5.1-1.1.mga8
libreoffice-help-pt-7.4.5.1-1.1.mga8
libreoffice-impress-7.4.5.1-1.1.mga8
libreoffice-kf5-7.4.5.1-1.1.mga8
libreoffice-langpack-pt-7.4.5.1-1.1.mga8
libreoffice-math-7.4.5.1-1.1.mga8
libreoffice-ogltrans-7.4.5.1-1.1.mga8
libreoffice-opensymbol-fonts-7.4.5.1-1.1.mga8
libreoffice-pdfimport-7.4.5.1-1.1.mga8
libreoffice-pyuno-7.4.5.1-1.1.mga8
libreoffice-ure-7.4.5.1-1.1.mga8
libreoffice-ure-common-7.4.5.1-1.1.mga8
libreoffice-writer-7.4.5.1-1.1.mga8

@PC LX
To trigger the bug, it"s best to use the emp.odb file as refered in the bug.
Run the report provided and the bug is that the report shows on one page, where there should be page breaks to get 3 pages.

(In reply to Herman Viaene from comment #12)
> @PC LX
> To trigger the bug, it"s best to use the emp.odb file as refered in the bug.
> Run the report provided and the bug is that the report shows on one page,
> where there should be page breaks to get 3 pages.

Bug confirmed as Herman Viaene described (thanks Herman). No other issues noticed and since it is not a regression I vote to OK this update.

No installation issues. Loaded and edited several old Writer, Word, Calc, and Excel documents, with no issues noted.

With no new regressions, I'm giving this an OK, and validating. Advisory in comment 6.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0194.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED