From ${URL} : Berlin, August 28, 2014 – The Document Foundation announces LibreOffice 4.3.1, the first minor release of the LibreOffice 4.3 “fresh” family, with over 100 fixes (including patches for two CVEs, backported to LibreOffice 4.2.6-secfix, which is also available for download now). All LibreOffice users are invited to update their installation as soon as possible to avoid security issues. This includes users who are running LibreOffice 4.2.6 as originally released on August 5th, 2014.

LibreOffice 4.3.1 and LibreOffice 4.2.6 will be shown on stage at the LibreOffice Conference in Bern, from September 3 to September 5, with a large number of sessions about development, community, marketing and migrations. The program of the event is available here: https://conference.libreoffice.org/2014/program. In addition to the sessions in English, there will be a track in German focusing on open source adoptions in governments and enterprises in Switzerland, Germany and Austria: https://conference.libreoffice.org/2014/professional-user-track.

People interested in technical details about the release can access the change log here: https://wiki.documentfoundation.org/Releases/4.3.1/RC1 (fixed in RC1) and https://wiki.documentfoundation.org/Releases/4.3.1/RC2 (fixed in RC2).

CVEs patched in LibreOffice 4.3.1 and LibreOffice 4.2.6 are CVE-2014-3524 “CSV Command Injection and DDE formulas” and CVE-2014-3575 “Arbitrary File Disclosure using crafted OLE objects”.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-3575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3575): The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects.
*** Bug 521852 has been marked as a duplicate of this bug. ***
I've just added 4.2.6.3 to the tree where this is fixed. Let's wait a few days and then stabilize it (including bin packages that still need to be built).
Will call for stabilize on or after Sept 16.
(In reply to Yury German from comment #4)
> Will call for stabilize on or after Sept 16.

Sounds good. Here's the list of packages to test and stabilize (all amd64 x86):

app-office/libreoffice-4.2.6.3
app-office/libreoffice-bin-4.2.6.3
app-office/libreoffice-bin-debug-4.2.6.3
app-office/libreoffice-l10n-4.2.6.3-r1
Arches, please test and mark stable:

=app-office/libreoffice-4.2.6.3
=app-office/libreoffice-bin-4.2.6.3
=app-office/libreoffice-bin-debug-4.2.6.3
=app-office/libreoffice-l10n-4.2.6.3-r1

Target Keywords: "amd64 x86"

Thank you!
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
All vulnerable versions removed.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes
Added to existing GLSA (eafa83859)
This issue was resolved and addressed in GLSA 201603-05 at https://security.gentoo.org/glsa/201603-05 by GLSA coordinator Kristian Fiskerstrand (K_F).