
Bug 504934

Summary: <app-office/libreoffice-4.2.3: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
Product: Gentoo Security
Reporter: Frank Krömmelbein <kroemmelbein>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: office, pacho, scarabeus
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Frank Krömmelbein 2014-03-18 07:13:33 UTC
Release Notes:
https://www.libreoffice.org/download/release-notes/

Reproducible: Always
Comment 1 Frank Krömmelbein 2014-04-10 12:52:29 UTC
LibreOffice 4.2.3

This is the fourth release from the 4.2 branch of LibreOffice which contains new features and program enhancements.
It is the first bugfix release, and remains targeted for early adopters and private power users--for conservative requirements, we refer you to LibreOffice 4.1.5 from the previous series.
Comment 2 Coacher 2014-04-10 14:41:00 UTC
Here's a blog post about 4.2.3 release: http://blog.documentfoundation.org/2014/04/10/libreoffice-4-2-3-is-now-available-for-download/

Please note that this release "adds a security fix for the Heartbleed Bug (CVE-2014-0160)".
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2014-04-13 21:26:33 UTC
As much as I'm tempted to use this bug for a nice fast stabilization, what was done (according to #libreoffice-dev IRC response) was updating the bundled openssl version.
http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-2-3&id=32680faf1f0f5bbc1f1235ba724a8cd6230c3d15

Since we build with --with_system_libs we don't use that version but link to system openssl instead. 

[Scarabeus should better confirm that before we do any action based on this bug, he knows the LO build system way better than I do.]

I'll do the bump anyway, but I doubt we have a security issue.
Comment 4 Tomáš Chvátal (RETIRED) gentoo-dev 2014-04-14 07:52:34 UTC
Not affected by the CVE.
Also I bumped it on Saturday iirc -> closing as fixed.
Comment 5 Agostino Sarubbo gentoo-dev 2014-05-14 15:27:25 UTC
Since it links to system library, the bug is invalid
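
The distinction this thread turns on (a bundled OpenSSL copy compiled into the application versus linking the system library) can be checked on a built binary. The following is an added example, not code from the bug report or from LibreOffice: it scans a file's bytes for the version banner OpenSSL compiles into libcrypto and flags banners in the CVE-2014-0160 range (1.0.1 through 1.0.1f, and 1.0.2-beta1). The function names and the sample byte strings are constructed for illustration.

```python
import re

# Version banner that OpenSSL compiles into libcrypto, e.g. b"OpenSSL 1.0.1f 6 Jan 2014".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")

# Constructed sample inputs (not taken from any real LibreOffice build).
BUNDLED_OLD = b"\x7fELF\x02\x01\x00.rodata\x00OpenSSL 1.0.1f 6 Jan 2014\x00TLSv1.2\x00"
BUNDLED_FIXED = b"\x7fELF\x02\x01\x00.rodata\x00OpenSSL 1.0.1g 7 Apr 2014\x00TLSv1.2\x00"
SYSTEM_LINKED = b"\x7fELF\x02\x01\x00.dynstr\x00libssl.so.1.0.0\x00libcrypto.so.1.0.0\x00"


def heartbleed_affected(major, minor, fix, letter, beta):
    """True if the upstream version falls in the CVE-2014-0160 range."""
    if (major, minor, fix) == (1, 0, 1):
        # Plain 1.0.1 has an empty letter, which sorts before "a"; 1.0.1g is the fix.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta is affected; beta2 carries the fix.
        return beta == "-beta1"
    return False


def find_bundled_openssl(blob):
    """Return a sorted list of (version, affected) for every banner found in blob.

    An empty list means no OpenSSL copy is compiled into this file, which is
    what a build against the system library looks like.
    """
    found = {}
    for m in BANNER.finditer(blob):
        major, minor, fix = (int(g) for g in m.group(1, 2, 3))
        letter = m.group(4).decode()
        beta = (m.group(5) or b"").decode()
        version = f"{major}.{minor}.{fix}{letter}{beta}"
        found[version] = heartbleed_affected(major, minor, fix, letter, beta)
    return sorted(found.items())


if __name__ == "__main__":
    samples = {"bundled-old": BUNDLED_OLD, "bundled-fixed": BUNDLED_FIXED,
               "system-linked": SYSTEM_LINKED}
    for name, blob in samples.items():
        hits = find_bundled_openssl(blob)
        print(name, hits if hits else "no embedded OpenSSL banner")
```

The banner reflects the upstream version only: distributions that backport the fix keep the old version string, so a hit is a lead to verify against the package changelog rather than a verdict.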