
Bug 919894 (CVE-2023-6185, CVE-2023-6186)

Summary: <app-office/libreoffice-7.5.9.2 <app-office/libreoffice-bin-7.6.4.1: multiple vulnerabilities
Product: Gentoo Security
Reporter: Christopher Fore <csfore>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ajak, asturm, dilfridge, office
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.libreoffice.org/about-us/security/advisories/cve-2023-6185
See Also: https://github.com/gentoo/gentoo/pull/35450
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 919762, 923155
Bug Blocks:

Description Christopher Fore 2023-12-14 16:10:09 UTC
CVE-2023-6185 (https://www.libreoffice.org/about-us/security/advisories/cve-2023-6185):

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.


CVE-2023-6186 (https://www.libreoffice.org/about-us/security/advisories/cve-2023-6186):

LibreOffice supports hyperlinks. In addition to the typical common protocols such as http/https, hyperlinks can also have target URLs that can launch built-in macros or dispatch built-in internal commands. In affected versions of LibreOffice there are scenarios where these can be executed without warning if the user activates such hyperlinks. In later versions the user's explicit macro execution permissions for the document are now consulted if these non-typical hyperlinks can be executed. The possibility to use these variants of hyperlink targets for floating frames has been removed.

The above are also fixed in 7.6.4.
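Added example (not code from this bug, from LibreOffice or from Gentoo): a scanner that opens an ODF package, walks content.xml and styles.xml, and reports every xlink:href whose scheme reaches macro execution or internal command dispatch rather than an ordinary resource, which is the hyperlink class CVE-2023-6186 describes. It assumes the standard ODF package layout (a ZIP holding content.xml/styles.xml), that links are carried in xlink:href attributes on text:a and draw:floating-frame elements, and that the scheme prefixes in RISKY_PREFIXES are the ones LibreOffice routes to macros or dispatch; the sample document is constructed inline.

```python
"""Report hyperlink targets in an ODF document that can reach macro execution
or internal command dispatch instead of an ordinary external resource.

Example added for bug 919894; not LibreOffice or Gentoo code.
Assumptions: ODF packages are ZIP files holding content.xml and styles.xml,
links live in xlink:href attributes, and RISKY_PREFIXES lists the scheme
prefixes LibreOffice treats as macro or dispatch targets.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Scheme prefixes assumed (see module docstring) to trigger macros or
# built-in commands rather than fetch a document or web page.
RISKY_PREFIXES = ("vnd.sun.star.script:", "macro:", ".uno:", "slot:")

# Constructed sample content.xml: one ordinary https link, one text:a
# pointing at a document macro, and one floating frame pointing at an
# internal dispatch command. Values are illustrative, not from the bug.
SAMPLE_CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
  xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink">
 <office:body><office:text>
  <text:p><text:a xlink:href="https://example.org/report">ordinary link</text:a></text:p>
  <text:p><text:a xlink:href="vnd.sun.star.script:Standard.Module1.Main">click me</text:a></text:p>
  <text:p><draw:frame><draw:floating-frame draw:frame-name="f" xlink:href=".uno:Open"/></draw:frame></text:p>
 </office:text></office:body>
</office:document-content>
"""


def build_sample_odt() -> bytes:
    """Assemble a minimal ODT package in memory from the constructed XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", SAMPLE_CONTENT_XML)
    return buf.getvalue()


def classify_href(href: str):
    """Return the matching risky scheme prefix, or None for ordinary links.

    Leading whitespace and case are normalised first so that
    " .UNO:Open" is not missed by a byte-exact comparison.
    """
    h = href.strip().lower()
    for prefix in RISKY_PREFIXES:
        if h.startswith(prefix):
            return prefix
    return None


def scan_odf(data: bytes) -> list:
    """Return one finding per element whose xlink:href uses a risky scheme.

    Each finding records the package part, the local element name (so that
    floating frames can be told apart from plain text links), the matched
    scheme prefix and the raw target.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if href is None:
                    continue
                scheme = classify_href(href)
                if scheme is None:
                    continue
                findings.append({
                    "part": part,
                    "element": el.tag.rsplit("}", 1)[-1],
                    "scheme": scheme,
                    "href": href,
                })
    return findings


if __name__ == "__main__":
    for f in scan_odf(build_sample_odt()):
        print(f"{f['part']}: <{f['element']}> {f['scheme']} -> {f['href']}")
```

The scan is read-only and does not open the document in LibreOffice, so it is safe to run over a mail quarantine or a shared folder; a hit on a draw:floating-frame element is the variant the fixed releases no longer honour at all, while a hit on text:a is the case that the fixed releases gate behind the document's macro permission.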
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 01:22:50 UTC
Looks like hppa is the only remaining arch in the stablereq, so with no stable libreoffice on hppa, we should be able to proceed.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 01:26:06 UTC
Oh, actually, we still don't have a fixed -bin...
Comment 3 Larry the Git Cow gentoo-dev 2024-01-07 09:29:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=284558217afdaaa3cc08cd0bbe33c48e6dee7362

commit 284558217afdaaa3cc08cd0bbe33c48e6dee7362
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-01-07 09:24:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-01-07 09:28:44 +0000

    app-office/libreoffice: drop vulnerable 7.5.6.2, 7.5.8.2, 7.5.8.2-r2
    
    Bug: https://bugs.gentoo.org/919894
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice/Manifest                    |   4 -
 ...libreoffice-7.5.8.2-curl-8.3.0-mitigation.patch | 316 ----------
 .../files/libreoffice-7.5.8.2-libcmis-0.6.patch    |  39 --
 app-office/libreoffice/libreoffice-7.5.6.2.ebuild  | 661 --------------------
 .../libreoffice/libreoffice-7.5.8.2-r2.ebuild      | 671 ---------------------
 app-office/libreoffice/libreoffice-7.5.8.2.ebuild  | 664 --------------------
 6 files changed, 2355 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-12 02:33:31 UTC
Please stabilize -bin-7.6.4.1 when ready.
Comment 5 Larry the Git Cow gentoo-dev 2024-02-20 20:49:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1c959b4ec50843bd0d540cefdf8df9667ba86e2

commit f1c959b4ec50843bd0d540cefdf8df9667ba86e2
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-02-20 19:20:36 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-02-20 20:48:15 +0000

    app-office/libreoffice-bin: drop 7.5.6.2-r1, 7.5.8.2
    
    Bug: https://bugs.gentoo.org/919894
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice-bin/Manifest                |  24 --
 .../libreoffice-bin-7.5.6.2-r1.ebuild              | 262 --------------------
 .../libreoffice-bin/libreoffice-bin-7.5.8.2.ebuild | 263 ---------------------
 3 files changed, 549 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2024-02-21 16:46:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=298891ab7459c571f1ff699a7004c22ee0cb3595

commit 298891ab7459c571f1ff699a7004c22ee0cb3595
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-21 16:46:04 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-21 16:46:28 +0000

    [ GLSA 202402-29 ] LibreOffice: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/919894
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-29.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)