Bug 919894 (CVE-2023-6185, CVE-2023-6186) - <app-office/libreoffice-7.5.9.2 <app-office/libreoffice-bin-7.6.4.1: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-6185, CVE-2023-6186
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.libreoffice.org/about-us/...
Whiteboard: A2 [glsa+]
Keywords: PullRequest
Depends on: 919762 923155
Blocks:
Reported: 2023-12-14 16:10 UTC by Christopher Fore
Modified: 2024-02-21 16:47 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Christopher Fore 2023-12-14 16:10:09 UTC
CVE-2023-6185 (https://www.libreoffice.org/about-us/security/advisories/cve-2023-6185):

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.


CVE-2023-6186 (https://www.libreoffice.org/about-us/security/advisories/cve-2023-6186):

LibreOffice supports hyperlinks. In addition to the typical common protocols such as http/https, hyperlinks can also have target URLs that can launch built-in macros or dispatch built-in internal commands. In affected versions of LibreOffice there are scenarios where these can be executed without warning if the user activates such hyperlinks. In later versions the user's explicit macro execution permissions for the document are now consulted if these non-typical hyperlinks can be executed. The possibility to use these variants of hyperlink targets for floating frames has been removed.



The above are also fixed in 7.6.4
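As an added example that is not part of the bug report, a small Python check for the version boundaries given in the summary: it takes a list of installed libreoffice atoms (on a real system you might obtain them with `portageq match`; the list below is constructed) and reports those below the fixed versions, using a simplified Gentoo version comparison (dotted integers plus an optional -rN revision, which is all these packages use).

```python
import re

# Fixed versions from the bug summary: versions below these are affected.
FIXED = {
    "app-office/libreoffice": "7.5.9.2",
    "app-office/libreoffice-bin": "7.6.4.1",
}

# Constructed sample of installed packages (not taken from a real system).
SAMPLE_INSTALLED = [
    "app-office/libreoffice-7.5.8.2-r2",
    "app-office/libreoffice-bin-7.6.4.1",
    "app-office/libreoffice-l10n-7.5.8.2",
]

def parse_version(ver):
    """Turn a Gentoo PVR such as '7.5.8.2-r2' into ((7, 5, 8, 2), 2).
    Simplified on purpose: dotted integers plus an optional -rN revision,
    no _rc/_pre/letter suffixes (none of the versions here use them)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError("unsupported version string: " + ver)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)

def split_cpv(cpv):
    """Split 'category/pkg-version' into ('category/pkg', 'version').
    The version starts at the first '-' that is followed by a digit,
    so package names containing '-' (libreoffice-bin) are kept whole."""
    m = re.fullmatch(r"([a-z0-9-]+/[a-zA-Z0-9+_-]+?)-(\d.*)", cpv)
    if not m:
        raise ValueError("not a category/package-version atom: " + cpv)
    return m.group(1), m.group(2)

def is_vulnerable(cpv):
    """True when cpv names a package in FIXED at a version below the fix."""
    pkg, ver = split_cpv(cpv)
    if pkg not in FIXED:
        return False
    return parse_version(ver) < parse_version(FIXED[pkg])

def vulnerable_packages(installed):
    """Return the installed atoms that still need updating."""
    return [cpv for cpv in installed if is_vulnerable(cpv)]

if __name__ == "__main__":
    for cpv in vulnerable_packages(SAMPLE_INSTALLED):
        print("vulnerable:", cpv)
```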
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 01:22:50 UTC
Looks like hppa is the only remaining arch in the stablereq, so with no stable libreoffice on hppa, we should be able to proceed.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 01:26:06 UTC
Oh, actually, we still don't have a fixed -bin...
Comment 3 Larry the Git Cow gentoo-dev 2024-01-07 09:29:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=284558217afdaaa3cc08cd0bbe33c48e6dee7362

commit 284558217afdaaa3cc08cd0bbe33c48e6dee7362
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-01-07 09:24:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-01-07 09:28:44 +0000

    app-office/libreoffice: drop vulnerable 7.5.6.2, 7.5.8.2, 7.5.8.2-r2
    
    Bug: https://bugs.gentoo.org/919894
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice/Manifest                    |   4 -
 ...libreoffice-7.5.8.2-curl-8.3.0-mitigation.patch | 316 ----------
 .../files/libreoffice-7.5.8.2-libcmis-0.6.patch    |  39 --
 app-office/libreoffice/libreoffice-7.5.6.2.ebuild  | 661 --------------------
 .../libreoffice/libreoffice-7.5.8.2-r2.ebuild      | 671 ---------------------
 app-office/libreoffice/libreoffice-7.5.8.2.ebuild  | 664 --------------------
 6 files changed, 2355 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-12 02:33:31 UTC
Please stabilize -bin-7.6.4.1 when ready.
Comment 5 Larry the Git Cow gentoo-dev 2024-02-20 20:49:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1c959b4ec50843bd0d540cefdf8df9667ba86e2

commit f1c959b4ec50843bd0d540cefdf8df9667ba86e2
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-02-20 19:20:36 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-02-20 20:48:15 +0000

    app-office/libreoffice-bin: drop 7.5.6.2-r1, 7.5.8.2
    
    Bug: https://bugs.gentoo.org/919894
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice-bin/Manifest                |  24 --
 .../libreoffice-bin-7.5.6.2-r1.ebuild              | 262 --------------------
 .../libreoffice-bin/libreoffice-bin-7.5.8.2.ebuild | 263 ---------------------
 3 files changed, 549 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2024-02-21 16:46:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=298891ab7459c571f1ff699a7004c22ee0cb3595

commit 298891ab7459c571f1ff699a7004c22ee0cb3595
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-21 16:46:04 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-21 16:46:28 +0000

    [ GLSA 202402-29 ] LibreOffice: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/919894
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-29.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)