Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 919894 (CVE-2023-6185, CVE-2023-6186) - <app-office/libreoffice- <app-office/libreoffice-bin- multiple vulnerabilities
Summary: <app-office/libreoffice- <app-office/libreoffice-bin- multiple...
Alias: CVE-2023-6185, CVE-2023-6186
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa+]
Keywords: PullRequest
Depends on: 919762 923155
  Show dependency tree
Reported: 2023-12-14 16:10 UTC by Christopher Fore
Modified: 2024-02-21 16:47 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2023-12-14 16:10:09 UTC
CVE-2023-6185 (

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.

CVE-2023-6186 (

LibreOffice supports hyperlinks. In addition to the typical common protocols such as http/https hyperlinks can also have target URLs that can launch built-in macros or dispatch built-in internal commands. In affected version of LibreOffice there are scenarios where these can be executed without warning if the user activates such hyperlinks. In later versions the users's explicit macro execution permissions for the document are now consulted if these non-typical hyperlinks can be executed. The possibility to use these variants of hyperlink targets for floating frames has been removed.

The above are also fixed in 7.6.4
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 01:22:50 UTC
Looks like hppa is the only remaining arch in the stablereq, so with no stable libreoffice on hppa, we should be able to proceed.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 01:26:06 UTC
Oh, actually, we still don't have a fixed -bin...
Comment 3 Larry the Git Cow gentoo-dev 2024-01-07 09:29:11 UTC
The bug has been referenced in the following commit(s):

commit 284558217afdaaa3cc08cd0bbe33c48e6dee7362
Author:     Andreas Sturmlechner <>
AuthorDate: 2024-01-07 09:24:50 +0000
Commit:     Andreas Sturmlechner <>
CommitDate: 2024-01-07 09:28:44 +0000

    app-office/libreoffice: drop vulnerable,,
    Signed-off-by: Andreas Sturmlechner <>

 app-office/libreoffice/Manifest                    |   4 -
 ...libreoffice- | 316 ----------
 .../files/libreoffice-    |  39 --
 app-office/libreoffice/libreoffice-  | 661 --------------------
 .../libreoffice/libreoffice-      | 671 ---------------------
 app-office/libreoffice/libreoffice-  | 664 --------------------
 6 files changed, 2355 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-12 02:33:31 UTC
Please stabilize -bin- when ready.
Comment 5 Larry the Git Cow gentoo-dev 2024-02-20 20:49:03 UTC
The bug has been referenced in the following commit(s):

commit f1c959b4ec50843bd0d540cefdf8df9667ba86e2
Author:     Andreas Sturmlechner <>
AuthorDate: 2024-02-20 19:20:36 +0000
Commit:     Andreas Sturmlechner <>
CommitDate: 2024-02-20 20:48:15 +0000

    app-office/libreoffice-bin: drop,
    Signed-off-by: Andreas Sturmlechner <>

 app-office/libreoffice-bin/Manifest                |  24 --
 .../libreoffice-bin-              | 262 --------------------
 .../libreoffice-bin/libreoffice-bin- | 263 ---------------------
 3 files changed, 549 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2024-02-21 16:46:33 UTC
The bug has been referenced in the following commit(s):

commit 298891ab7459c571f1ff699a7004c22ee0cb3595
Author:     GLSAMaker <>
AuthorDate: 2024-02-21 16:46:04 +0000
Commit:     Hans de Graaff <>
CommitDate: 2024-02-21 16:46:28 +0000

    [ GLSA 202402-29 ] LibreOffice: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202402-29.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)