[Solved] Help With Debian LibreOffice Security Advisory?

rej
Posts: 140
Joined: Thu Mar 09, 2017 11:11 pm


#1 Post by rej »

After emailing someone a LibreOffice document, they brought the recent security issue to my attention.

Although I am likely not understanding any of this, and it has more than likely already been addressed, would just like some clarification for my email recipient.

"Debian Security Advisory
DSA-4381-1 libreoffice -- security update"
---------------------
Checked "history.log" for antiX and the patch(ed version?) appears there (Feb 2 - 1:5.2.7-1+deb9u5), however, could not find it in MX17[18].

I believe MX has libreoffice 6.0.1.1 [Build ID: 1:6.0.1-1~bpo9+1] (stretch-backports?) and antiX has libreoffice 5.2.7.2 [Build ID: 1:5.2.7-1+deb9u5]

Is the MX version unaffected by this vulnerability? Patched by a different method?

Or does LibreOffice need to be updated manually?

Thank you.
===============================
https://www.debian.org/security/2019/dsa-4381

Debian Security Advisory
DSA-4381-1 libreoffice -- security update
Date Reported: 02 Feb 2019
Affected Packages:

Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2018-16858.
More information:
Alex Infuehr discovered a directory traversal vulnerability which could result in the execution of Python script code when opening a malformed document.

For the stable distribution (stretch), this problem has been fixed in version 1:5.2.7-1+deb9u5. In addition this update fixes a bug in the validation of signed PDFs; it would display an incomplete status message when dealing with a partial signature.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libreoffice
Last edited by rej on Thu Feb 14, 2019 1:12 pm, edited 1 time in total.

timkb4cq
Developer
Posts: 3207
Joined: Wed Jul 12, 2006 4:05 pm

Re: Help With Debian LibreOffice Security Advisory?

#2 Post by timkb4cq »

The version we have in MX is technically but not practically vulnerable. The exploit allows a downloaded document to run python modules already present on the system. The version in MX (unlike later versions) doesn't allow any parameters to be passed, meaning that another exploit would be needed to place code useful to an attacker on the system.

If you are in a multi-user environment you might want to upgrade to the fixed version in stretch-backports. It's currently version 6.1.5-rc1-2. The MX Package Installer makes it easy to install from backports without altering your default repo list.
HP Pavilion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB

rej
Posts: 140
Joined: Thu Mar 09, 2017 11:11 pm

Re: Help With Debian LibreOffice Security Advisory?

#3 Post by rej »

timkb4cq-

Thanks for the explanation!

Found libreoffice 6.1.5-rc1-2 in the Package installer and don't understand all the packages that would need installing.

Since I am not in a "multi-user environment", think I will leave it as is and consider it safe.
