LibreOffice recommends: Upgrade to LibO-6.2.5

Richard
Posts: 1577
Joined: Fri Dec 12, 2008 10:31 am

LibreOffice recommends: Upgrade to LibO-6.2.5

#1 Post by Richard »

tl;dr. Upgrade to LibO-6.2.5

This may only be relevant if you are using a version downloaded direct from LibO website; otherwise, the recommendation seems to be generalized: "Prior to 6.2.5 it is possible to construct malicious documents..." or dependent on the distribution. (Debian has taken care of theirs). Thanks.

https://www.google.com/url?q=https://ww ... xgKrovw9Kj
================
[tdf-discuss] security related information, CVE-2019-9848, CVE-2019-9849
___________________


CVE-2019-9848: LibreLogo arbitrary script execution

Prior to 6.2.5 it is possible to construct malicious documents which
can execute arbitrary python silently if the LibreLogo script is
installed. LibreLogo is installed by default in the binary builds of
LibreOffice provided by The Document Foundation.

https://www.libreoffice.org/about-us/se ... -2019-9848



CVE-2019-9849: remote bullet graphics retrieved in 'stealth mode'

LibreOffice has a 'stealth mode' in which only documents from locations
deemed 'trusted' are allowed to retrieve remote resources. This mode is
not the default mode, but can be enabled by users who want to disable
LibreOffice's ability to include remote resources within a document. A
flaw existed where bullet graphics were omitted from this protection
prior to version 6.2.5. Users of this feature should upgrade to 6.2.5.

https://www.libreoffice.org/about-us/se ... -2019-9849
Last edited by Richard on Wed Jul 17, 2019 4:58 am, edited 1 time in total.
Thinkpad T430 & Dell Latitude E7450, both with MX-21.3.1
kernel 5.10.0-26-amd64 x86_64; Xfce-4.18.0; 8 GB RAM
Intel Core i5-3380M, Graphics, Audio, Video; & SSDs.

sunrat
Posts: 636
Joined: Mon Mar 28, 2016 9:54 pm

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#2 Post by sunrat »

Security upgrades for these CVEs were posted today on Debian repos for Stretch and Buster. So if your LibreOffice is the Debian version, it should come via normal upgrade.
Debian Security Advisory DSA-4483-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 16, 2019 https://www.debian.org/security/faq

Package : libreoffice
CVE ID : CVE-2019-9848 CVE-2019-9849

Two security issues have been discovered in LibreOffice:

CVE-2019-9848

Nils Emmerich discovered that malicious documents could execute
arbitrary Python code via LibreLogo.

CVE-2019-9849

Matei Badanoiu discovered that the stealth mode did not apply to
bullet graphics.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:5.2.7-1+deb9u9.

For the stable distribution (buster), these problems have been fixed in
version 1:6.1.5-3+deb10u2.

Stevo
Developer
Posts: 12838
Joined: Fri Dec 15, 2006 8:07 pm

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#3 Post by Stevo »

I see the fixed Buster version has also now been backported to stretch-backports. It seems to me that it would be a good idea to replace the insecure 6.0 version in the MX main repo with the latest debs from stretch-backports.

I seem to remember some users had reservations about an upgrade, though, but can't recall the specifics. Can anyone come up with them?

JayM
Qualified MX Guide
Posts: 6793
Joined: Tue Jan 08, 2019 4:47 am

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#4 Post by JayM »

I searched for Virtualbox and skimmed through the posts going back as far as early March and the only things I've seen were some VB issues that Manyroads was having, and Mikeinsantarosa's VB wouldn't work after switching to one of the newer Liquorix kernels because the VB dkms wasn't installed. I would think that anyone who doesn't want his VB (or any other app) upgraded would have pinned it at the version he wants by now.

The only issue I recall having had whenever VB gets upgraded was that in the guest machine I'd get nag messages that the guest editions were out of date. The guest machine, its video, etc. still worked though, even using the older version of the guest software.


Haha! Not enough coffee. I searched for "virtualbox" instead of "libreoffice". Major brain fart! :bagoverhead:

I searched for libreoffice and skimmed posts as far back as mid-February and didn't see anything about anyone not wanting to upgrade. I did see some posts from people who did want the latest version. The only things I recall people wanting to pin at current versions are the kernel and Firefox.
Please read the Forum Rules, How To Ask For Help, How to Break Your System and Don't Break Debian. Always include your full Quick System Info (QSI) with each and every new help request.

asqwerth
Developer
Posts: 7231
Joined: Sun May 27, 2007 5:37 am

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#5 Post by asqwerth »

I do recall some people saying the new version didn't work well, but I don't know how long ago that was.
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400

JayM
Qualified MX Guide
Posts: 6793
Joined: Tue Jan 08, 2019 4:47 am

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#6 Post by JayM »

FWIW I've been using 6.0.8 for some time and have never had any problems with it, so whatever problems people had with it, they're not systemic but unique to their machines or installations (GPUs, how much system RAM they have, their choice of kernels, their other apps, the particular guest OSes they're running...)

There I go AGAIN, referring to VirtualBox instead of Libre Office. What a day! :lipsrsealed:
Last edited by JayM on Thu Jul 18, 2019 1:40 am, edited 1 time in total.

Richard
Posts: 1577
Joined: Fri Dec 12, 2008 10:31 am

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#7 Post by Richard »

I was using the 6.2.4 version from the LibreOffice since its release without problems for my current use case of mainly Calc, Writer & Draw.

Currently using the 6.2.5 version.

The major user interface change with 6.2 is the NotebookBar; which is, IMHO, an improvement over the old look, more intuitive than Word's and allows switching back to the Classic look while learning the new layout. It took a few days to adapt after many years using the old interface --mainly due to old habits.

zorzi

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#8 Post by zorzi »

Stevo wrote: Wed Jul 17, 2019 9:24 pm I see the fixed Buster version has also now been backported to stretch-backports. It seems to me that it would be a good idea to replace the insecure 6.0 version in the MX main repo with the latest debs from stretch-backports.

I seem to remember some users had reservations about an upgrade, though, but can't recall the specifics. Can anyone come up with them?
Good idea. I can't remember those objections about upgrade.

dreamer
Posts: 738
Joined: Sun Oct 15, 2017 11:34 am

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#9 Post by dreamer »

I think the idea to not upgrade LO stems from the same cautious mindset that doesn't want kernel and graphics upgrades. If you use MX Linux or any distro for productivity, fewer updates equal less risk of failure.

In this case I vote for a LO upgrade. The question is: Has anyone installed it from Stretch-backports?

zorzi

Re: LibreOffice recommends: Upgrade to LibO-6.2.5

#10 Post by zorzi »

Sadly, it seems most of the MX test packages never reach the main repo. I see there is still a LO 6.1.5 there...

Stevo already mentioned the lack of user feedback concerning these packages (before switching to main).

Shouldn't we find a way to increase MX users' involvement with testing feedback?
