tl;dr. Upgrade to LibO-6.2.5
This may only be relevant if you are using a version downloaded direct from LibO website; otherwise, the recommendation seems to be generalized: "Prior to 6.2.5 it is possible to construct malicious documents..." or dependent on the distribution. (Debian has taken care of theirs). Thanks.
https://www.google.com/url?q=https://ww ... xgKrovw9Kj
================
[tdf-discuss] security related information, CVE-2019-9848, CVE-2019-9849
___________________
CVE-2019-9848: LibreLogo arbitrary script execution
Prior to 6.2.5 it is possible to construct malicious documents which
can execute arbitrary python silently if the LibreLogo script is
installed. LibreLogo is installed by default in the binary builds of
LibreOffice provided by The Document Foundation.
https://www.libreoffice.org/about-us/se ... -2019-9848
CVE-2019-9849 remote bullet graphics retrieved in 'stealth mode'
LibreOffice has a 'stealth mode' in which only documents from locations
deemed 'trusted' are allowed to retrieve remote resources. This mode is
not the default mode, but can be enabled by users who want to disable
LibreOffice's ability to include remote resources within a document. A
flaw existed where bullet graphics were omitted from this protection
prior to version 6.2.5. Users of this feature should upgrade to 6.2.5
https://www.libreoffice.org/about-us/se ... -2019-9849
LibreOffice recommends: Upgrade to LibO-6.2.5
Last edited by Richard on Wed Jul 17, 2019 4:58 am, edited 1 time in total.
Thinkpad T430 & Dell Latitude E7450, both with MX-21.3.1
kernel 5.10.0-26-amd64 x86_64; Xfce-4.18.0; 8 GB RAM
Intel Core i5-3380M, Graphics, Audio, Video; & SSDs.
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
Security upgrades for these CVEs were posted today on Debian repos for Stretch and Buster. So if your LibreOffice is the Debian version, it should come via normal upgrade.
Debian Security Advisory DSA-4483-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 16, 2019 https://www.debian.org/security/faq
Package : libreoffice
CVE ID : CVE-2019-9848 CVE-2019-9849
Two security issues have been discovered in LibreOffice:
CVE-2019-9848
Nils Emmerich discovered that malicious documents could execute
arbitrary Python code via LibreLogo.
CVE-2019-9849
Matei Badanoiu discovered that the stealth mode did not apply to
bullet graphics.
For the oldstable distribution (stretch), these problems have been fixed
in version 1:5.2.7-1+deb9u9.
For the stable distribution (buster), these problems have been fixed in
version 1:6.1.5-3+deb10u2.
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
I see the fixed Buster version has also now been backported to stretch-backports. It seems to me that it would be a good idea to replace the insecure 6.0 version in the MX main repo with the latest debs from stretch-backports.
I seem to remember some users had reservations about an upgrade, though, but can't recall the specifics. Can anyone come up with them?
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
I searched for Virtualbox and skimmed through the posts going back as far as early March and the only things I've seen were some VB issues that Manyroads was having, and Mikeinsantarosa's VB wouldn't work after switching to one of the newer Liquorix kernels because the VB dkms wasn't installed. I would think that anyone who doesn't want his VB (or any other app) upgraded would have pinned it at the version he wants by now.
The only issue I recall having had whenever VB gets upgraded was that in the guest machine I'd get nag messages that the guest editions were out of date. The guest machine, its video, etc. still worked though, even using the older version of the guest software.
Haha! Not enough coffee. I searched for "virtualbox" instead of "libreoffice". Major brain fart!
I searched for libreoffice and skimmed posts as far back as mid-February and didn't see anything about anyone not wanting to upgrade. I did see some posts from people who did want the latest version. The only things I recall people wanting to pin at current versions are the kernel and Firefox.
Please read the Forum Rules, How To Ask For Help, How to Break Your System and Don't Break Debian. Always include your full Quick System Info (QSI) with each and every new help request.
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
I do recall some people saying the new version didn't work well, but I don't know how long ago that was.
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
FWIW I've been using 6.0.8 for some time and have never had any problems with it, so whatever problems people had with it, they're not systemic but unique to their machines or installations (GPUs, how much system RAM they have, their choice of kernels, their other apps, the particular guest OSes they're running...)
There I go AGAIN, referring to VirtualBox instead of Libre Office. What a day! :lipsrsealed:
Last edited by JayM on Thu Jul 18, 2019 1:40 am, edited 1 time in total.
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
I was using the 6.2.4 version from the LibreOffice since its release without problems for my current use case of mainly Calc, Writer & Draw.
Currently using the 6.2.5 version.
The major user interface change with 6.2 is the NotebookBar; which is, IMHO, an improvement over the old look, more intuitive than Word's and allows switching back to the Classic look while learning the new layout. It took a few days to adapt after many years using the old interface --mainly due to old habits.
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
Stevo wrote (Wed Jul 17, 2019 9:24 pm):
> I see the fixed Buster version has also now been backported to stretch-backports. It seems to me that it would be a good idea to replace the insecure 6.0 version in the MX main repo with the latest debs from stretch-backports.
> I seem to remember some users had reservations about an upgrade, though, but can't recall the specifics. Can anyone come up with them?
Good idea. I can't remember those objections about upgrade.
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
I think the idea to not upgrade LO stems from the same cautious mindset that doesn't want kernel and graphics upgrades. If you use MX Linux or any distro for productivity, fewer updates equal less risk of failure.
In this case I vote for a LO upgrade. The question is: Has anyone installed it from Stretch-backports?
Re: LibreOffice recommends: Upgrade to LibO-6.2.5
Sadly, it seems most of the MX test packages never reach main repo. I see there is still a LO 6.1.5 there...
Stevo already mentioned the lack of user feedback concerning these packages (before switching to main).
Shouldn't we find a way to increase MX users' involvement with testing feedback?