Hi,

On 2014-11-19 15:11, Rene Engelhard wrote:
> On Wed, Nov 19, 2014 at 01:26:54PM +0300, Alexander Cherepanov wrote:
>> Package: libreoffice
>> Version: 1:3.5.4+dfsg2-0+deb7u2
>>
>> Please note that there are several crashes in the version of
>> LibreOffice shipped with Debian wheezy. Issues are reported
>> upstream, the list is here:
>>
>> http://www.openwall.com/lists/oss-security/2014/11/19/3
>
> Aha. Hangs and crashes only

Not sure what you mean. If you talk about master -- maybe. But for 3.5.4
https://bugs.freedesktop.org/show_bug.cgi?id=86449 (and the list linked
above) clearly says "potentially exploitable". Do you disagree with this
assessment and need an actual exploit?

> - and then oss-security?

Why not? At least it could serve as additional data for an ongoing
discussion there about fuzzing and software quality.

> FWIW, I agree with Michael here.
>
> If you would care about those issues for everyone this simply would mean
> that for all reverse-engineered/proprietary formats every bug in this
> case would be a security

Yes, that would be a security issue. What is surprising about it? Should
it be any different from, e.g., browsers?

> update with all the brimborium and DSA etc. No,
> that's not sensible, I think.

How to deal with it is entirely different question. One can think about
various possible solutions -- from adding "Known bugs" section to the
man page stating "Opening a file in LO that you get by email can cause
you to lose the work you are doing in another LO window or your
computer to be pwned." to disabling some input filters by default (and
caring about other filters).

> Unless someone proves this has real impact _and has patches_

As of now, some of the mentioned issues are already fixed upstream. Not
sure how easy it would be to backport fixes though.

> I am not going to care. This is in a dead-upstream version anyway.

If there is nobody who cares enough about LO to join you supporting it
in Stable perhaps it should be EOLed similar to Iceweasel?

And now seems to be a good time to think about it for the next release cycle.

--
Alexander Cherepanov