On 14/11/17 17:02, Moritz Mühlenhoff wrote:
> On Tue, Nov 14, 2017 at 04:48:48PM +0100, Raphael Hertzog wrote:
>> Package: libreoffice
>> Claimed-By: Emilio Pozuelo
>> Claimed-Date: 2017-05-31 17:29 (166 days ago)
>
> There's some data error, CVE-2017-12607 and CVE-2017-12608 were only
> disclosed on Oct 27.
Yes, that was added back then due to a regression with the fix for
https://security-tracker.debian.org/tracker/CVE-2017-3157

The regression causes some objects (e.g. charts) to not be shown, which may be annoying for users but should be safe.

Unfortunately, upstream didn't fix this in 3.5 and the code there was quite different, so I had to manually backport the patch. IIRC Rene reviewed it and it seemed fine and my testing didn't show any problems, but upstream wasn't helpful so I went with it.

Looks like Red Hat had the same or a similar regression, fwiw:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157

At this point, I'm not sure what the best course of action is:

- revert the patch, leaving LO vulnerable to the original problem
- leave things as is, with the annoying effect of the regression, but a safe LO
- spend more time to try to fix the regression

The first option is probably unacceptable. I wonder which one of the other two is better at this point, given that wheezy will be EOL in a few months and that most LTS users at this point are likely for servers.

Thoughts?

Emilio

PS: My apologies for not dealing with this earlier. I looked at it a while ago but couldn't fix it, and then wasn't motivated to look at it further.