Sorry, I should also note that we have a security advisories page:

https://www.libreoffice.org/about-us/security/advisories/

This one is fixed in LibreOffice 5.4.5/6.0.1

Chris

> On 11 Feb 2018, at 6:22 pm, Chris Sherlock <chris.sherloc...@gmail.com> wrote:
>
> Fixed in commit:
>
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a
>
>> author Caolán McNamara <caol...@redhat.com> 2018-01-10 14:27:35 +0000
>> committer Caolán McNamara <caol...@redhat.com> 2018-01-11 21:28:06 +0100
>> commit 34bbe8f858fd992c784586b839c0f1dc8a218b4a (patch)
>> tree a66fb5e4361698bf1e3e275427f766e7492310e0
>> parent dddb683300a0ce0fd713c924ebd9e005df60fea9 (diff)
>> limit WEBSERVICE to http[s] protocols
>> and like excel...
>>
>> 'For protocols that aren’t supported, such as ftp:// or file://, WEBSERVICE
>> returns the #VALUE! error value.'
>>
>> Change-Id: I0e9c6fd3426fad56a199eafac48de9b0f23914b3
>> Reviewed-on: https://gerrit.libreoffice.org/47709
>> Tested-by: Jenkins <c...@libreoffice.org>
>> Reviewed-by: Caolán McNamara <caol...@redhat.com>
>> Tested-by: Caolán McNamara <caol...@redhat.com>
>
> Chris
>
>> On 10 Feb 2018, at 10:07 pm, Paul Menzel <pmenzel+libreoff...@molgen.mpg.de> wrote:
>>
>> Dear LibreOffice folks,
>>
>>
>> So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote
>> attackers to read arbitrary files via =WEBSERVICE calls in a document,
>> which use the COM.MICROSOFT.WEBSERVICE function.”.
>>
>> Maybe it’s my English, but “through 6.0.1” sounds to me like, that
>> version is affected. The vulnerability description page [2] says, that
>> LibreOffice 6.0.1 is not affected.
>>
>>> 100% success rate, absolutely silent, affect LibreOffice prior to
>>> 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS
>>> etc.) and may be embedded in almost all formats supporting by LO.
>>
>> I was searching the bug tracker [3] for *CVE-2018-6871* and got no result,
>> and the git commit log also doesn’t mention it. Neither do the release notes
>> [4][5].
>>
>> So, how can I find out, in what version that vulnerability was fixed?
>>
>>
>> Kind regards,
>>
>> Paul
>>
>>
>> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
>> [2] https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
>> [3] https://bugs.documentfoundation.org/
>> [4] https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/
>> [5] https://wiki.documentfoundation.org/Releases/6.0.1/RC1
>> _______________________________________________
>> LibreOffice mailing list
>> LibreOffice@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/libreoffice
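
For triaging spreadsheets on hosts that may still run a release older than 5.4.5/6.0.1, the following added example (not LibreOffice code and not part of the original thread) lists every WEBSERVICE call in an ODF `content.xml` and checks its URL against the http[s] allowlist named in the commit message. The function names and the sample document are constructed for illustration.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

# ODF stores cell formulas in the table:formula attribute of content.xml.
FORMULA_ATTR = "{urn:oasis:names:tc:opendocument:xmlns:table:1.0}formula"
# WEBSERVICE( or COM.MICROSOFT.WEBSERVICE(, capturing a leading string literal if present.
CALL_RE = re.compile(r'WEBSERVICE\s*\(\s*(?:"([^"]*)")?', re.IGNORECASE)
SCHEME_RE = re.compile(r'\s*([A-Za-z][A-Za-z0-9+.-]*):')
ALLOWED_SCHEMES = {"http", "https"}  # the allowlist named in the commit message

def audit_content_xml(xml_data):
    """Return (formula, scheme, allowed) for each WEBSERVICE call found.
    scheme is None when the argument is not a string literal with a URL scheme."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        formula = elem.get(FORMULA_ATTR)
        if not formula:
            continue
        for call in CALL_RE.finditer(formula):
            literal = call.group(1)
            m = SCHEME_RE.match(literal) if literal is not None else None
            scheme = m.group(1).lower() if m else None
            findings.append((formula, scheme, scheme in ALLOWED_SCHEMES))
    return findings

def audit_ods(path):
    """Audit a spreadsheet on disk (an .ods file is a zip holding content.xml)."""
    with zipfile.ZipFile(path) as ods:
        return audit_content_xml(ods.read("content.xml"))

# Constructed sample document, not taken from any real file.
SAMPLE = """<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0">
 <table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;https://example.org/rates&quot;)"/>
 <table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;file:///tmp/constructed.txt&quot;)"/>
 <table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE(&quot;FTP://example.org/x&quot;)"/>
 <table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.A1])"/>
 <table:table-cell table:formula="of:=SUM([.A1:.A3])"/>
</office:document-content>"""

if __name__ == "__main__":
    for formula, scheme, allowed in audit_content_xml(SAMPLE):
        print("ok  " if allowed else "FLAG", scheme or "non-literal URL", formula)
```

Calls whose URL comes from a cell reference or string concatenation are reported with scheme `None` and need manual review, since the effective URL is only known at recalculation time.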