How to check that CVE-2018-6871 is fixed?

classic Classic list List threaded Threaded
7 messages Options
Paul Menzel Paul Menzel
Reply | Threaded
Open this post in threaded view
|

How to check that CVE-2018-6871 is fixed?

Dear LibreOffice folks,


So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote
attackers to read arbitrary files via =WEBSERVICE calls in a document,
which use the COM.MICROSOFT.WEBSERVICE function.”.

Maybe it’s my English, but “through 6.0.1” sounds to me like, that
version is affected. The vulnerability description page [2] says, that
LibreOffice 6.0.1 is not affected.

> 100% success rate, absolutely silent, affect LibreOffice prior to
> 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS
> etc.) and may be embedded in almost all formats supporting by LO.

I was searching the bug tracker [3] for *CVE-2018-6871* and got no
result, and the git commit log also doesn’t mention it. Neither do the
release notes [4][5].

So, how can I find out, in what version that vulnerability was fixed?


Kind regards,

Paul


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
[2] https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
[3] https://bugs.documentfoundation.org/
[4]
https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/
[5] https://wiki.documentfoundation.org/Releases/6.0.1/RC1
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Chris Sherlock Chris Sherlock
Reply | Threaded
Open this post in threaded view
|

Re: How to check that CVE-2018-6871 is fixed?

Fixed in commit:



author Caolán McNamara <[hidden email]> 2018-01-10 14:27:35 +0000
committer Caolán McNamara <[hidden email]> 2018-01-11 21:28:06 +0100
commit 34bbe8f858fd992c784586b839c0f1dc8a218b4a (patch)
tree a66fb5e4361698bf1e3e275427f766e7492310e0
parent dddb683300a0ce0fd713c924ebd9e005df60fea9 (diff)
limit WEBSERVICE to http[s] protocols
and like excel...

'For protocols that aren’t supported, such as ftp:// or file://, WEBSERVICE
returns the #VALUE! error value.'

Change-Id: I0e9c6fd3426fad56a199eafac48de9b0f23914b3
Tested-by: Jenkins <[hidden email]>
Reviewed-by: Caolán McNamara <[hidden email]>
Tested-by: Caolán McNamara <[hidden email]>

Chris

On 10 Feb 2018, at 10:07 pm, Paul Menzel <[hidden email]> wrote:

Dear LibreOffice folks,


So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote
attackers to read arbitrary files via =WEBSERVICE calls in a document,
which use the COM.MICROSOFT.WEBSERVICE function.”.

Maybe it’s my English, but “through 6.0.1” sounds to me like, that
version is affected. The vulnerability description page [2] says, that LibreOffice 6.0.1 is not affected.

100% success rate, absolutely silent, affect LibreOffice prior to
5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS
etc.) and may be embedded in almost all formats supporting by LO.

I was searching the bug tracker [3] for *CVE-2018-6871* and got no result, and the git commit log also doesn’t mention it. Neither do the release notes [4][5].

So, how can I find out, in what version that vulnerability was fixed?


Kind regards,

Paul


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
[2] https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
[3] https://bugs.documentfoundation.org/
[4] https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/
[5] https://wiki.documentfoundation.org/Releases/6.0.1/RC1
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice


_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Chris Sherlock Chris Sherlock
Reply | Threaded
Open this post in threaded view
|

Re: How to check that CVE-2018-6871 is fixed?

Sorry, I should also note that we have a security advisories page:


This one is fixed in LibreOffice 5.4.5/6.0.1

Chris

On 11 Feb 2018, at 6:22 pm, Chris Sherlock <[hidden email]> wrote:

Fixed in commit:



author Caolán McNamara <[hidden email]> 2018-01-10 14:27:35 +0000
committer Caolán McNamara <[hidden email]> 2018-01-11 21:28:06 +0100
commit 34bbe8f858fd992c784586b839c0f1dc8a218b4a (patch)
tree a66fb5e4361698bf1e3e275427f766e7492310e0
parent dddb683300a0ce0fd713c924ebd9e005df60fea9 (diff)
limit WEBSERVICE to http[s] protocols
and like excel...

'For protocols that aren’t supported, such as ftp:// or file://, WEBSERVICE
returns the #VALUE! error value.'

Change-Id: I0e9c6fd3426fad56a199eafac48de9b0f23914b3
Tested-by: Jenkins <[hidden email]>
Reviewed-by: Caolán McNamara <[hidden email]>
Tested-by: Caolán McNamara <[hidden email]>

Chris

On 10 Feb 2018, at 10:07 pm, Paul Menzel <[hidden email]> wrote:

Dear LibreOffice folks,


So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote
attackers to read arbitrary files via =WEBSERVICE calls in a document,
which use the COM.MICROSOFT.WEBSERVICE function.”.

Maybe it’s my English, but “through 6.0.1” sounds to me like, that
version is affected. The vulnerability description page [2] says, that LibreOffice 6.0.1 is not affected.

100% success rate, absolutely silent, affect LibreOffice prior to
5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS
etc.) and may be embedded in almost all formats supporting by LO.

I was searching the bug tracker [3] for *CVE-2018-6871* and got no result, and the git commit log also doesn’t mention it. Neither do the release notes [4][5].

So, how can I find out, in what version that vulnerability was fixed?


Kind regards,

Paul


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
[2] https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
[3] https://bugs.documentfoundation.org/
[4] https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/
[5] https://wiki.documentfoundation.org/Releases/6.0.1/RC1
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice



_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Rene Engelhard Rene Engelhard
Reply | Threaded
Open this post in threaded view
|

Re: How to check that CVE-2018-6871 is fixed?

In reply to this post by Paul Menzel
On Sat, Feb 10, 2018 at 12:07:38PM +0100, Paul Menzel wrote:
> Maybe it’s my English, but “through 6.0.1” sounds to me like, that
> version is affected. The vulnerability description page [2] says, that
> LibreOffice 6.0.1 is not affected.

I'd more guess it's that irresponsible disclosure guys english...

> So, how can I find out, in what version that vulnerability was fixed?

As others said: yes, 5.4.5/6.0.1 are fixed.

(And please use CVE-2018-1005, not that guys CVE.. We shouldn't honour
him for this irresponsible disclosure.)

Regards,

Rene
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Chris Sherlock Chris Sherlock
Reply | Threaded
Open this post in threaded view
|

Re: How to check that CVE-2018-6871 is fixed?

CVE-2018-1055 is the CVE we have listed on our security advisories page. 

https://www.libreoffice.org/about-us/security/advisories/

On 11 Feb 2018, at 8:34 pm, Rene Engelhard <[hidden email]> wrote:

On Sat, Feb 10, 2018 at 12:07:38PM +0100, Paul Menzel wrote:
Maybe it’s my English, but “through 6.0.1” sounds to me like, that
version is affected. The vulnerability description page [2] says, that
LibreOffice 6.0.1 is not affected.

I'd more guess it's that irresponsible disclosure guys english...

So, how can I find out, in what version that vulnerability was fixed?

As others said: yes, 5.4.5/6.0.1 are fixed.

(And please use CVE-2018-1005, not that guys CVE.. We shouldn't honour
him for this irresponsible disclosure.)

Regards,

Rene
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice


_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Rene Engelhard Rene Engelhard
Reply | Threaded
Open this post in threaded view
|

Re: How to check that CVE-2018-6871 is fixed?

On Mon, Feb 12, 2018 at 12:32:39AM +1100, Chris Sherlock wrote:
>    CVE-2018-1055 is the CVE we have listed on our security advisories page. 
>    [1]https://www.libreoffice.org/about-us/security/advisories/

Which is my point, but Paul used "the other one".

Regards,

Rene
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Chris Sherlock Chris Sherlock
Reply | Threaded
Open this post in threaded view
|

Re: How to check that CVE-2018-6871 is fixed?

Sorry to be a pain here, but it appears that the canonical CVE identifier is now CVE-2018-6872 as CVE-2018-1055 has been rejected and points to CVE-2018-6872:


Our security advisory list still points to CVE-2018-1055. Should this be updated?

Chris

Sent from my iPhone

On 12 Feb 2018, at 12:50 am, Rene Engelhard <[hidden email]> wrote:

On Mon, Feb 12, 2018 at 12:32:39AM +1100, Chris Sherlock wrote:
  CVE-2018-1055 is the CVE we have listed on our security advisories page. 
  [1]https://www.libreoffice.org/about-us/security/advisories/

Which is my point, but Paul used "the other one".

Regards,

Rene

_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice