How to check that CVE-2018-6871 is fixed?
chris.sherlock79 at gmail.com
Sun Feb 11 07:24:35 UTC 2018
Sorry, I should also note that we have a security advisories page:
This one is fixed in LibreOffice 5.4.5/6.0.1
> On 11 Feb 2018, at 6:22 pm, Chris Sherlock <chris.sherlock79 at gmail.com> wrote:
> Fixed in commit:
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a <https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a>
>> author Caolán McNamara <caolanm at redhat.com <mailto:caolanm at redhat.com>> 2018-01-10 14:27:35 +0000
>> committer Caolán McNamara <caolanm at redhat.com <mailto:caolanm at redhat.com>> 2018-01-11 21:28:06 +0100
>> commit 34bbe8f858fd992c784586b839c0f1dc8a218b4a (patch)
>> tree a66fb5e4361698bf1e3e275427f766e7492310e0
>> parent dddb683300a0ce0fd713c924ebd9e005df60fea9 (diff)
>> limit WEBSERVICE to http[s] protocols
>> and like excel...
>> 'For protocols that aren’t supported, such as ftp:// or file://, WEBSERVICE
>> returns the #VALUE! error value.'
>> Change-Id: I0e9c6fd3426fad56a199eafac48de9b0f23914b3
>> Reviewed-on: https://gerrit.libreoffice.org/47709 <https://gerrit.libreoffice.org/47709>
>> Tested-by: Jenkins <ci at libreoffice.org <mailto:ci at libreoffice.org>>
>> Reviewed-by: Caolán McNamara <caolanm at redhat.com <mailto:caolanm at redhat.com>>
>> Tested-by: Caolán McNamara <caolanm at redhat.com <mailto:caolanm at redhat.com>>
>> On 10 Feb 2018, at 10:07 pm, Paul Menzel <pmenzel+libreoffice at molgen.mpg.de <mailto:pmenzel+libreoffice at molgen.mpg.de>> wrote:
>> Dear LibreOffice folks,
>> So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote
>> attackers to read arbitrary files via =WEBSERVICE calls in a document,
>> which use the COM.MICROSOFT.WEBSERVICE function.”.
>> Maybe it’s my English, but “through 6.0.1” sounds to me like, that
>> version is affected. The vulnerability description page  says, that LibreOffice 6.0.1 is not affected.
>>> 100% success rate, absolutely silent, affect LibreOffice prior to
>>> 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS
>>> etc.) and may be embedded in almost all formats supporting by LO.
>> I was searching the bug tracker  for *CVE-2018-6871* and got no result, and the git commit log also doesn’t mention it. Neither do the release notes .
>> So, how can I find out, in what version that vulnerability was fixed?
>> Kind regards,
>>  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871>
>>  https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure <https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure>
>>  https://bugs.documentfoundation.org/ <https://bugs.documentfoundation.org/>
>>  https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/ <https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/>
>>  https://wiki.documentfoundation.org/Releases/6.0.1/RC1 <https://wiki.documentfoundation.org/Releases/6.0.1/RC1>
>> LibreOffice mailing list
>> LibreOffice at lists.freedesktop.org <mailto:LibreOffice at lists.freedesktop.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the LibreOffice