ESC meeting agenda: 2023-09-14 16:00 CEST
Luke Deller
luke at deller.id.au
Fri Sep 15 01:45:47 UTC 2023
On 14/9/23 16:54, Julien Nabet wrote:
> It seems it would be good to have in the scope
> https://bugs.documentfoundation.org/show_bug.cgi?id=157231 concerning
> CVE-2023-4863 (libwebp).
Did anything come of this? I see that 7.6.1 was released without this
fix, and no mention of this issue in the ESC minutes.
For reference, within the corporate environment where I work, the
information security team is scanning all devices and servers for
affected software and working to update or remove it. At the moment
this means that anyone with LibreOffice installed on their Windows or
Mac laptop will have to remove it since no fixed version has been
released yet. I expect that many other large organisations will be
conducting similar activity.
Is there any possibility of making a security release sooner than the
normal schedule for 7.6.2 / 7.5.7?
I understand the risk to LibreOffice users is that if they open a
document containing a malicious webp image then this buffer overflow
vulnerability could possibly allow remote code injection; does this
sound accurate?
Incidentally the libreoffice package from Ubuntu appears to be fine
since it is compiled against the system libwebp which has been updated
by Ubuntu already. I think the concern is more for Windows and Mac users.
Thanks,
Luke
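The remark above about the Ubuntu package being compiled against the system libwebp points at the check an administrator would actually run: does this particular soffice binary resolve libwebp from the distribution (fixed by the distro's package update) or from its own program directory (fixed only by a new LibreOffice release)? The following script is an added example and is not code from the thread or from the LibreOffice project. It classifies `ldd` output; the directory patterns it uses to tell "system" from "bundled" are a heuristic, and the three `ldd` listings at the bottom are constructed samples, not captured from a real build.

```shell
#!/bin/sh
# Added example: classify where a LibreOffice binary gets libwebp from.
# Heuristic: a path under a libreoffice/program directory is the bundled
# copy; a path under /lib or /usr/lib is the system library.

# libwebp_origin TEXT
# TEXT is the output of `ldd soffice.bin`. Prints exactly one word:
#   system  - libwebp resolved from a system library directory
#   bundled - libwebp resolved from the application's own program directory
#   other   - libwebp resolved from somewhere else (inspect by hand)
#   missing - libwebp listed but "not found" by the loader
#   none    - no dynamic libwebp dependency at all, i.e. either no webp
#             support or a statically linked copy that no system package
#             update can fix
libwebp_origin() {
  printf '%s\n' "$1" | awk '
    /libwebp\.so/ {
      found = 1
      path = $3                      # "libwebp.so.7 => /path (0x...)"
      if (path == "not") { print "missing"; exit }
      if (path ~ /libreoffice[^ ]*\/program\//) { print "bundled"; exit }
      if (path ~ /^\/(usr\/)?lib(64)?\//) { print "system"; exit }
      print "other"; exit
    }
    END { if (!found) print "none" }
  '
}

# check_binary PATH - run ldd on a real binary and classify it.
# Example: check_binary /usr/lib/libreoffice/program/soffice.bin
check_binary() {
  libwebp_origin "$(ldd "$1" 2>/dev/null)"
}

# Constructed sample ldd output (not from a real installation).
SYSTEM_LDD='linux-vdso.so.1 (0x00007ffd3c5f1000)
libwebp.so.7 => /usr/lib/x86_64-linux-gnu/libwebp.so.7 (0x00007f1e2a3c0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e2a000000)'

BUNDLED_LDD='linux-vdso.so.1 (0x00007ffd3c5f1000)
libwebp.so.7 => /opt/libreoffice7.6/program/libwebp.so.7 (0x00007f1e2a3c0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e2a000000)'

STATIC_LDD='linux-vdso.so.1 (0x00007ffd3c5f1000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e2a000000)'

# Usage on the constructed samples; on a real host call check_binary instead.
echo "system sample : $(libwebp_origin "$SYSTEM_LDD")"
echo "bundled sample: $(libwebp_origin "$BUNDLED_LDD")"
echo "static sample : $(libwebp_origin "$STATIC_LDD")"
```

Only a "system" result means the distribution's libwebp update covers this install; "bundled" and "none" both mean the fix has to arrive with a LibreOffice release, which is the situation the thread describes for the Windows and Mac installers.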