ESB-2018.0419.2 - UPDATE [Win][UNIX/Linux][Debian] libreoffice: Access confidential data - Remote with user interaction 2018-02-13


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0419.2
                        libreoffice security update
                             13 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libreoffice
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6871  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4111

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libreoffice check for an updated version of the software for
         their operating system.

Revision History:  February 13 2018: An update has been released for Debian 8
                   February 12 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4111-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 12, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2018-6871

Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that
missing restrictions in the implementation of the WEBSERVICE function
in LibreOffice could result in the disclosure of arbitrary files
readable by the user who opens a malformed document.

For the oldstable distribution (jessie), this problem has been fixed in
version 1:4.3.3-2+deb8u10.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4111-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 11, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2018-6871

Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that
missing restrictions in the implementation of the WEBSERVICE function
in LibreOffice could result in the disclosure of arbitrary files
readable by the user who opens a malformed document.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.2.7-1+deb9u2.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
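
Added example, not part of the AusCERT bulletin or the Debian advisory: until
the fixed packages are installed, spreadsheets can be triaged for WEBSERVICE
calls before a user opens them. The sketch reads the ODF content.xml directly;
the function names, the sample document and the assumption that the call may
carry a COM.MICROSOFT. prefix in the stored formula are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

TABLE_NS = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
FORMULA_ATTR = f"{{{TABLE_NS}}}formula"  # ODF stores cell formulas in table:formula
# WEBSERVICE( as a function name, bare or after a vendor prefix such as
# COM.MICROSOFT. (assumed storage form); MYWEBSERVICE( is not matched.
WEBSERVICE_RE = re.compile(r"(?<![A-Za-z0-9_])WEBSERVICE\s*\(", re.IGNORECASE)
MAX_CONTENT_BYTES = 50 * 1024 * 1024  # refuse an oversized content.xml


def find_webservice_formulas(ods_bytes):
    """Return formulas in an .ods that call WEBSERVICE, read straight from the zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ods_bytes)) as zf:
        info = zf.getinfo("content.xml")
        if info.file_size > MAX_CONTENT_BYTES:
            raise ValueError("content.xml too large to scan")
        with zf.open(info) as fh:
            for _event, elem in ET.iterparse(fh):
                formula = elem.get(FORMULA_ATTR)
                if formula and WEBSERVICE_RE.search(formula):
                    hits.append(formula)
                elem.clear()  # keep memory flat on large sheets
    return hits


def build_sample_ods(formulas):
    """Constructed fixture: a minimal in-memory .ods with one cell per formula."""
    cells = "".join(f"<table:table-cell table:formula={quoteattr(f)}/>" for f in formulas)
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        f'xmlns:table="{TABLE_NS}"><office:body><office:spreadsheet>'
        f'<table:table table:name="S"><table:table-row>{cells}</table:table-row>'
        "</table:table></office:spreadsheet></office:body></office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_ods([
        "of:=SUM([.A1:.A3])",
        'of:=COM.MICROSOFT.WEBSERVICE("https://example.invalid/feed")',
    ])
    for formula in find_webservice_formulas(sample):
        print("WEBSERVICE call:", formula)
```

A match inside a quoted string literal is reported as well, which is acceptable
for triage; a hit means the file should be reviewed, not that it is malicious.
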

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
