- libreoffice (1:6.1.5-3+rpi1+deb10u7) buster-staging; urgency=medium
++libreoffice (1:6.1.5-3+rpi1+deb10u8) buster-staging; urgency=medium
+
+ [changes introduced in 1:5.4.0-1+rpi1 by Peter Michael Green]
+ * Disable pdfium, it fails to build for armv6
+
+ [changes brought forward from 1:6.0.2-1+rpi2 by Peter Michael Green <plugwash@raspbian.org> at Fri, 27 Apr 2018 02:14:18 +0000]
+ * Disable testsuite.
+
- -- Raspbian forward porter <root@raspbian.org> Tue, 30 Mar 2021 01:27:11 +0000
++ -- Raspbian forward porter <root@raspbian.org> Tue, 28 Mar 2023 06:26:48 +0000
++
+ libreoffice (1:6.1.5-3+deb10u8) buster-security; urgency=medium
+
+ * Add salsa testsuite
+ * CVE-2022-26307: add Initialization Vectors to password storage.
+ LibreOffice supports the storage of passwords for web connections in
+ the user’s configuration database. The stored passwords are encrypted
+ with a single master key provided by the user. A flaw in LibreOffice
+ existed where master key was poorly encoded resulting in weakening its
+ entropy from 128 to 43 bits making the stored passwords vulerable to a
+ brute force attack if an attacker has access to the users stored
+ config.
+ * fix CVE-2022-26306: LibreOffice supports the storage of passwords for
+ web connections in the user’s configuration database. The stored
+ passwords are encrypted with a single master key provided by the
+ user. A flaw in LibreOffice existed where the required initialization
+ vector for encryption was always the same which weakens the security
+ of the encryption making them vulnerable if an attacker has access to
+ the user's configuration data
+ * CVE-2022-26305: compare authors using Thumbprint
+ An Improper Certificate Validation vulnerability in LibreOffice
+ existed where determining if a macro was signed by a trusted author
+ was done by only matching the serial number and issuer string of the
+ used certificate with that of a trusted certificate. This is not
+ sufficient to verify that the macro was actually signed with the
+ certificate. An adversary could therefore create an arbitrary
+ certificate with a serial number and an issuer string identical to a
+ trusted certificate which LibreOffice would present as belonging to
+ the trusted author, potentially leading to the user to execute
+ arbitrary code contained in macros improperly trusted.
+ * CVE-2021-25636: only use X509Data
+ LibreOffice supports digital signatures of ODF documents and macros
+ within documents, presenting visual aids that no alteration of the
+ document occurred since the last signing and that the signature is
+ valid. An Improper Certificate Validation vulnerability in LibreOffice
+ allowed an attacker to create a digitally signed ODF document, by
+ manipulating the documentsignatures.xml or macrosignatures.xml stream
+ within the document to contain both "X509Data" and "KeyValue" children
+ of the "KeyInfo" tag, which when opened caused LibreOffice to verify
+ using the "KeyValue" but to report verification with the unrelated
+ "X509Data" value.
+ * CVE-2022-3140: Insufficient validation of "vnd.libreoffice.command"
+ URI schemes. LibreOffice supports Office URI Schemes to enable browser
+ integration of LibreOffice with MS SharePoint server. An additional
+ scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In
+ the affected versions of LibreOffice links using that scheme could be
+ constructed to call internal macros with arbitrary arguments. Which
+ when clicked on, or activated by document events, could result in
+ arbitrary script execution without warning.
+
+ -- Bastien Roucariès <rouca@debian.org> Sat, 25 Mar 2023 10:55:37 +0000
libreoffice (1:6.1.5-3+deb10u7) buster; urgency=medium
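Review bot: the summary line for CVE-2022-26307 ("add Initialization Vectors to password storage") does not match the paragraph beneath it, which describes the master key being poorly encoded so that its entropy drops from 128 to 43 bits; the initialization-vector problem is what the next entry, "fix CVE-2022-26306", describes. Either the two summary lines were swapped or the first one was copied from the wrong upstream commit; each CVE bullet should carry a summary that matches its own description (for example, "CVE-2022-26307: improve master key encoding" and "CVE-2022-26306: add Initialization Vectors to password storage"), since this text is what readers of the security changelog rely on to map the fix to the advisory. Smaller wording issues in the same block: "vulerable" should read "vulnerable", "the users stored config" should read "the user's stored config", and "potentially leading to the user to execute arbitrary code" should read "potentially leading the user to execute arbitrary code". Also, the first bracketed Raspbian note gives only "by Peter Michael Green" while the second one carries the full author e-mail and timestamp; bringing the first into the same form would keep the forward-port history consistent.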