From: Raspbian automatic forward porter Date: Tue, 28 Mar 2023 06:26:51 +0000 (+0100) Subject: Merge version 1:6.1.5-3+rpi1+deb10u7 and 1:6.1.5-3+deb10u8 to produce 1:6.1.5-3+rpi1... X-Git-Tag: archive/raspbian/1%6.1.5-3+rpi1+deb10u8 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=3fd0957b004de7796ec516dd0f9d49908a8d8ea8;p=libreoffice.git Merge version 1:6.1.5-3+rpi1+deb10u7 and 1:6.1.5-3+deb10u8 to produce 1:6.1.5-3+rpi1+deb10u8 --- 39ffc6bbb586198aa4ab0da377ff40073b1b8cbb diff --cc debian/changelog index 2422fdf169a,61a69e63083..68bbc39d8cc --- a/debian/changelog +++ b/debian/changelog @@@ -1,12 -1,53 +1,63 @@@ - libreoffice (1:6.1.5-3+rpi1+deb10u7) buster-staging; urgency=medium ++libreoffice (1:6.1.5-3+rpi1+deb10u8) buster-staging; urgency=medium + + [changes introduced in 1:5.4.0-1+rpi1 by Peter Michael Green] + * Disable pdfium, it fails to build for armv6 + + [changes brought forward from 1:6.0.2-1+rpi2 by Peter Michael Green at Fri, 27 Apr 2018 02:14:18 +0000] + * Disable testsuite. + - -- Raspbian forward porter Tue, 30 Mar 2021 01:27:11 +0000 ++ -- Raspbian forward porter Tue, 28 Mar 2023 06:26:48 +0000 ++ + libreoffice (1:6.1.5-3+deb10u8) buster-security; urgency=medium + + * Add salsa testsuite + * CVE-2022-26307: add Initialization Vectors to password storage. + LibreOffice supports the storage of passwords for web connections in + the user’s configuration database. The stored passwords are encrypted + with a single master key provided by the user. A flaw in LibreOffice + existed where master key was poorly encoded resulting in weakening its + entropy from 128 to 43 bits making the stored passwords vulerable to a + brute force attack if an attacker has access to the users stored + config. + * fix CVE-2022-26306: LibreOffice supports the storage of passwords for + web connections in the user’s configuration database. The stored + passwords are encrypted with a single master key provided by the + user. 
A flaw in LibreOffice existed where the required initialization + vector for encryption was always the same which weakens the security + of the encryption making them vulnerable if an attacker has access to + the user's configuration data + * CVE-2022-26305: compare authors using Thumbprint + An Improper Certificate Validation vulnerability in LibreOffice + existed where determining if a macro was signed by a trusted author + was done by only matching the serial number and issuer string of the + used certificate with that of a trusted certificate. This is not + sufficient to verify that the macro was actually signed with the + certificate. An adversary could therefore create an arbitrary + certificate with a serial number and an issuer string identical to a + trusted certificate which LibreOffice would present as belonging to + the trusted author, potentially leading to the user to execute + arbitrary code contained in macros improperly trusted. + * CVE-2021-25636: only use X509Data + LibreOffice supports digital signatures of ODF documents and macros + within documents, presenting visual aids that no alteration of the + document occurred since the last signing and that the signature is + valid. An Improper Certificate Validation vulnerability in LibreOffice + allowed an attacker to create a digitally signed ODF document, by + manipulating the documentsignatures.xml or macrosignatures.xml stream + within the document to contain both "X509Data" and "KeyValue" children + of the "KeyInfo" tag, which when opened caused LibreOffice to verify + using the "KeyValue" but to report verification with the unrelated + "X509Data" value. + * CVE-2022-3140: Insufficient validation of "vnd.libreoffice.command" + URI schemes. LibreOffice supports Office URI Schemes to enable browser + integration of LibreOffice with MS SharePoint server. An additional + scheme 'vnd.libreoffice.command' specific to LibreOffice was added. 
In + the affected versions of LibreOffice links using that scheme could be + constructed to call internal macros with arbitrary arguments. Which + when clicked on, or activated by document events, could result in + arbitrary script execution without warning. + + -- Bastien Roucariès Sat, 25 Mar 2023 10:55:37 +0000 libreoffice (1:6.1.5-3+deb10u7) buster; urgency=medium
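Review bot: the new Raspbian stanza at the top of the hunk carries forward "Disable testsuite." while the merged 1:6.1.5-3+deb10u8 stanza directly below it adds "Add salsa testsuite", so the regression coverage that accompanies the four CVE fixes (CVE-2022-26307, CVE-2022-26306, CVE-2022-26305, CVE-2021-25636, plus CVE-2022-3140) will not run on the armv6 build; please state in the Raspbian entry that the testsuite remains disabled for this upload so the gap is documented, or re-enable it if it now builds. Two smaller points in the same hunk: the headline "CVE-2022-26307: add Initialization Vectors to password storage." is followed by a body describing the master key encoding weakness (entropy reduced from 128 to 43 bits), whereas the constant-initialization-vector description sits under the CVE-2022-26306 bullet, so the headline and description of the first bullet should be aligned; and "vulerable" in that same bullet should read "vulnerable".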