LMDE Libreoffice severely outdated even with Update Pack 3

h1onmint

Post by h1onmint »

Hello,

today The Document Foundation announced:
The Internet, October 4, 2011 - The Document Foundation (TDF) publishes
some details of the security fixes included with the recently released
LibreOffice 3.4.3, and included in the older 3.3.4 version. Following
industry best practice, details of security fixes are withheld until
users have been given time to migrate to the new version.

RedHat security researcher Huzaifa Sidhpurwala identified a memory
corruption vulnerability in the code responsible for loading Microsoft
Word documents in LibreOffice. This flaw could have been used for
nefarious purposes, such as installing viruses, through a
specially-crafted file. The corresponding vulnerability description is
CVE-2011-2713, "Out-of-bounds property read in binary .doc filter".

LibreOffice 3.4.3 also includes various improvements to the loading of
Windows Metafile (.wmf) and Windows Enhanced Metafile (.emf) image
formats that were found through fuzz testing.

LibreOffice developers have developed some additional security patches
and fixes. These are part of a general set of development improvements
which are reflected in the overall quality and stability of the
software. Most LibreOffice 3.4.3 security fixes have been developed by
Caolan McNamara of RedHat and Marc-André Laverdière of Tata Consultancy
Services.

"Working on fuzzing LibreOffice import filters has been a great
experience, and I am glad I could contribute in securing the computing
experience of millions of users," said Marc-André Laverdière, Scientist,
TCS Innovation Labs, Tata Consultancy Services, Ltd. "Working in
cooperation with the TDF development team, we have found and fixed
serious security and crasher bugs."

All users are recommended to upgrade to LibreOffice 3.4.3 as soon as
possible, in order to benefit from the improved security of the office
suite.

Unfortunately, LMDE on its 'latest' repository is still at LibreOffice version 1:3.3.3-4+b1 (testing), vulnerable to the published security flaws, at least with the amd64 architecture. I did hope the long-awaited Update Pack 3 would address this issue (it did with numerous others) but to no avail. LibreOffice version 3.4.3 has been out for one month already, and version 3.3.4 even 2 weeks longer. Given LibreOffice is the major office suite on Mint also, and those security issues finally published, I urgently ask for an update to the current 3.4.3 version a.s.a.p.

H1
zerozero

Re: LMDE Libreoffice severely outdated even with Update Pack

Post by zerozero »

UP3 was frozen around aug/30 and LO 3.4.3 migrated to testing in sept/19, so in the next UP it will come through
http://packages.qa.debian.org/libr/libreoffice.html
Christof999

Re: LMDE Libreoffice severely outdated even with Update Pack

Post by Christof999 »

So the plan is to just leave a gaping security hole in all our systems because it doesn't correspond with the release cycle? What the heck is the latest security repo for if not for this kind of thing?

This should have been fixed the week it was found; security, like health and safety, just isn't something to be lazy about. This concerns me. Is this going to be common Mint practice to leave security holes in our systems for nearly eight weeks? Please let me know, because if that's the case I'm Fedora bound. It would not have as many features or packages but really as long as it's secure.

I must be missing something, enlighten me.
Christof999

Re: LMDE Libreoffice severely outdated even with Update Pack

Post by Christof999 »

ok sorry if that came off a bit surly, but it just struck me as really odd, considering that there is a chance of viruses or malicious programs being inserted through this avenue.
zerozero

Re: LMDE Libreoffice severely outdated even with Update Pack

Post by zerozero »

Christof,
security is always a concern, but in this situation, i think we all are doing the best we can
the public announcement was made today
http://blog.documentfoundation.org/2011 ... ity-fixes/
and debian has already security patches for lenny and squeeze
http://lwn.net/Articles/461686/
so, all in all, i think we are not bad, even if looking at the description of the risk, i believe is not a wide-spread hole (but a risk is a risk, agreed)
Christof999

Re: LMDE Libreoffice severely outdated even with Update Pack

Post by Christof999 »

Fair enough, but my point is that update pack 4 could be 6 weeks away. If Debian stable and the other distros have already patched it (amazing since stable is downstream) why should LMDE users need to wait 4-6 weeks?

These are the issues that the other thread named "LMDE is it worth it?" was talking about. You are probably right, it's a small risk. But is it worth taking any risk when there is a completely free alternative that would make me secure now?

LMDE can really overcome these issues, but it's gotta be A game material. If Debian Testing won't have a fix for weeks, say screw it and write one of your own. A distro should go beyond simply modifying and repackaging upstream code. In addition, having a semi-rolling release does not mean that EVERY item coming through the update manager has to be in an update pack. If a security hole is found, patch it and release it. It's generally accepted that security fixes get a pass for breaking the expected update cycle.
zerozero

Re: LMDE Libreoffice severely outdated even with Update Pack

Post by zerozero »

fair concerns yours and they are in sync with Mint's philosophy
Clem Says:
September 28th, 2011 at 3:24 pm

@Rovanion: We’ve always favored stability over security. If a security issue is important enough that it requires immediate action we can push it ourselves via the LM repos, or even trigger a new Update Pack just to pick it up.

so, ultimately it's also up to us to trigger these updates, imho