Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-FU-2023:3696-1

Опубликовано: 20 сент. 2023
Источник: suse-cvrf

Описание

Feature update for LibreOffice

This update for LibreOffice fixes the following issues:

libreoffice:

  • Version update from 7.3.6.2 to 7.5.4.1 (jsc#PED-3561, jsc#PED-3550, jsc#PED-1785):
    • For the highlights of changes of version 7.5 please consult the official release notes: https://wiki.documentfoundation.org/ReleaseNotes/7.5
    • For the highlights of changes of version 7.4 please consult the official release notes: https://wiki.documentfoundation.org/ReleaseNotes/7.4
    • Security issues fixed:
      • CVE-2023-0950: Fixed stack underflow in ScInterpreter (bsc#1209242)
      • CVE-2023-2255: Fixed vulnerability where remote documents could be loaded without prompt via IFrame (bsc#1211746)
    • Bug fixes:
      • Fix PPTX shadow effect for table offset (bsc#1204040)
      • Fix ability to set the default tab size for each text object (bsc#1198666)
      • Fix PPTX extra vertical space between different text formats (bsc#1200085)
      • Do not use binutils-gold as the package is unmaintainedd and will be removed in the future (bsc#1210687)
    • Updated bundled dependencies:
      • boost version update from 1_77_0 to 1_80_0
      • curl version update from 7.83.1 to 8.0.1
      • icu4c-data version update from 70_1 to 72_1
      • icu4c version update from 70_1 to 72_1
      • pdfium version update from 4699 to 5408
      • poppler version update from 21.11.0 to 22.12.0
      • poppler-data version update from 0.4.10 to 0.4.11
      • skia version from m97-a7230803d64ae9d44f4e128244480111a3ae967 to m103-b301ff025004c9cd82816c86c547588e6c24b466
    • New build dependencies:
      • fixmath-devel
      • libwebp-devel
      • zlib-devel
      • dragonbox-devel
      • at-spi2-core-devel
      • libtiff-devel

dragonbox:

  • New package at version 1.1.3 (jsc#PED-1785)
    • New dependency for LibreOffice 7.4

fixmath:

  • New package at version 2022.07.20 (jsc#PED-1785)
    • New dependency for LibreOffice 7.4

libmwaw:

  • Version update from 0.3.20 to 0.3.21 (jsc#PED-1785):
    • Add debug code to read some private rsrc data
    • Allow to read some MacWrite which does not have printer informations
    • Add a parser for Scoop files
    • Add a parser for ScriptWriter files
    • Add a parser for ReadySetGo 1-4 files

xmlsec1:

  • Version update from 1.2.28 to 1.2.37 required by LibreOffice 7.5.2.2 (jsc#PED-3561, jsc#PED-3550):
    • Retired the XMLSec mailing list 'xmlsec@aleksey.com' and the XMLSec Online Signature Verifier.
    • Migration to OpenSSL 3.0 API Note that OpenSSL engines are disabled by default when XMLSec library is compiled against OpenSSL 3.0. To re-enable OpenSSL engines, use --enable-openssl3-engines configure flag (there will be a lot of deprecation warnings).
    • The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now deprecated and will be removed in the future versions of XMLSec Library.
    • Refactored all the integer casts to ensure cast-safety. Fixed all warnings and enabled -Werror and -pedantic flags on CI builds.
    • Added configure flag to use size_t for xmlSecSize (currently disabled by default for backward compatibility).
    • Support for OpenSSL compiled with OPENSSL_NO_ERR.
    • Full support for LibreSSL 3.5.0 and above
    • Several other small fixes
    • Fix decrypting session key for two recipients
    • Added --privkey-openssl-engine option to enhance openssl engine support
    • Remove MD5 for NSS 3.59 and above
    • Fix PKCS12_parse return code handling
    • Fix OpenSSL lookup
    • xmlSecX509DataGetNodeContent(): don't return 0 for non-empty elements - fix for LibreOffice
    • Unload error strings in OpenSSL shutdown.
    • Make userData available when executing preExecCallback function
    • Add an option to use secure memset.
    • Enabled XML_PARSE_HUGE for all xml parsers.
    • Various build and tests fixes and improvements.
    • Move remaining private header files away from xmlsec/include/`` folder
  • Other packaging changes:
    • Relax the crypto policies for the test-suite. It allows the tests using certificates with small key lengths to pass.
    • Pass --disable-md5 to configure: The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1] https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1

Список пакетов

Image SLES12-SP5-Azure-SAP-BYOS
libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-Azure-SAP-On-Demand
libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-EC2-SAP-BYOS
libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-EC2-SAP-On-Demand
libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-GCE-SAP-BYOS
libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-GCE-SAP-On-Demand
libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
libatk-1_0-0-2.28.1-6.5.23
SUSE Linux Enterprise Server 12 SP2-BCL
atk-doc-2.28.1-6.5.23
atk-lang-2.28.1-6.5.23
libatk-1_0-0-2.28.1-6.5.23
libatk-1_0-0-32bit-2.28.1-6.5.23
typelib-1_0-Atk-1_0-2.28.1-6.5.23
SUSE Linux Enterprise Server 12 SP4-ESPOS
atk-doc-2.28.1-6.5.23
atk-lang-2.28.1-6.5.23
libatk-1_0-0-2.28.1-6.5.23
libatk-1_0-0-32bit-2.28.1-6.5.23
libxmlsec1-1-1.2.37-8.6.21
libxmlsec1-gcrypt1-1.2.37-8.6.21
libxmlsec1-gnutls1-1.2.37-8.6.21
libxmlsec1-nss1-1.2.37-8.6.21
libxmlsec1-openssl1-1.2.37-8.6.21
typelib-1_0-Atk-1_0-2.28.1-6.5.23
xmlsec1-1.2.37-8.6.21
SUSE Linux Enterprise Server 12 SP4-LTSS
atk-doc-2.28.1-6.5.23
atk-lang-2.28.1-6.5.23
libatk-1_0-0-2.28.1-6.5.23
libatk-1_0-0-32bit-2.28.1-6.5.23
libxmlsec1-1-1.2.37-8.6.21
libxmlsec1-gcrypt1-1.2.37-8.6.21
libxmlsec1-gnutls1-1.2.37-8.6.21
libxmlsec1-nss1-1.2.37-8.6.21
libxmlsec1-openssl1-1.2.37-8.6.21
typelib-1_0-Atk-1_0-2.28.1-6.5.23
xmlsec1-1.2.37-8.6.21
SUSE Linux Enterprise Server for SAP Applications 12 SP4
atk-doc-2.28.1-6.5.23
atk-lang-2.28.1-6.5.23
libatk-1_0-0-2.28.1-6.5.23
libatk-1_0-0-32bit-2.28.1-6.5.23
libxmlsec1-1-1.2.37-8.6.21
libxmlsec1-gcrypt1-1.2.37-8.6.21
libxmlsec1-gnutls1-1.2.37-8.6.21
libxmlsec1-nss1-1.2.37-8.6.21
libxmlsec1-openssl1-1.2.37-8.6.21
typelib-1_0-Atk-1_0-2.28.1-6.5.23
xmlsec1-1.2.37-8.6.21

Ссылки

Описание

Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1.

Затронутые продукты
Image SLES12-SP5-Azure-SAP-BYOS:libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-Azure-SAP-On-Demand:libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-EC2-SAP-BYOS:libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-EC2-SAP-On-Demand:libatk-1_0-0-2.28.1-6.5.23
Ссылки

Описание

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

Затронутые продукты
Image SLES12-SP5-Azure-SAP-BYOS:libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-Azure-SAP-On-Demand:libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-EC2-SAP-BYOS:libatk-1_0-0-2.28.1-6.5.23
Image SLES12-SP5-EC2-SAP-On-Demand:libatk-1_0-0-2.28.1-6.5.23
Ссылки
Уязвимость SUSE-FU-2023:3696-1