UbuntuUpdates.org

Package "libreoffice"

Name: libreoffice

Description: office productivity suite (metapackage)

Latest version: 1:6.4.7-0ubuntu0.20.04.9
Release: focal (20.04)
Level: updates
Repository: universe
Homepage: http://www.libreoffice.org

Other versions of "libreoffice" in Focal

Repository        Area      Version
base              universe  1:6.4.2-0ubuntu3
base              main      1:6.4.2-0ubuntu3
security          main      1:6.4.7-0ubuntu0.20.04.9
security          universe  1:6.4.7-0ubuntu0.20.04.9
updates           main      1:6.4.7-0ubuntu0.20.04.9
backports         universe  1:7.4.7-0ubuntu0.22.10.1~bpo20.04.1
backports         main      1:7.4.7-0ubuntu0.22.10.1~bpo20.04.1
PPA: LibreOffice            4:7.6.4-0ubuntu0.20.04.1~lo2

Changelog

Version: 1:6.4.7-0ubuntu0.20.04.9 2023-12-14 16:07:01 UTC

  libreoffice (1:6.4.7-0ubuntu0.20.04.9) focal-security; urgency=medium

  * SECURITY UPDATE: Improper input validation enabling arbitrary Gstreamer
     pipeline injection
    - debian/patches/CVE-2023-6185.patch: escape url passed to gstreamer
    - CVE-2023-6185
  * SECURITY UPDATE: Link targets allow arbitrary script execution
    - debian/patches/CVE-2023-6186-*.patch: multiple commits to fix
      security issues.
    - CVE-2023-6186
  * patches/CppunitTest_desktop_lib-adjust-asserts-so-this-works.patch:
    - Usage of expired certificates in CppunitTest_desktop_lib:
      adjust asserts so this works again

 -- Rico Tzschichholz <email address hidden> Mon, 11 Dec 2023 15:41:29 +0100

CVE-2023-6185 Improper input validation enabling arbitrary Gstreamer pipeline injection
CVE-2023-6186 Link targets allow arbitrary script execution

Version: 1:6.4.7-0ubuntu0.20.04.8 2023-06-07 09:07:28 UTC

  libreoffice (1:6.4.7-0ubuntu0.20.04.8) focal-security; urgency=high

  * SECURITY UPDATE: Remote documents loaded without prompt via IFrame
    - debian/patches/CVE-2023-2255-*.patch: multiple commits to fix
      security issues.
    - CVE-2023-2255
  * SECURITY UPDATE: Array Index UnderFlow in Calc Formula Parsing
    - debian/patches/CVE-2023-0950.patch: Obtain actual 0-parameter count
      for OR(), AND() and 1-parameter functions
    - CVE-2023-0950

 -- Rico Tzschichholz <email address hidden> Thu, 25 May 2023 22:52:23 +0200

CVE-2023-2255 Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external
CVE-2023-0950 Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a sp

Version: 1:6.4.7-0ubuntu0.20.04.7 2023-04-19 19:07:12 UTC

  libreoffice (1:6.4.7-0ubuntu0.20.04.7) focal-security; urgency=medium

  [ Rico Tzschichholz ]
  * SECURITY UPDATE: Empty entry in Java class path risks arbitrary
    code execution
    - debian/patches/CVE-2022-38745.patch: Avoid unnecessary empty
      -Djava.class.path=.
    - CVE-2022-38745

  [ Rene Engelhard ]
  * debian/patches/hrk-euro.diff: add EUR to .hr i18n;
    add HRK<->EUR conversion rate to Calc and the Euro Wizard
  * debian/patches/hrk-euro-default.diff: default to EUR for .hr

 -- Rico Tzschichholz <email address hidden> Sun, 26 Mar 2023 20:00:54 +0200

CVE-2022-38745 Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code fro

Version: 1:6.4.7-0ubuntu0.20.04.6 2022-10-20 16:07:29 UTC

  libreoffice (1:6.4.7-0ubuntu0.20.04.6) focal-security; urgency=medium

  * SECURITY UPDATE: arbitrary script execution via Office URI Schemes
    - debian/patches/CVE-2022-3140-1.patch: commands are always URLs in
      wizards/source/access2base/DoCmd.xba.
    - debian/patches/CVE-2022-3140-2.patch: filter out unwanted command
      URIs in desktop/source/app/cmdlineargs.cxx.
    - debian/patches/CVE-2022-3140-3.patch: check IFrame FrameURL target in
      sfx2/source/appl/macroloader.cxx, sfx2/source/doc/iframe.cxx,
      sfx2/source/inc/macroloader.hxx, sw/source/filter/html/htmlplug.cxx,
      sw/source/filter/xml/xmltexti.cxx.
    - debian/patches/CVE-2022-3140-4.patch: check impress/calc IFrame
      FrameURL target in xmloff/source/draw/ximpshap.cxx.
    - CVE-2022-3140

 -- Marc Deslauriers <email address hidden> Fri, 14 Oct 2022 08:58:04 -0400

CVE-2022-3140 LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice

Version: 1:6.4.7-0ubuntu0.20.04.5 2022-10-06 16:06:22 UTC

  libreoffice (1:6.4.7-0ubuntu0.20.04.5) focal-security; urgency=medium

  * SECURITY UPDATE: Improper Certificate Validation vulnerability
    - debian/patches/CVE-2022-26305.patch: compare authors using Thumbprint
      in xmlsecurity/source/component/documentdigitalsignatures.cxx.
    - CVE-2022-26305
  * SECURITY UPDATE: stored passwords IV always the same
    - debian/patches/CVE-2022-26306.patch: add Initialization Vectors to
      password storage in
      officecfg/registry/schema/org/openoffice/Office/Common.xcs,
      svl/source/passwordcontainer/passwordcontainer.cxx,
      svl/source/passwordcontainer/passwordcontainer.hxx.
    - CVE-2022-26306
  * SECURITY UPDATE: password storage master key weak entropy
    - debian/patches/CVE-2022-26307-1.patch: make hash encoding match
      decoding in
      officecfg/registry/schema/org/openoffice/Office/Common.xcs,
      svl/source/passwordcontainer/passwordcontainer.cxx,
      svl/source/passwordcontainer/passwordcontainer.hxx,
      uui/source/iahndl-authentication.cxx.
    - debian/patches/CVE-2022-26307-2.patch: add infobar to prompt to
      refresh to replace old format in include/sfx2/strings.hrc,
      include/sfx2/viewfrm.hxx, sfx2/source/view/viewfrm.cxx.
    - CVE-2022-26307

 -- Marc Deslauriers <email address hidden> Thu, 29 Sep 2022 08:40:35 -0400

CVE-2022-26305 An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only
CVE-2022-26306 LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a sin
CVE-2022-26307 LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a sin


