On 16/11/17 09:39, Raphael Hertzog wrote:
> On Tue, 14 Nov 2017, Emilio Pozuelo Monfort wrote:
>> Yes, that was added back then due to a regression with the fix for
>> https://security-tracker.debian.org/tracker/CVE-2017-3157
>
> When you add an entry back for some reason, please document that
> reason... this entry in dla-needed.txt is useless if contributors don't
> know why it sits there.
>
> I was just assuming that it was affected by vulnerabilities and looked up
> the open CVE.
Well, it's there...

libreoffice (Emilio Pozuelo)
  NOTE: regression update, see:
  NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html

>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157
>>
>> At this point, I'm not sure what the best course of action is:
>> - revert the patch, leaving LO vulnerable to the original problem
>> - leave things as is, with the annoying effect of the regression, but a safe LO
>> - spend more time to try to fix the regression
>>
>> The first option is probably unacceptable. I wonder which one of the other two
>> is better at this point, given that wheezy will be EOL in a few months and that
>> most LTS users at this point are likely for servers.
>
> Can you point us to the regression report that you got or saw?
>
> When I look at the description of the problem, I'm tempted to revert the
> patch because the original problem does not look too severe. It can be
> used to get private data but the information leak is limited to whatever
> can appear in a preview and it requires precise knowledge of the
> location of the user's document that you want to retrieve. And then
> getting someone to open, modify, save a document and send it back to you
> is non-trivial.
>
> Still this looks bad so it also depends on how annoying the regression is.
> Does it affect all embedded objects?

Yep, it's bad, though not critical. The regression is annoying and affects
some objects, but not sure if it affects all of them.

>> PS: My apologies for not dealing with this earlier. I looked at it a while ago
>> but couldn't fix it, and then wasn't motivated to look at it further.
>
> When I read "wasn't motivated to look at it further" I think that you
> should have really put the package back into the queue with the
> appropriate explanations.

I really should have done that, and claimed it back if I found the time and
energy. I have freed it now.

Cheers,
Emilio
