Hi,

On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> > sal_uInt16 nLevelAnz;
> > rIn >> nLevelAnz;
> > if ( nLevelAnz > 5 )
> > {
> > OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5
> > Ebenen! (SJ)" );
> > nLevelAnz = 5;
> > }
>
> I have taken on the Libreoffice DLA and I looked into this, but I didn't
> notice that check. So I backported the patch anyways. It would have been
> useful to mark CVE-2017-12607 as N/A in CVE/list to avoid that
> duplicate
> work... But I'm not sure your analysis is correct - the upstream patch
> for that issue concerns an earlier part of the code:
>
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1
>
> namely:
>
> - while ( rIn.GetError() == 0 && rIn.Tell() <
> aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz )
> + while (rIn.GetError() == 0 && rIn.Tell() <
> aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz && nLev <
> nMaxPPTLevels)
>
> ... which sits about 100 lines above. Now I didn't check the upstream
> code to see if it has that check we have in wheezy, but it seems it
> won't hurt to add that patch anyways.
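
Review bot: in the `+` line the new bound `nLev < nMaxPPTLevels` uses a constant whose definition is not part of this hunk, so a backport has to carry that definition too and should check that its value agrees with the literal 5 used in the `if ( nLevelAnz > 5 )` clamp quoted above. Where that clamp runs before the loop, `nLev < nLevelAnz` already keeps `nLev` below 5 and the added term only changes behaviour if `nMaxPPTLevels` is smaller than 5; where the clamp is absent, the added term is the only limit on `nLev`, so it is worth stating in the changelog which of the two cases applies to the target tree.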

It can't sit 100 lines above since it's using the variable that has been
declared in the snippet that I pasted. The code I pasted is an old version
of this current code:

sal_uInt16 nLevelAnz(0);
rIn.ReadUInt16(nLevelAnz);

So I think that my analysis is correct.

> ... if we consider LTS users are only for servers, why do we bother
> supporting Libreoffice in the first place? :) It's true it can be used
> headless, but I would think the most common use case is the GUI. The
> fact that someone reported an issue (and I wonder if there's an actual
> bug report in the BTS, anyone?) shows people *are* using it that way.

Definitely, we should support libreoffice for the desktop use case.

> So we should issue a regression update. We can probably do this
> separately than a DLA for CVE-2017-12607 and CVE-2017-12608 though... In
> fact, shouldn't we *always* issue separate DLAs for regression updates?

I think it's fine to fix a regression together with other new security
vulnerabilities.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/