CVE-2024-5261

Bug #2071624 reported by Rico Tzschichholz
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libreoffice (Ubuntu) | Status tracked in Oracular | | | |
| Mantic | Fix Released | Medium | Rico Tzschichholz | |
| Noble | Fix Released | Medium | Unassigned | |
| Oracular | Fix Released | Undecided | Unassigned | |

Bug Description

CVE-2024-5261: "TLS certificate are not properly verified when utilizing LibreOfficeKit"

https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261/

https://cgit.freedesktop.org/libreoffice/core/commit/?id=fa4ceeb487f89671efc8bf533192bf237c35b51e
https://gerrit.libreoffice.org/c/core/+/167753

https://ubuntu.com/security/CVE-2024-5261

* Noble 24.04:
  - Fix is included in 24.2.4 SRU
  - https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/2068562
* Mantic 23.10:
  - Backport of patch to 7.6.7 required
  - https://git.launchpad.net/~libreoffice/ubuntu/+source/libreoffice/log/?h=wip/mantic-7.6
* Jammy 22.04:
  - 7.3.7 not affected
* Focal 20.04:
  - 6.4.7 not affected

Rico Tzschichholz (ricotz) wrote :
Changed in libreoffice (Ubuntu Mantic):
status: New → Fix Released
Changed in libreoffice (Ubuntu Noble):
status: New → In Progress
Changed in libreoffice (Ubuntu Oracular):
status: New → In Progress
Changed in libreoffice (Ubuntu Mantic):
status: Fix Released → In Progress
Changed in libreoffice (Ubuntu Oracular):
status: In Progress → Fix Released
Changed in libreoffice (Ubuntu Mantic):
assignee: nobody → Rico Tzschichholz (ricotz)
importance: Undecided → Medium
Changed in libreoffice (Ubuntu Noble):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice - 4:24.2.4-0ubuntu0.24.04.2

---------------
libreoffice (4:24.2.4-0ubuntu0.24.04.2) noble-security; urgency=medium

  * No-change rebuild in the -security pocket to fix CVE-2024-5261.
    (LP: #2071624)

 -- Marc Deslauriers <email address hidden> Tue, 02 Jul 2024 07:26:26 -0400

Changed in libreoffice (Ubuntu Noble):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice - 4:7.6.7-0ubuntu0.23.10.3

---------------
libreoffice (4:7.6.7-0ubuntu0.23.10.3) mantic-security; urgency=medium

  * SECURITY UPDATE: TLS certificate are not properly verified when
    utilizing LibreOfficeKit (LP: #2071624)
    - debian/patches/CVE-2024-5261.patch: Revert "LOK: Allow image
      upload from WOPI-like host with self-signed cert"
    - CVE-2024-5261

 -- Rico Tzschichholz <email address hidden> Mon, 01 Jul 2024 16:21:11 +0200

Changed in libreoffice (Ubuntu Mantic):
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.