Ubuntu
libreoffice package

CVE-2015-1774

Bug #1441224 reported by Björn Michaelsen on 2015-04-07

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	libreoffice (Ubuntu)	Fix Released	High	Björn Michaelsen
	Precise	Fix Released	Undecided	Marc Deslauriers
	Trusty	Fix Released	Undecided	Marc Deslauriers
	Utopic	Fix Released	Undecided	Marc Deslauriers
	Vivid	Fix Released	High	Björn Michaelsen

Bug Description

Disclosure date is targeted: 2015-04-25

U-Series:
Upstream master has the fix as commit f974db5d89eacf0c23e303c22c62972014e9db16. The fix can be found on branches with "git log --grep I69ab0ca9c017c9a1c10d18fd850f32a92c641d12".

Vivid:
Upstream LibreOffice 4.4.2 has the fix as bddab9a94f84e4067ca268c67df1b8708d3eea23, Ubuntu vivid package is already available at https://launchpad.net/~libreoffice/+archive/ubuntu/ppa/+packages

Utopic:
Upstream version LibreOffice 4.3.7 will have the fix as f2d49715c176c80c4b0fa3a7799d610eb5afec88 => thus needs SRU for utopic https://wiki.documentfoundation.org/ReleasePlan/4.3#4.3.7_release

Trusty:
LibreOffice 4.2 is EOL upstream, thus needs manual backport of patch on top of LibreOffice 4.2.8 as in trusty-proposed

Precise:
LibreOffice 3.5 is EOL upstream, thus needs manual backport of patch on top of LibreOffice 3.5.7

See original description

CVE References

2015-1774

Björn Michaelsen (bjoern-michaelsen) on 2015-04-08

Changed in libreoffice (Ubuntu):
assignee:	nobody → Björn Michaelsen (bjoern-michaelsen)

Björn Michaelsen (bjoern-michaelsen) on 2015-04-08

Changed in libreoffice (Ubuntu):
status:	New → In Progress

Björn Michaelsen (bjoern-michaelsen) on 2015-04-10

description:

updated

Revision history for this message

Björn Michaelsen (bjoern-michaelsen) wrote on 2015-04-10:

#1

backport of fix for 3.5/precise Edit (45.0 KiB, text/plain)

Revision history for this message

Björn Michaelsen (bjoern-michaelsen) wrote on 2015-04-10:

#2

backport of fix for 4.2/trusty Edit (44.9 KiB, text/plain)

Revision history for this message

Björn Michaelsen (bjoern-michaelsen) wrote on 2015-04-10:

#3

So for vivid, we will just bump the version to 4.4.2 pre-release and pre-disclosure, no need security teams involvement on that one then.

Revision history for this message

Björn Michaelsen (bjoern-michaelsen) wrote on 2015-04-10:

#4

4.4.2/vivid: sponsored
4.3.7/utopic: waiting for upstream release/release plan adjustments
4.2.8/trusty: prepared, testbuild on all platforms
3.5.7/precise: prepared, testbuild on all platforms (except: arm, still running)

Marc Deslauriers (mdeslaur) on 2015-04-27

information type:	Private Security → Public Security
Changed in libreoffice (Ubuntu Precise):
status:	New → Confirmed
Changed in libreoffice (Ubuntu Trusty):
status:	New → Confirmed
Changed in libreoffice (Ubuntu Utopic):
status:	New → Confirmed
Changed in libreoffice (Ubuntu Precise):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in libreoffice (Ubuntu Trusty):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in libreoffice (Ubuntu Utopic):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in libreoffice (Ubuntu Vivid):
status:	In Progress → Fix Released

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-04-27:

#5

http://www.ubuntu.com/usn/usn-2578-1/

Changed in libreoffice (Ubuntu Precise):
status:	Confirmed → Fix Released
Changed in libreoffice (Ubuntu Trusty):
status:	Confirmed → Fix Released
Changed in libreoffice (Ubuntu Utopic):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.