[SRU] libreoffice 5.4.5 for artful

Bug #1748999 reported by Olivier Tilloy on 2018-02-12
This bug affects 7 people
Affects: libreoffice (Ubuntu)
  Importance: High
  Assigned to: Unassigned
  Nominated for Artful by Olivier Tilloy
Affects: libreoffice-l10n (Ubuntu)
  Importance: High
  Assigned to: Unassigned
  Nominated for Artful by Olivier Tilloy

Bug Description

[Impact]

 * LibreOffice 5.4.5 is the fifth bugfix release of the still 5.4 line. Version 5.4.4 is currently in artful-proposed.
   For a list of fixed bugs compared to 5.4.4 see the list of bugs fixed in the RC1:
     https://wiki.documentfoundation.org/Releases/5.4.5/RC1#List_of_fixed_bugs

 * Given the nature of the project, the complexity of the codebase and the high level of quality assurance upstream, it is preferable to SRU a minor release rather than cherry-pick selected bug fixes.

 * LibreOffice 5.4.5 fixes CVE-2018-6871.

[Test Case]

 * CVE-2018-6871 should be verified to be fixed

 * No other specific test case; bugs fixed upstream hopefully come with unit/regression tests, and the release itself is extensively exercised upstream (both in an automated manner and manually) by a community of testers. Each minor release usually goes through two release candidates, but 5.4.5 was initially unscheduled and it had a shortened cycle (only a single RC).

 * The libreoffice packages include autopkgtests; those should be run and verified to pass.

 * General smoke testing of all the applications in the office suite should be carried out.

[Regression Potential]

 * A minor release with a total of 69 bug fixes always carries the potential for introducing regressions, even though it is a bugfix-only release, meaning that no new features were added, and no existing features were removed.

 * A combination of autopkgtests and careful smoke testing as described above should provide reasonable confidence that no regressions sneaked in.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libreoffice (Ubuntu):
status: New → Confirmed
Olivier Tilloy (osomon) on 2018-02-12
Changed in libreoffice (Ubuntu):
status: Confirmed → Fix Committed
importance: Undecided → High
Changed in libreoffice-l10n (Ubuntu):
status: New → Fix Committed
importance: Undecided → High
Adolfo Jayme (fitojb) on 2018-02-15
information type: Public → Public Security
Trogel (trogel) wrote :

It seems this also affects Xenial (16.04 LTS); see also the duplicate bug #1748889. Is there a chance to get this bug also nominated for and fixed in Xenial? Or should a separate bug report deal with Xenial?

Olivier Tilloy (osomon) wrote :

Yes, the CVE affects xenial and trusty, too. Backports of the patch are being prepared for those; this bug targets 5.4.5 on artful only.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice - 1:5.4.5-0ubuntu0.17.10.1

---------------
libreoffice (1:5.4.5-0ubuntu0.17.10.1) artful; urgency=medium

  * New upstream release (LP: #1748999)
    - fixes CVE-2018-6871: Remote arbitrary file disclosure vulnerability via
      WEBSERVICE formula
  * debian/patches/apparmor-senddoc-fixes.patch: apparmor fixes for the
    senddoc profile (LP: #1748895)

 -- Olivier Tilloy <email address hidden> Tue, 13 Feb 2018 11:25:01 +0100

Changed in libreoffice (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libreoffice-l10n - 1:5.4.5-0ubuntu0.17.10.1

---------------
libreoffice-l10n (1:5.4.5-0ubuntu0.17.10.1) artful; urgency=medium

  * New upstream release (LP: #1748999)
    - fixes CVE-2018-6871: Remote arbitrary file disclosure vulnerability via
      WEBSERVICE formula
  * debian/patches/apparmor-senddoc-fixes.patch: apparmor fixes for the
    senddoc profile (LP: #1748895)

 -- Olivier Tilloy <email address hidden> Tue, 13 Feb 2018 11:25:01 +0100

Changed in libreoffice-l10n (Ubuntu):
status: Fix Committed → Fix Released