Re: How to check that CVE-2018-6871 is fixed?

Chris Sherlock <chris.sherlock79 -AT- gmail.com>
Sun, 11 Feb 2018 18:22:18 +1100

Fixed in commit:

https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a 
<https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a>

author        Caolán McNamara <caolanm@redhat.com>    2018-01-10 14:27:35 +0000
committer     Caolán McNamara <caolanm@redhat.com>    2018-01-11 21:28:06 +0100
commit        34bbe8f858fd992c784586b839c0f1dc8a218b4a (patch)
tree  a66fb5e4361698bf1e3e275427f766e7492310e0
parent        dddb683300a0ce0fd713c924ebd9e005df60fea9 (diff)
limit WEBSERVICE to http[s] protocols
and like excel...

'For protocols that aren’t supported, such as ftp:// or file://, WEBSERVICE
returns the #VALUE! error value.'

Change-Id: I0e9c6fd3426fad56a199eafac48de9b0f23914b3
Reviewed-on: https://gerrit.libreoffice.org/47709
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>


Chris

On 10 Feb 2018, at 10:07 pm, Paul Menzel <pmenzel+libreoffice@molgen.mpg.de> wrote:

Dear LibreOffice folks,


So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote
attackers to read arbitrary files via =WEBSERVICE calls in a document,
which use the COM.MICROSOFT.WEBSERVICE function.”.

Maybe it’s my English, but “through 6.0.1” sounds to me like, that
version is affected. The vulnerability description page [2] says, that LibreOffice 6.0.1 is not 
affected.

100% success rate, absolutely silent, affect LibreOffice prior to
5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS
etc.) and may be embedded in almost all formats supporting by LO.


I was searching the bug tracker [3] for *CVE-2018-6871* and got no result, and the git commit log 
also doesn’t mention it. Neither do the release notes [4][5].

So, how can I find out, in what version that vulnerability was fixed?


Kind regards,

Paul


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871
[2] https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure
[3] https://bugs.documentfoundation.org/
[4] 
https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/
[5] https://wiki.documentfoundation.org/Releases/6.0.1/RC1
_______________________________________________
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice

Context

How to check that CVE-2018-6871 is fixed? · Paul Menzel
- Re: How to check that CVE-2018-6871 is fixed? · Chris Sherlock
  - Re: How to check that CVE-2018-6871 is fixed? · Chris Sherlock
- Re: How to check that CVE-2018-6871 is fixed? · Rene Engelhard
  - Re: How to check that CVE-2018-6871 is fixed? · Chris Sherlock
    - Re: How to check that CVE-2018-6871 is fixed? · Rene Engelhard
      - Re: How to check that CVE-2018-6871 is fixed? · Chris Sherlock

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.