Re: How to check that CVE-2018-6871 is fixed?

Sorry, I should also note that we have a security advisories page:

https://www.libreoffice.org/about-us/security/advisories/ 
<https://www.libreoffice.org/about-us/security/advisories/>

This one is fixed in LibreOffice 5.4.5/6.0.1

Chris

> On 11 Feb 2018, at 6:22 pm, Chris Sherlock <chris.sherlock79@gmail.com> wrote:
>
> Fixed in commit:
>
> https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a 
> <https://cgit.freedesktop.org/libreoffice/core/commit/?id=34bbe8f858fd992c784586b839c0f1dc8a218b4a>
>
>
> > author       Caolán McNamara <caolanm@redhat.com <mailto:caolanm@redhat.com>>        2018-01-10 
> > 14:27:35 +0000
> > committer    Caolán McNamara <caolanm@redhat.com <mailto:caolanm@redhat.com>>        2018-01-11 
> > 21:28:06 +0100
> > commit       34bbe8f858fd992c784586b839c0f1dc8a218b4a (patch)
> > tree a66fb5e4361698bf1e3e275427f766e7492310e0
> > parent       dddb683300a0ce0fd713c924ebd9e005df60fea9 (diff)
> > limit WEBSERVICE to http[s] protocols
> > and like excel...
> >
> > 'For protocols that aren’t supported, such as ftp:// or file://, WEBSERVICE
> > returns the #VALUE! error value.'
> >
> > Change-Id: I0e9c6fd3426fad56a199eafac48de9b0f23914b3
> > Reviewed-on: https://gerrit.libreoffice.org/47709 <https://gerrit.libreoffice.org/47709>
> > Tested-by: Jenkins <ci@libreoffice.org <mailto:ci@libreoffice.org>>
> > Reviewed-by: Caolán McNamara <caolanm@redhat.com <mailto:caolanm@redhat.com>>
> > Tested-by: Caolán McNamara <caolanm@redhat.com <mailto:caolanm@redhat.com>>
>
> Chris
>
> > On 10 Feb 2018, at 10:07 pm, Paul Menzel <pmenzel+libreoffice@molgen.mpg.de 
> > <mailto:pmenzel+libreoffice@molgen.mpg.de>> wrote:
> >
> > Dear LibreOffice folks,
> >
> >
> > So according to CVE-2018-6871, “LibreOffice through 6.0.1 allows remote
> > attackers to read arbitrary files via =WEBSERVICE calls in a document,
> > which use the COM.MICROSOFT.WEBSERVICE function.”.
> >
> > Maybe it’s my English, but “through 6.0.1” sounds to me like, that
> > version is affected. The vulnerability description page [2] says, that LibreOffice 6.0.1 is not 
> > affected.
> >
> > > 100% success rate, absolutely silent, affect LibreOffice prior to
> > > 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS
> > > etc.) and may be embedded in almost all formats supporting by LO.
> >
> > I was searching the bug tracker [3] for *CVE-2018-6871* and got no result, and the git commit 
> > log also doesn’t mention it. Neither do the release notes [4][5].
> >
> > So, how can I find out, in what version that vulnerability was fixed?
> >
> >
> > Kind regards,
> >
> > Paul
> >
> >
> > [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871 
> > <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871>
> > [2] https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure 
> > <https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure>
> > [3] https://bugs.documentfoundation.org/ <https://bugs.documentfoundation.org/>
> > [4] 
> > https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/
> >  
> > <https://blog.documentfoundation.org/blog/2018/02/09/early-availability-libreoffice-5-4-5-libreoffice-6-0-1/>
> > [5] https://wiki.documentfoundation.org/Releases/6.0.1/RC1 
> > <https://wiki.documentfoundation.org/Releases/6.0.1/RC1>
> > _______________________________________________
> > LibreOffice mailing list
> > LibreOffice@lists.freedesktop.org <mailto:LibreOffice@lists.freedesktop.org>
> > https://lists.freedesktop.org/mailman/listinfo/libreoffice