皆様
CVE-2017-3157として報告されているCalcとWriterでの脆弱性が
LibreOffice 5.1.6/5.2.2/5.3.0
で修正されているという案内がありました。
上記より以前のバージョンを利用されている場合にはアップグレードすることを
お奨めします。
-- Takeshi Abe
On Wed, 22 Feb 2017 14:26:21 +0000, Caolán McNamara <caolanm@redhat.com> wrote:
Fixed in LibreOffice 5.1.6/5.2.2/5.3.0
---
CVE-2017-3157 Arbitrary file disclosure in Calc and Writer
http://www.libreoffice.org/about-us/security/advisories/CVE-2017-3157
Embedded Objects in writer and calc can contain previews of their
content. A document can be crafted which contains an embedded object
that is a link to an existing file on the targets system. On load the
preview of the embedded object will be updated to reflect the content
of the file on the target system. In the case of LibreOffice used as an
online service that preview of data on the target system could be used
to expose details of the environment LibreOffice is running in. In the
case of LibreOffice as a standard desktop application, the preview
could be concealed in hidden sections and retrieved by the attacker if
the document is saved and returned to sender.
In later version of LibreOffice without this flaw the LinkUpdateMode
feature has been expanded to additionally control the update of
previews of embedded objects as well as its prior function to control
the update of embedded object contents.
---
This is somewhat similar to
https://www.libreoffice.org/about-us/security/advisories/CVE-2015-4551
but instead of the *content* of an embedded link to a file getting
updated this is limited to the *preview* of the file getting updated.
--
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be deleted
--
Unsubscribe instructions: E-mail to discuss+unsubscribe@ja.libreoffice.org
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/ja/discuss/
All messages sent to this list will be publicly archived and cannot be deleted
Context
- [ja-discuss] Re: [tdf-discuss] security related information, CVE-2017-3157 · Takeshi Abe
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.