Re: ESC meeting agenda: 2023-09-14 16:00 CEST

On 14/9/23 16:54, Julien Nabet wrote:
It seems it would be good to have in the scope https://bugs.documentfoundation.org/show_bug.cgi?id=157231 concerning CVE-2023-4863 (libwebp).

Did anything come of this? I see that 7.6.1 was released without this fix, and no mention of this issue in the ESC minutes.

For reference, within the corporate environment where I work, the information security team is scanning all devices and servers for affected software and working to update or remove it. At the moment this means that anyone with LibreOffice installed on their Windows or Mac laptop will have to remove it since no fixed version has been released yet. I expect that many other large organisations will be conducting similar activity.

Is there any possibility of making a security release sooner than the normal schedule for 7.6.2 / 7.5.7?

I understand the risk to LibreOffice users is that if they open a document containing a malicious webp image then this buffer overflow vulnerability could possibly allow remote code injection. Does this sound accurate?

Incidentally the libreoffice package from Ubuntu appears to be fine since it is compiled against the system libwebp which has been updated by Ubuntu already. I think the concern is more for Windows and Mac users.

Thanks,
Luke
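As an added example that is not part of this thread and not LibreOffice's own code: while a fixed build is pending, a defender may want to triage documents for embedded WebP images before they are opened. ODF packages (and, by the same logic, OOXML packages) are zip archives, so the script below walks the archive members and identifies WebP content by its RIFF/WEBP magic bytes rather than by the file extension, which is not trustworthy for an entry under Pictures/. The sample package and its two image entries are constructed inline for the demonstration.

```python
import io
import zipfile

# A WebP file is a RIFF container: "RIFF", a 4-byte little-endian size, then "WEBP".
RIFF_MAGIC = b"RIFF"
WEBP_FORM = b"WEBP"


def is_webp(data: bytes) -> bool:
    """True if the byte string starts with a RIFF/WEBP container header."""
    return len(data) >= 12 and data[:4] == RIFF_MAGIC and data[8:12] == WEBP_FORM


def find_webp_members(package_bytes: bytes) -> list:
    """Return names of zip members in an ODF/OOXML package whose content is WebP.

    Only the first 12 bytes of each member are read, so large packages are cheap
    to scan. Detection is by magic bytes, not by the member's extension.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(12)
            if is_webp(head):
                hits.append(info.filename)
    return hits


def build_sample_odt() -> bytes:
    """Constructed sample ODF package (not a real document) used only for the demo.

    It carries one WebP-looking entry with a misleading .png name and one entry
    that starts with a PNG signature.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content/>")
        # Constructed WebP header: "RIFF" + size + "WEBP" + "VP8 " chunk tag + padding.
        webp_like = b"RIFF" + (20).to_bytes(4, "little") + b"WEBPVP8 " + b"\x00" * 12
        zf.writestr("Pictures/image1.png", webp_like)
        # PNG signature followed by padding; must not be reported.
        zf.writestr("Pictures/image2.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_odt()
    print(find_webp_members(sample))  # ['Pictures/image1.png']
```

A hit only tells you that a document contains WebP data and therefore would exercise the image decoder when opened; it says nothing about whether that image is malicious, so the script is a triage filter to decide which files to hold back or open only on a patched build.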
