I second John's sentiment. For the vast majority of LibreOffice users, this security problem is _not_ fixed. And that is because they run versions of LibreOffice with the vulnerability but without the fix; and have not been made aware of the vulnerability and the release-with-a-fix.
I would claim that we are responsible to make our users thus aware. Now, it's true that a user is not likely to allow this particular exploit to be taken advantage of, since that would mean directing LO at a malicious .webp somewhere. But - we have over 200 million users IIANM. If malicious .webp's turn up on the web, it's quite likely some of our users may do this by mistake; and we would bear some of the responsibility for the consequences of such an outcome - after we've told our users that they are in the capable hands of "security experts" (to quote our website). Also, what if, next time, the vulnerability is easier to exploit? Do we even have the mechanism to push at least a warning about the need to update LO? Eyal PS 1: I have widened the CC of this exchange, as this question relates to how we present LibreOffice to users; our claims regarding the quality of this product; and the implicit and explicit guarantees we make to users. PS 2: Many of us are not able to attend ESC sessions - in general, and especially in the middle of a work day. And when this is the case we send an email asking for relevant issues to be considered. Personally, I struggle to attend even the design meetings (where I believe I can be of more use). On 28/09/2023 11:44, John Mills wrote:
Hello Miklos, Is it an acceptable statement just to say that "we" move on? Yes, the issue is now resolved for those people that download the newest version of LibreOffice. However what about the many millions of users that will not update or have no idea that they are now susceptible to this high rated CVE? This is not a compelling strategy and does not serve the best interests of these users. I think it is poor for the reputation of LibreOffice and the Document Foundation that there are many millions of unpatched instances being used that could negatively impact people like this. Perhaps this particular CVE is on the scale of things considered not that critical, however what is the strategy if there was ever an exploit that significantly impacted LibreOffice? How would this be made known to our user and corrected? With best regards, John Sent from Yahoo Mail on Android <https://mail.onelink.me/107872968?pid=nativeplacement&c=Global_Acquisition_YMktg_315_Internal_EmailSignature&af_sub1=Acquisition&af_sub2=Global_YMktg&af_sub3=&af_sub4=100000604&af_sub5=EmailSignature__Static_> On Thu, 28 Sept 2023 at 8:13 am, Miklos Vajna <vmik...@collabora.com> wrote: Hi Eyal, On Wed, Sep 27, 2023 at 08:31:04PM +0300, Eyal Rozenberg <eyalr...@gmx.com <mailto:eyalr...@gmx.com>> wrote: > I would like to ask you to discuss the situation with the recent CVE: > https://bugs.documentfoundation.org/show_bug.cgi?id=157231 <https://bugs.documentfoundation.org/show_bug.cgi?id=157231> It was already discussed 2 weeks ago. If you have specific questions, please ask on the developer list or take part in the ESC call yourself. In short: the problem is fixed, it's released, we move on. Regards, Miklos