[tdf-discuss] security related information: CVE-2024-3044

2024-05-14 Thread Caolán McNamara
tl;dr Upgrade to 7.6.7 or 24.2.3

---

CVE-2024-3044: Graphic on-click binding allows unchecked script
execution

Fixed in: LibreOffice 7.6.7/24.2.3

Description:

LibreOffice supports binding scripts to click events on graphics. In
affected versions of LibreOffice there are scenarios where built-in
scripts can be executed without warning if the user clicks on a
document with such on-click handlers.

In early versions of LibreOffice these scripts were deemed trusted, but
are now deemed untrusted.

In the fixed versions the user's explicit macro execution permissions
for the document, determined at load time, are used for these handlers.

Users are recommended to upgrade to 7.6.7 or 24.2.3 to avoid this flaw.

Thanks to Amel Bouziane-Leblond for finding and reporting this
issue.

-- 
To unsubscribe e-mail to: discuss+unsubscr...@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy


[tdf-discuss] security related information: CVE-2023-6185 & CVE-2023-6186

2023-12-11 Thread Caolán McNamara
tl;dr Upgrade to 7.5.9 or 7.6.4

---

CVE-2023-6185: Improper input validation enabling arbitrary Gstreamer
pipeline injection

Fixed in: LibreOffice 7.5.9/7.6.3

Description:

LibreOffice supports embedded videos in file formats via platform
audio/video support. Typically under Linux this is via gstreamer. In
affected versions of LibreOffice the filename of the embedded video is
not sufficiently escaped when passed to gstreamer enabling an attacker
to run arbitrary gstreamer plugins depending on what plugins are
installed on the target system.

Linux Users are recommended to upgrade to 7.5.9 or 7.6.3 to avoid this
flaw.

---

CVE-2023-6186: Link targets allow arbitrary script execution

Fixed in: LibreOffice 7.5.9/7.6.4

Description:

LibreOffice supports hyperlinks. In addition to the typical common
protocols such as http/https, hyperlinks can also have target URLs that
can launch built-in macros or dispatch built-in internal commands. In
affected versions of LibreOffice there are scenarios where these can be
executed without warning if the user activates such hyperlinks. In
later versions the user's explicit macro execution permissions for the
document are now consulted if these non-typical hyperlinks can be
executed. The possibility to use these variants of hyperlink targets
for floating frames has been removed.

Users are recommended to upgrade to 7.5.9 or 7.6.4 to avoid this flaw.

---

Credit:

Thanks to Reginaldo Silva of ubercomp.com for finding and reporting
these issues.
Thanks to Collabora Productivity for providing fixes.



[tdf-discuss] security related information: CVE-2023-4863 (libwebp)

2023-09-28 Thread Caolán McNamara
tl;dr: upgrade to LibreOffice >= 7.5.7 or >= 7.6.2

LibreOffice typically (unless provided by a Linux distribution)
contains a bundled copy of the 3rd party library, libwebp.

CVE-2023-4863 was reported for libwebp < 1.3.2 so correspondingly
libwebp was upgraded to 1.3.2 in the 7.5.7 and 7.6.2 releases.

https://nvd.nist.gov/vuln/detail/CVE-2023-4863



[tdf-discuss] security related information: CVE-2023-1183

2023-06-19 Thread Caolán McNamara
tl;dr: upgrade to LibreOffice >= 7.4.6 or >= 7.5.1

CVE-2023-1183 Arbitrary File Write in hsqldb 1.8.0

Fixed in: LibreOffice 7.4.6/7.5.1

Description:

LibreOffice supports embedded databases in its odb file format. The
most common format is hsqldb. LibreOffice typically contains a copy of
hsqldb version 1.8.0 to load this format. Each odb file contains a
"database/script" file which hsqldb parses to set up the database.
Hsqldb supports a "SCRIPT" keyword which is normally used to record the
commands input by the database admin to output such a script. In
affected versions of LibreOffice, an attacker could craft an odb
containing a "database/script" file which itself contained a SCRIPT
command where the contents of the file could be written to a new file
whose location was determined by the attacker.

Users are recommended to upgrade to 7.4.6 or 7.5.1 to avoid this flaw
when using the packages provided from www.libreoffice.org which include
a bundled copy of hsqldb 1.8.0.

Credits:

* Thanks to Gregor Kopf of Secfault Security GmbH for finding and
reporting this issue.
* Thanks to Fred Toussi for kindly providing a solution to this issue
within hsqldb.

https://www.libreoffice.org/about-us/security/advisories/CVE-2023-1183



[tdf-discuss] security related information: CVE-2023-0950, CVE-2023-2255

2023-05-25 Thread Caolán McNamara
tl;dr: upgrade to LibreOffice >= 7.4.7 or >= 7.5.3

CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing

Fixed in: LibreOffice 7.4.6/7.5.1

Description:

In the affected versions of LibreOffice certain malformed spreadsheet
formulas, such as AGGREGATE, could be created with fewer parameters
passed to the formula interpreter than it expected, leading to an array
index underflow, in which case there is a risk that arbitrary code
could be executed.

In versions >= 7.4.6 (and >= 7.5.2) the count of parameters is
validated.

Credits:
 * Secusmart GmbH for discovering and reporting the issue
 * Eike Rathke of Red Hat, Inc. for a solution

https://www.libreoffice.org/about-us/security/advisories/CVE-2023-0950

CVE-2023-2255: Remote documents loaded without prompt via IFrame

Fixed in: LibreOffice 7.4.7/7.5.3

Description:

LibreOffice supports "Floating Frames", similar to a html IFrame. The
frames display their linked document in a floating frame inside the
host document.

In affected versions of LibreOffice these floating frames fetch and
display their linked document without prompt on loading the host
document. This was inconsistent with the behavior of other linked
document content such as OLE objects, Writer linked sections or Calc
WEBSERVICE formulas which warn the user that there are linked documents
and prompt if they should be allowed to update.

In versions >= 7.4.7 (and >= 7.5.3) the existing "update link" manager
has been expanded to additionally control the update of the content of
IFrames, so such IFrames will not automatically refresh their content
unless the user agrees via the prompts.

Thanks to Amel Bouziane-Leblond for discovering this flaw.

https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255



[tdf-discuss] security related information: CVE-2022-38745

2023-03-24 Thread Caolán McNamara
tl;dr: upgrade to LibreOffice >= 7.2.6 or >= 7.3.1, (which was already
recommended)

https://www.libreoffice.org/about-us/security/advisories/CVE-2022-38745

CVE-2022-38745: Empty entry in Java class path risks arbitrary code
execution

Fixed in: LibreOffice 7.2.6/7.3.1

Description:

Most versions of LibreOffice support and contain components written in
Java. LibreOffice extends the existing Java class path with its own
internal classes.

In the affected versions of LibreOffice if the existing class path was
empty, then when Java class files are loaded, the current working
directory is searched for valid classes before using the embedded
versions. If an attacker sends a zip file containing a class file
alongside a document then depending on the file manager or other tool
used to open the zip file, navigate to the document and launch
LibreOffice to open it, then the current working directory of
LibreOffice may be the directory in which the class file exists, in
which case there is a risk that the arbitrary code of the class file
could be executed.

In versions >= 7.2.6 (and >= 7.3.1) such unwanted empty paths are not
appended to the classpath.


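The class path handling described in the CVE-2022-38745 advisory above, as an added Python illustration that is not part of the original mail and is not LibreOffice code. `naive_extend`, `safe_extend` and `empty_entries` are hypothetical names, and the jar paths are constructed samples.

```python
import os


def naive_extend(existing, own_entries, sep=os.pathsep):
    """Reconstruction of the affected behaviour: the existing class path
    is joined with the application's own entries without checking that
    it is non-empty, so an empty string becomes a class path entry."""
    return sep.join([existing] + list(own_entries))


def safe_extend(existing, own_entries, sep=os.pathsep):
    """Corrected form: empty entries are dropped before joining, so no
    entry can stand for the current working directory."""
    kept = [entry for entry in existing.split(sep) if entry]
    return sep.join(kept + list(own_entries))


def empty_entries(classpath, sep=os.pathsep):
    """Return the positions of empty entries in a class path string.

    Leading, trailing and doubled separators all produce one. These are
    the entries the advisory says cause the current working directory
    to be searched for classes."""
    return [i for i, entry in enumerate(classpath.split(sep)) if entry == ""]


if __name__ == "__main__":
    own = ["/opt/example/program/classes/unoil.jar"]  # constructed sample path
    for existing in ("", "/usr/share/java/a.jar", "/usr/share/java/a.jar::"):
        before = naive_extend(existing, own, ":")
        after = safe_extend(existing, own, ":")
        print(repr(existing), "->", repr(before), "empty at", empty_entries(before, ":"))
        print(" " * len(repr(existing)), "->", repr(after), "empty at", empty_entries(after, ":"))
```

The same `empty_entries` check can be pointed at a `CLASSPATH` value taken from a launcher script or a process environment when auditing other Java-embedding applications.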


Re: [board-discuss] Question about ANSSI certification for Apple App Store

2023-02-16 Thread Caolán McNamara
On Sat, 2023-02-11 at 09:32 -0500, Patrick Luby wrote:
> Anyway, I know that preparing the application for this certificate was
> not an easy task, but would TDF be willing to publicly share their 
> application (or at least any technical answers) with the community?

FWIW: the ANSSI cert was mentioned in today's ESC. Minutes:
https://lists.freedesktop.org/archives/libreoffice/2023-February/089958.html
"
   + question from Patrick
   + had no time to look into that yet (Cloph)
   + will share info once TDF filed its papers
"


--
To unsubscribe e-mail to: board-discuss+unsubscr...@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/board-discuss/
Privacy Policy: https://www.documentfoundation.org/privacy



[tdf-discuss] security related information, CVE-2022-26305, CVE-2022-26306 and CVE-2022-26307

2022-07-25 Thread Caolán McNamara
tl;dr upgrade LibreOffice 7-2 to 7.2.7,
and/or upgrade LibreOffice 7-3 to 7.3.3

CVE-2022-26305 Execution of Untrusted Macros Due to Improper
Certificate Validation

Due to a poor mechanism for comparing the authors of certificates it
was possible to make a digitally signed document containing macros
incorrectly appear as if it was signed by a trusted author (if the user
had configured trusted certificates).

Fixed in 7.2.7 and 7.3.2
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305

---

LibreOffice supports the storage of passwords for web connections in
the user’s configuration database. The stored passwords are encrypted
with a single master key provided by the user. There were two problems
here:

CVE-2022-26306 Static Initialization Vector Allows to Recover Passwords
for Web Connections Without Knowing the Master Password

The same initial vector for the encryption process was used for all
encryption, leaving the password potentially vulnerable to recovery if
an attacker gained access to the user's config data.

Fixed in 7.2.7 and 7.3.3
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306

and

CVE-2022-26307 Weak Master Keys

A flaw in LibreOffice existed where the master key was poorly encoded
resulting in weakening its entropy from 128 to 43 bits making the
stored passwords vulnerable to a brute force attack if an attacker has
access to the user's stored config.

Fixed in 7.2.7 and 7.3.3
https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307

For CVE-2022-26306 and CVE-2022-26307 newly saved password information
is saved using a more secure mechanism. In order to deal with old
preexisting vulnerable data, if the old format is detected in the
user's config during application startup then an infobar prompts the
user to reenter their password in order to trigger replacing that old
data with the new format.




[board-discuss] [VOTE] TDF to change composition of legal oversight group

2022-07-21 Thread Caolán McNamara
Hello,

the special working group of the legal oversight group hereby makes 
available the draft of an amendment to the Rules of Procedure [1] of
the Board of Directors.

The amendment is to change the internal delegation of responsibilities 
(“areas of oversight”) in § 3 only regarding “contracts, legal 
compliance, GDPR, trademarks”.

The former members of the legal oversight group regarding “contracts, 
legal compliance, GDPR, trademarks” shall be replaced by the new
members Caolán McNamara, Emiliano Vavassori and Paolo Vecchi. (All
other oversight groups remain unchanged.)

We hereby call for the following VOTE, which will start Friday, 
2022-07-29 00:00 UTC+2/CEST and will then run for 72h.

This vote is proposed by all members of the special working group of
the legal oversight group: Caolán, Emiliano, Paolo. Members of the
board who are in conflict shall explicitly declare their abstention.

[1] https://wiki.documentfoundation.org/TDF/BoD_rules

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




[board-discuss] calming pause please

2022-06-12 Thread Caolán McNamara
I suggest a little calming pause for a day or two on this list, it has
become somewhat fraught. It would be great to hold off on posting
anything rash and give the part of the board here in Berlin a chance to
get back home and catch up.

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] [DECISION] TDF to publish LibreOffice in app stores

2022-06-08 Thread Caolán McNamara
On Wed, 2022-06-08 at 11:44 +0200, Florian Effenberger wrote:
> happy to update the vote template if the board is fine with that.
> 
> All board members are on this list, so we can gather some feedback.

Yeah, I'm content to see that information presented by default.

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] Proposal for in-house developers at TDF

2022-05-13 Thread Caolán McNamara
On Thu, 2022-05-12 at 14:29 +0200, Paolo Vecchi wrote:
> Hi all,
> 
> after receiving quite a few comments and suggestions it seems like it is
> time to publish what, hopefully, is the final version of the proposal
> to add 2 in-house developers to TDF's team:
> 
> https://nextcloud.documentfoundation.org/s/sfJeNq7H9GS8YPe

The project management section might imply something of a mentoring or
micro management role for the ESC which isn't really something that I
think it's suited for, if that is envisioned.

The commentary around targeting specific stalled/neglected areas of
development is appealing, I fear there may exist a general feeling TDF
developers will solve everyone's pet peeves whereas hiring to primarily
do a specific XY sets achievable expectations.

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] Agenda for TDF board meeting on Monday, May 2nd at 1800 Berlin time (UTC+2)

2022-04-28 Thread Caolán McNamara
On Thu, 2022-04-28 at 20:27 +0200, Andreas Mantke wrote:
> it may be good to know why there is the need for two members from
> one ecosystem company? Have no other individual contributors or
> ecosystem system members shown interest to participate in the ESC?
> 
> The ESC should represent a wide diversity of the ecosystem and the
> interests of its members (individual and organizations). Thus every
> organization (aside maybe from TDF) should only hold one seat in the
> ESC.

The text of proposed changes is a diff against the current list
available in the link at the top of the original mail, just in case the
text reads as if the proposed changes are the full ESC complement.
There are (and here proposed to still be) 5 TDF employees, 5 Collabora,
3 allotropia, 3 Red Hat and 6 other Individual or single company
employees on the ESC giving IMO a fairly broad representation of
ESC-relevant skills and insights. I wouldn't welcome dropping 8 (or 12)
members and lose out on that.




Re: [board-discuss] [VOTE] ratify board communication best practices document

2022-04-12 Thread Caolán McNamara
On Tue, 2022-04-12 at 18:44 +0200, Thorsten Behrens wrote:
> ... calling for a vote, to:
> 
> * ratify attached best practices as current board communication
>   guidelines ... https://nextcloud.documentfoundation.org/f/900757
> 
> Vote runs the usual 72 hours, please answer with +1/-1/abstain to

+1

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] [VOTE] approval of preliminary budget for 2022

2022-04-06 Thread Caolán McNamara
On Wed, 2022-04-06 at 08:15 +0200, Florian Effenberger wrote:
> On behalf of the Board, I therefore call for the following VOTE:
> 
> Approval of the preliminary budget for 2022

+1 approve

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] Re: New draft of the proposal for in-house developers

2022-03-30 Thread Caolán McNamara
On Sat, 2022-03-26 at 21:13 +, Caolán McNamara wrote:
> On Fri, 2022-03-25 at 12:21 +0100, Alexander Thurgood wrote:
> 
> > - fixing old regressions, e.g. the chart bug in the report builder;
> 
> This one I'm unaware of. Is this bug#87012 or another?

tdf#117162 apparently. Seems to work again now with:
https://cgit.freedesktop.org/libreoffice/core/commit/?id=70f3a94949cce612be9eff14fca94976acfc61a4
https://cgit.freedesktop.org/libreoffice/core/commit/?id=78f7bd90b96ac168fdacd1e0cb0693ab3861872a
which maybe helps to unblock things a little in the short term

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] Re: New draft of the proposal for in-house developers

2022-03-26 Thread Caolán McNamara
On Fri, 2022-03-25 at 12:21 +0100, Alexander Thurgood wrote:
> - making embedded Firebird the functional equivalent of embedded
> hsqldb - currently, it is like some awkward reject, shivering in the
> cold and dark - lots of incremental improvements to be made here;
> - migrating the Java report generator code to C++ - there used to be
> a native report writer, and it got killed off in favour of Java -
> however, this would not be a small endeavour.

FWIW the firebird and report generator things are the two base issues
that I'm aware of and would love to see progress on.

> - fixing old regressions, e.g. the chart bug in the report builder;

This one I'm unaware of. Is this bug#87012 or another?

> Of course, if the general thinking in the "dev community" is that
> database front end support is a dead duck

FWIW I don't think base is a dead duck or that it needs to be excised, but
maybe it's fair to designate it as an area of concern.

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] [VOTE] Approve the attic proposal

2022-03-24 Thread Caolán McNamara
On Thu, 2022-03-24 at 00:20 +0100, Thorsten Behrens wrote:
> Dear directors,
> 
> calling for an email VOTE on the below final version of the Attic
> Proposal. The vote runs for 72 hours, starting now.

+1 in favor.

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] Draft text: an "attic" proposal - version 2.0

2022-03-14 Thread Caolán McNamara
On Mon, 2022-03-14 at 17:34 +0100, Cor Nouws wrote:
> For me the clear demands in the proposal are to prevent a situation 
> where projects restart without a good chance of success, which is IMO
> quite relevant for TDF's good name.

I tend to agree. I don't think making it trivial to deattic something
by applying a set of superficial commits to a very large code base
which don't achieve meaningful change while f.e. unaddressed security
issues mount up, creating a sort of zombie would be a good idea.

wrt the proposal's exact number of devs and commits, I could imagine
that on getting atticed a project is categorized into small, medium,
large with 1, 3, 6 devs required to de-attic if there is genuine
concern about the proposed bar being too high vs a new from scratch
project.

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] [VOTE] Approve version 1.3.2 of the CoI policy

2022-03-04 Thread Caolán McNamara
On Fri, 2022-03-04 at 13:30 +0100, Florian Effenberger wrote:
> as discussed in
> https://listarchives.tdf.io/i/nUXiQDLatIR_Od6g63A08xU3 
> and in the last board call, the following VOTE is proposed on the 
> recently published draft update to the CoI policy [1], to modify our 
> Rules of Procedure [2] - such that we reference version 1.3.2 of the
> CoI policy:

+1. Yes.
-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




[board-discuss] Representation statement

2022-03-03 Thread Caolán McNamara
I, Caolán McNamara, elected member of the Board of Directors of The 
Document Foundation, hereby and until further notice, nominate the 
following deputies to represent me during board calls and meetings, in 
the order set forth below:
 
1. Gábor Kelemen
2. Gabriel Masei
3. Ayhan Yalçınsoy

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




Re: [board-discuss] [DISCUSS] Proposed update for the CoI Policy: version 1.3.2

2022-02-24 Thread Caolán McNamara
On Thu, 2022-02-24 at 12:41 +0100, Cor Nouws wrote:
> Hi all,
> 
> Paolo Vecchi wrote on 24/02/2022 09:06:
> 
> > On 24/02/2022 03:19, Thorsten Behrens wrote:
> > > How do you suggest we move this forward then? The current state
> > > of the policy is still considered not ok for some.
> > All of us read and accepted to be bound by the current version of
> > the CoI Policy by being a member of the Board of Directors.
> > I believe no one in the current board has any problem with it or 
> > wouldn't have run for a board position.
> 
> Life can be so complicated at times ;)
> 
> I do not see a reason not to support the small improvements that are
> in.

I don't have concerns about the specific changes, which substantively
look like +1/-3 words. The document reads very draconian to me but
that's not the question asked here.

-- 
Caolán McNamara, Member of the Board of Directors
The Document Foundation, Kurfürstendamm 188, 10707 Berlin, DE
Gemeinnützige rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: https://www.documentfoundation.org/imprint




[tdf-discuss] security related information, CVE-2021-25636

2022-02-22 Thread Caolán McNamara
tl;dr upgrade LibreOffice 7-2 to 7.2.5
(or LibreOffice 7.3.0)

LibreOffice supports digital signatures of ODF documents and macros
within documents, presenting visual aids that no alteration of the
document occurred since the last signing and that the signature is
valid.

The Network and Data Security group at Ruhr University Bochum
reported a flaw with the implementation of this.

CVE-2021-25636 Incorrect trust validation of signature with ambiguous
KeyInfo children

An Improper Certificate Validation vulnerability in LibreOffice allowed
an attacker to create a digitally signed ODF document, by manipulating
the documentsignatures.xml or macrosignatures.xml stream within the
document to contain both "X509Data" and "KeyValue" children of the
"KeyInfo" tag[1], which when opened caused LibreOffice to verify using
the "KeyValue" but to report verification with the unrelated "X509Data"
value.

In versions >= 7.2.5 (and >= 7.3.0) certificate validation is now
configured to only consider X509Data children to limit validation to
X509 certificates only.

[1] https://www.w3.org/TR/xmldsig-core1/#sec-KeyInfo


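A triage check for the condition described in the CVE-2021-25636 advisory above, as an added Python example that is not part of the original mail and is not LibreOffice code. It reports any "KeyInfo" element in an ODF signature stream that carries a "KeyValue" child, with or without "X509Data". The function names, the size limit and the sample document are constructed for illustration, and the `META-INF/` location of the two streams is taken from the ODF package layout rather than from the mail.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
KEYINFO = "{%s}KeyInfo" % DSIG_NS
X509DATA = "{%s}X509Data" % DSIG_NS
KEYVALUE = "{%s}KeyValue" % DSIG_NS
SIGNATURE_STREAMS = (
    "META-INF/documentsignatures.xml",
    "META-INF/macrosignatures.xml",
)
MAX_STREAM_BYTES = 1 << 20  # assumed limit; signature streams are small


def classify_keyinfo(keyinfo):
    """Classify one KeyInfo element by its direct xmldsig children."""
    tags = {child.tag for child in keyinfo}
    if X509DATA in tags and KEYVALUE in tags:
        return "ambiguous"      # the combination named in the advisory
    if KEYVALUE in tags:
        return "keyvalue-only"  # no certificate to tie the key to
    if X509DATA in tags:
        return "x509-only"
    return "no-key-material"


def scan_signature_stream(xml_bytes):
    """Return one verdict per KeyInfo element found in the stream."""
    # Simple guard for UTF-8 input: signature streams need no DTD, and
    # refusing one avoids entity-expansion problems in the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD in signature stream, refusing to parse")
    root = ET.fromstring(xml_bytes)
    return [classify_keyinfo(k) for k in root.iter(KEYINFO)]


def scan_odf(odf_bytes):
    """Map each signature stream present in the package to its verdicts."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        names = set(zf.namelist())
        for stream in SIGNATURE_STREAMS:
            if stream not in names:
                continue
            if zf.getinfo(stream).file_size > MAX_STREAM_BYTES:
                raise ValueError("oversized signature stream: " + stream)
            findings[stream] = scan_signature_stream(zf.read(stream))
    return findings


def needs_review(findings):
    """Streams whose KeyInfo does not rely on X509Data alone."""
    flagged = ("ambiguous", "keyvalue-only")
    return sorted(s for s, v in findings.items() if any(x in flagged for x in v))


def signature_xml(keyinfo_children):
    """Constructed sample stream; key and certificate values are placeholders."""
    return (
        '<document-signatures xmlns="urn:oasis:names:tc:opendocument:'
        'xmlns:digitalsignature:1.0">'
        '<Signature xmlns="%s"><KeyInfo>%s</KeyInfo></Signature>'
        "</document-signatures>" % (DSIG_NS, keyinfo_children)
    ).encode("utf-8")


def build_sample_odf():
    """Constructed in-memory package with one flagged and one clean stream."""
    x509 = "<X509Data><X509Certificate>AA==</X509Certificate></X509Data>"
    keyvalue = (
        "<KeyValue><RSAKeyValue><Modulus>AA==</Modulus>"
        "<Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr(SIGNATURE_STREAMS[0], signature_xml(x509 + keyvalue))
        zf.writestr(SIGNATURE_STREAMS[1], signature_xml(x509))
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_odf(build_sample_odf())
    for stream, verdicts in result.items():
        print(stream, verdicts)
    print("needs review:", needs_review(result))
```

A flagged stream is a reason to open the document only in a fixed version (>= 7.2.5 or >= 7.3.0, per the advisory) and to re-check the reported signer there.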


Re: [board-discuss] Re: Enable TDF to contribute more code to LibreOffice with in-house developers to address our donors specific needs

2022-02-15 Thread Caolán McNamara
On Tue, 2022-02-15 at 12:47 +0100, Paolo Vecchi wrote:
> Hi Caolán,
> 
> thanks for your feedback.
> 
> On 14/02/2022 21:49, Caolán McNamara wrote:
> > I think at least some of the push back is less against the concept
> > that TDF should hire developers and more that it's a clearer path
> > to start with some specific problems and then what options could
> > solve them and hiring can be an option on that decision tree. It's
> > a rare dev that has skills in multiple appstores, mentoring, qa,
> > a11y, CTL, CJK and bugfixing in the various quite diverse
> > components.
> 
> Keep in mind that the point of the proposal was to get feedback from
> the community and the team which seems to confirm that it is
> desirable to have in-house developers to take care of certain areas.
> 
> Now that we know we want in-house developers, the team and the 
> interviews will help in determining which areas we can start
> covering.

It does still feel somewhat cart before horse in the sense that it
starts with a premise that hiring developers is the best solution and
then backfills it with the problems to solve. And I can understand
reluctance to go straight to that conclusion without stepping through
it starting from some specific priority problem areas to make sure
funds are distributed as wisely as possible to get the most tangible
reward.




Re: [board-discuss] Re: Enable TDF to contribute more code to LibreOffice with in-house developers to address our donors specific needs

2022-02-14 Thread Caolán McNamara
On Mon, 2022-02-14 at 18:12 +0100, Paolo Vecchi wrote:
>  Hi Kendy,
>  
> On 14/02/2022 16:42, Jan Holesovsky wrote:
> 
> 
> > 
> > In my world [regardless of the hat], a constructive debate is much
> > easier over a document collecting:
> > 
> > * the problem statement & the need
> > * the pros & cons of various solutions
> > * the proposal & conclusion
>  
>  Something like this?:
>  
>  *     As shown by Italo's slides at FOSDEM again and by others, TDF
> is not contributing as much as it could
>  *     Up to now no strategic decisions have been taken to make TDF a
> more regular and active code contributor
>  *     Members of the ecosystem and others also suggested that we
> should spend more money in development
>  *     Bugs, a11y issues and features can be harder to take care of
> by volunteers and are not always addressed by the ecosystem
>  *     We need to build up internal skills and development
> capabilities to speed up innovation
>  *     Lack of suppliers diversification, mostly 2 at present, is a
> suboptimal situation for TDF, LibreOffice and its community
>  *     Internal developers can grow to cover areas like mentoring and
> QA while also helping with new contributors support
>  *     TDF needs to expand its internal capacity to deal with
> publishing in app stores directly and manage variable levels of
> complexity due to ever changing rules
>  *     Some proposed projects could be developed internally instead
> of outsourcing them, which helps to grow in-house skills and capacity
> to address our donors needs
>  *     Potential App Stores revenues may allow for more developers
> and to invest in developing other projects
>  *     Our development mentor together with the team should propose
> to the BoD projects for internal development
>  *     While internal projects may cover different areas tenders and
> ESC proposals will be also evaluated to avoid effort duplication
>  *     This is not "just" a new project, it's an essential and
> strategical move for TDF to grow further in its second decade which
> widens the horizon for new visions and opportunities to do more and
> even better things for LibreOffice and our community
>  *     Funds are available for at least 2 developers allowing us to
> start employing them straight away
>  *     Next steps: create and publish the job offers for developers
> and on-board them ASAP
>  
>  This has allowed to get a feel for the proposal, which seems very
> positive, and now we'll be working on the details but at least it
> showed that the community thinks we are moving in the right
> direction.
>  
>  Then should the new developers invest 30% of their time in QA, 50%
> in bug fixing and 20% in reviewing tenders and deliverables?
>  That's something we should see with the team as they have a very
> good feel of what is going on.

I think at least some of the push back is less against the concept that
TDF should hire developers and more that it's a clearer path to start
with some specific problems and then what options could solve them and
hiring can be an option on that decision tree. It's a rare dev that has
skills in multiple appstores, mentoring, qa, a11y, CTL, CJK and
bugfixing in the various quite diverse components.




[board-discuss] Re: Acceptance of role in the Board of Directors

2022-01-07 Thread Caolán McNamara
On Fri, 2022-01-07 at 00:10 +0100, Marina Latini wrote:
> Dear Caolán McNamara,
> 
> let me first take this opportunity to personally congratulate you for
> having been elected as member of the board. Then I kindly invite you
> to officially accept your position in the board by answering to this 
> message with a "Reply to all".
> 
> On behalf of the Membership Committee,
> Marina Latini
> 
> 
> 
> I, Caolán McNamara, elected director of the board of The Document 
> Foundation, hereby accept this position within the Stiftung
> bürgerlichen Rechts. My term will start February 18, 2022.
> 
> Signed: Caolán McNamara
> 
> 
> Ich, Caolán McNamara, gewähltes Mitglied des Vorstands der The
> Document Foundation, nehme mein Amt innerhalb der Stiftung
> bürgerlichen Rechts an. Meine Amtszeit beginnt am 18. Februar 2022.
> 
> Unterzeichnet: Caolán McNamara
> 

I accept





[tdf-discuss] security related information, CVE-2021-43527

2021-12-08 Thread Caolán McNamara
tl;dr: upgrade to 7.1.8 or 7.2.4

The install sets of LibreOffice as provided by TDF include a bundled
copy of Mozilla's NSS library. Before 7.1.8/7.2.4 the bundled NSS is
affected by:

CVE-2021-43527 Memory corruption via DER-encoded DSA and RSA-PSS
signatures

https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/#CVE-2021-43527
https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html




[board-discuss] Re: Board elections: questions to the candidate Caolán McNamara

2021-11-29 Thread Caolán McNamara
On Sat, 2021-11-27 at 12:19 +0100, Marina Latini wrote:
> 1. Do you commit yourself to have enough time and the necessary 
> technological tools in order to participate to the regularly scheduled
> board calls?

Sure.

> 2. Do you commit yourself to follow up and work on (at least) the main
> items and actions you will volunteer to oversee or that will be
> assigned to you by the board?

Sure.

> 3. What is your willingness to delegate decisions, especially in lack
> of time?

I'm happy to delegate.

> 4. What are your views on the foundation's budget? How should the money
> be spent, besides our fixed costs?

I'm particularly keen on funding for elements on the ESC suggested
tenders: https://wiki.documentfoundation.org/Development/Budget2021 and
similar where there isn't currently sufficient existing activity.

> 5. Should we work towards broadening our pool of contributors, both 
> technical and non-technical?

Sure, though we should be sure we also retain what we have.

> 6. What actions do you suggest to increase the engagement and 
> participation of volunteers from local communities around the world
> in project's activities?

I think obviously covid has seriously hindered the ability to host
in-person conferences and regional meetups so it's difficult to maintain
energy without that regular face to face boost. Hopefully in the coming
year circumstances improve to allow those to return.

> 7. Should the Foundation -as an entity distinct from the LibreOffice 
> project or the Document Liberation project- engage into growing its 
> influence and promoting and defending Free Software and Digital
> Freedom?

wrt to promotion and defense, I'd like the foundation to also consider
risks to the other projects that LibreOffice depends on; spell checking
and hyphenation engines, spellchecking and hyphenation dictionaries,
document liberation project filters, specialized spreadsheet external
dependencies, cmis libraries and existence of fonts that are metrically
equivalent to important competitors.

>  If yes, do you have ideas on what should be done about this?

I'd like to see our dependencies recognized and categorized into what
risks they pose if they were to go dark. Perhaps there is potential to
more effectively cooperate with Mozilla Foundation where there is some
overlap on some of these technologies.

> 8. What's your idea to let TDF membership become more appealing? 
> Currently, the only difference from being Community member and TDF 
> member is the possibility to vote and be voted for TDF's governance,
> and it's fine, but can you imagine anything to encourage more
> Community members to become also part of TDF?

I was unaware there was a gulf between the numbers of community members
and actual TDF members. I'd be interested in knowing the numbers and
if there are identifiable subgroups of community members that feel it's
undesirable, unnecessary or pointless to be TDF members.

> 9. How do you view your (potential) role as a member of the board of 
> directors, given that this position does not give you any specific 
> functional role inside the LibreOffice or Document Liberation
> projects?

I'd hope to act as a bridge to the development community, not just on
LibreOffice itself, but as a sometimes contributor to a wider set of
related projects.

> 10. What is the biggest problem of the foundation in your opinion?

Vulnerability to the loss of one or more of the larger employers of
developers that contribute to LibreOffice.

> What is its biggest opportunity?

LibreOffice is an established project and there is considerable good
will held towards it and the foundation.

> 11. If they will occur, how do you think to handle conflicts within
> the board?

I'm reasonably confident I can remain even handed if a problem arises.





[board-discuss] Candidacy to the BoD elections: Caolán McNamara

2021-11-24 Thread Caolán McNamara
Dear Members,

I would like to stand for elections to the Board of Directors of The
Document Foundation.

I'm Caolán McNamara, full time developer on LibreOffice and member of
the ESC. I'm employed as a Principal Engineer by Red Hat as part of the
Desktop Team and have been involved with LibreOffice since its
inception and had involvement with its predecessors back to a stint as
a Sun Microsystems employee on StarOffice. I'm currently living on the
damp and windy west coast of Ireland.

For LibreOffice the type of things I currently work on are the existing
Gtk3 port and the work-in-progress Gtk4 port. I also act in the
LibreOffice security team as the liaison for LibreOffice's CVE
Numbering Authority, helping to turn security reports into fixes and
managing the admin work required. I oversee the oss-fuzz continuous
fuzzing of LibreOffice and maintain our continuous document
import/export crashtesting process, discovering and fixing crashes
close to the time of their introduction. 

Full name: Caolán McNamara
Email: caol...@redhat.com
Corporate affiliation: Red Hat, Inc.

(Less than) 75 words candidacy statement:

"I'm a long term contributor to LibreOffice on the development front
and I would like to serve in the Board to help represent the
perspective of contributors to our project in order to aid the Board in
making decisions that sustain existing contribution sources and
encourage growth"





[tdf-discuss] security related information, CVE-2021-25633, CVE-2021-25634, CVE-2021-25635

2021-10-11 Thread Caolán McNamara
tl;dr upgrade to LibreOffice 7-0 to 7.0.6, libreoffice 7-1 to 7.1.2
(or libreoffice 7.2.0)

LibreOffice supports digital signatures of ODF documents and macros
within documents, presenting visual aids that no alteration of the
document occurred since the last signing and that the signature is
valid.

The Network and Data Security group at Ruhr University Bochum
reported a number of flaws with the implementation of this.

CVE-2021-25633
Content Manipulation with Double Certificate Attack
https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633
Fixed in 7.0.6 and 7.1.2

CVE-2021-25634
Timestamp Manipulation with Signature Wrapping
https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25634
Fixed in 7.0.6 and 7.1.2

CVE-2021-25635
Content Manipulation with Certificate Validation Attack
https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25635
Fixed in 7.0.5 and 7.1.1




[tdf-discuss] security related information: CVE-2021-25632

2021-05-18 Thread Caolán McNamara
tl;dr: macOS users should upgrade to 7.0.6 or 7.1.3

CVE-2021-25632: fileloc extension added to macOS executable denylist

https://www.libreoffice.org/about-us/security/advisories/cve-2021-25632




Re: [tdf-discuss] security related information, CVE-2021-25631

2021-04-16 Thread Caolán McNamara
On Fri, 2021-04-16 at 12:04 +0200, William Gathoye (LibreOffice) wrote:
> On 15/04/2021 21:55, Caolán McNamara wrote:
> > [...]
> > In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the
> > 7-0 series in versions prior to 7.0.5
> > [...]
> 
> have received a CVE warning from a security analyst saying that the 
> LibreOffice 7.0 branch is still vulnerable to CVE-2021-25631.
> 
> The 7.0.5 version seems not to be fixing the issue. He recommends me to
> tweak the Chocolatey libreoffice-still package and upgrade all the
> users to the 7.1 branch.

Can you forward the details of that claim to
secur...@documentfoundation.org for investigation? I certainly see the
expected commit in 7.0.5.




[tdf-discuss] security related information, CVE-2021-25631

2021-04-15 Thread Caolán McNamara
tl;dr: Windows users should upgrade to 7.0.5 or 7.1.2

LibreOffice has a feature where hyperlinks in a document can be
activated by CTRL+click. Under Windows the link can be passed to the
system ShellExecute function for handling. LibreOffice contains a
denylist of extensions that it blocks from passing to ShellExecute to
avoid attempting to launch executables.

In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the
7-0 series in versions prior to 7.0.5, the denylist can be circumvented
by manipulating the link so it doesn't match the denylist but results
in ShellExecute attempting to launch an executable type.

In the fixed versions this circumvention has been blocked.

Thanks to Lukas Euler of Positive Security for discovering and
reporting this issue




[tdf-discuss] security related information, CVE-2020-12802, CVE-2020-12803

2020-06-08 Thread Caolán McNamara
CVE-2020-12802 remote graphics contained in docx format retrieved in
'stealth mode'

If you are using the (off by default) setting to only allow documents
in "trusted location" to download remote resources then 6.4.4 fixes a
case in the .docx import path where that protection didn't apply.

CVE-2020-12803 XForms submissions could overwrite local files

ODF documents can contain forms similar to HTML forms where a user
typically clicks on a submit button to submit the data to a web server.
Prior to 6.4.4 the destination could be a local file, raising the
possibility that a malicious document could be constructed to maximize
the likelihood that the user could inadvertently overwrite a local
file. In 6.4.4 this feature is limited to http[s] URLs.




[tdf-discuss] security related information, CVE-2020-12801

2020-05-18 Thread Caolán McNamara
CVE-2020-12801 Crash-recovered MSOffice encrypted documents defaulted
to not using encryption on next save

If LibreOffice has an encrypted document open and crashes, that
document is auto-saved encrypted. On restart, LibreOffice offers to
restore the document and prompts for the password to decrypt it. If the
recovery is successful, and if the file format of the recovered
document was not LibreOffice's default ODF file format, then affected
versions of LibreOffice default that subsequent saves of the document
are unencrypted.
 
This may lead to a user accidentally saving a MSOffice file format
document unencrypted while believing it to be encrypted.

This is fixed, in the 6-3 series with 6.3.6 and in the 6-4 series with
6.4.3




[tdf-discuss] security related information: CVE-2019-9853

2019-09-27 Thread Caolán McNamara
tl;dr: Ensure you are upgraded to at least 6.2.7 and 6.3.1



CVE-2019-9853: Insufficient URL decoding flaw in categorizing macro
location

LibreOffice documents can contain macros. The execution of those macros
is controlled by the document security settings, typically execution of
macros are blocked by default.

A URL decoding flaw existed in how the urls to the macros within the
document were processed and categorized, resulting in the possibility
to construct a document where macro execution bypassed the security
settings.

The documents were correctly detected as containing macros, and
prompted the user to their existence within the documents, but macros
within the document were subsequently not controlled by the security
settings allowing arbitrary macro execution

This issue affects:
LibreOffice 6.2 series versions prior to 6.2.6;
LibreOffice 6.3 series versions prior to 6.3.1.

Because CVE-2019-9854 and CVE-2019-9855 exist in 6.2.6, 6-2 series
users are recommended to upgrade to 6.2.7

Thanks to Nils Emmerich of ERNW Research GmbH for discovering and
reporting this issue.




[tdf-discuss] security related information, CVE-2019-9854, CVE-2019-9855

2019-09-06 Thread Caolán McNamara
tl;dr: Upgrade to 6.2.7 or 6.3.1

CVE-2019-9854 Unsafe URL assembly flaw in allowed script location check

Protection was added to address CVE-2019-9852, to avoid a directory
traversal attack where scripts in arbitrary locations on the file
system could be executed by employing a URL encoding attack to defeat
the path verification step.

However this protection could be bypassed by taking advantage of a flaw
in how LibreOffice assembled the final script URL location directly
from components of the passed in path as opposed to solely from the
sanitized output of the path verification step.

This flaw is fixed in 6.2.7 and 6.3.1

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854

---

CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows
LibreLogo script execution

When the execution of LibreLogo from scripts was blocked we didn't take
into account that, under Windows, file names longer than eight
characters can be addressed via a compatibility 8.3 filename which
wasn't blocked.

Such paths are now rejected in 6.2.7 and 6.3.1

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9855

---

Another change in 6.2.7 and 6.3.1 is that now documents that contain a
call to a script are treated similarly to those that contain macros.

So documents that call a built in shared script in some way will
present the same warning dialog as documents that contain macros.

Shared built-in scripts are demoted from their trusted position and
their execution is controlled under the standard macro execution rules.




Re: [tdf-discuss] security related information, CVE-2019-9850, CVE-2019-9851, CVE-2019-9852

2019-08-16 Thread Caolán McNamara
On Thu, 2019-08-15 at 21:28 +0200, Jean-Baptiste Faure wrote:
> On 15/08/2019 at 12:52, Caolán McNamara wrote:
> > tl;dr; Upgrade to >= 6.2.6 or >= 6.0.0.
> 
> I guess you mean ... or >= 6.3.0

Yes, indeed, oops, 6.3.0. Advisory texts are correct, email here was
not.




[tdf-discuss] security related information, CVE-2019-9850, CVE-2019-9851, CVE-2019-9852

2019-08-15 Thread Caolán McNamara
tl;dr; Upgrade to >= 6.2.6 or >= 6.0.0.

There is a cluster of issues here.



CVE-2019-9850 Insufficient url validation allowing LibreLogo script
execution

There was a way to encode the script url that could bypass the fix of
CVE-2019-9848
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850



CVE-2019-9851 LibreLogo global-event script execution

The fix of CVE-2019-9848 blocked execution of LibreLogo from document
script events, e.g. mouse-over, but there is another separate feature
of global script events, e.g. document-open which are also affected
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851



CVE-2019-9852 Insufficient URL encoding flaw in allowed script location
check

There was a way to encode the script url to bypass the fix of
CVE-2018-16858 to again allow scripts in arbitrary locations on the file
system to be executed

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852




Re: [tdf-discuss] Re: security related information, CVE-2019-9848, CVE-2019-9849

2019-08-10 Thread Caolán McNamara
On Fri, 2019-08-09 at 21:38 -0700, Derek Currie wrote:
> A further patch was supposed to be applied in version
> 6.3.4 this week.
> And yet there is no record in the release notes of that patch.
> Instead, there is an incorrect listing that CVE-2019-9848 was patched
> in v6.2.5.2, which has been published to not be the case.

It is not incorrect to state that CVE-2019-9848 was patched in 6.2.5.2,
but it is fair to state that it turns out the solution is not totally
sufficient and there is an additional problem with the solution.

A new advisory will be issued with a new CVE number for the follow-up
issue when the solution is ready. We're working on making it available.




[tdf-discuss] security related information, CVE-2019-9848, CVE-2019-9849

2019-07-16 Thread Caolán McNamara
tl;dr: Upgrade to 6.2.5

CVE-2019-9848: LibreLogo arbitrary script execution

Prior to 6.2.5 it is possible to construct malicious documents which
can execute arbitrary python silently if the LibreLogo script is
installed. LibreLogo is installed by default in the binary builds of
LibreOffice provided by The Document Foundation.

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848


CVE-2019-9849 remote bullet graphics retrieved in 'stealth mode'

LibreOffice has a 'stealth mode' in which only documents from locations
deemed 'trusted' are allowed to retrieve remote resources. This mode is
not the default mode, but can be enabled by users who want to disable
LibreOffice's ability to include remote resources within a document. A
flaw existed where bullet graphics were omitted from this protection
prior to version 6.2.5. Users of this feature should upgrade to 6.2.5

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9849




[tdf-discuss] CVE-2019-9847

2019-05-08 Thread Caolán McNamara
tl;dr: Upgrade to 6.1.6 or 6.2.3

CVE-2019-9847 Executable hyperlink targets executed unconditionally on
activation

Before 6.1.6/6.2.3 under Windows and macOS when processing a hyperlink
target explicitly activated by the user, as in you explicitly click on
a hyperlink in some LibreOffice application, there was no judgment made
on whether the target was an executable file, so such executable
targets were launched unconditionally.

In the fixed versions, such executables are not executed on hyperlink
activation.






[tdf-discuss] security related information, CVE-2018-16858

2019-02-01 Thread Caolán McNamara
CVE-2018-16858: Directory traversal flaw in script execution

tl;dr: Fixed in 6.0.7 and 6.1.3

LibreOffice has a feature where documents can specify that
pre-installed macros can be executed on various document events such as
mouse-over, etc.

Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory
traversal attack where it was possible to craft a document which when
opened by LibreOffice would, when such common document events occur,
execute a python method from a script in any arbitrary file system
location, specified relative to the LibreOffice install location.

Typically LibreOffice is bundled with python, so an attacker has a set
of known scripts at a known relative file system location to work with.

In the 6.1 series, the problem was compounded by an additional feature
which enables specifying in the document arguments to pass to the
python method (Earlier series only allow a method to be called with no
argument). The bundled python happens to include a method which
executes via os.system one of its arguments, providing a simple route
in 6.1 to execute arbitrary commands via such a crafted document.

In the fixed versions, the relative directory flaw is fixed, and access
is restricted to scripts under the share/Scripts/python,
user/Scripts/python sub-directories of the LibreOffice install

Thanks to Alex Inführ for reporting this issue



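The containment rule described in the CVE-2018-16858 message above, written out as an added Python example (not LibreOffice's own code): a document-supplied script reference is resolved and rejected unless it stays under one of the two sub-directories the advisory names. The function name, the "share"/"user" keys, the install tree and the sample references are constructed for this illustration.

```python
import os
import tempfile
from urllib.parse import unquote

# The two sub-directories the advisory names, relative to the install location.
ALLOWED_SUBDIRS = {
    "share": os.path.join("share", "Scripts", "python"),
    "user": os.path.join("user", "Scripts", "python"),
}


class ScriptLocationError(ValueError):
    """A document-supplied script reference points outside the allowed roots."""


def resolve_script(install_root, area, reference):
    """Resolve a document-controlled script reference, or raise ScriptLocationError.

    install_root and the "share"/"user" area keys are assumptions of this example.
    """
    subdir = ALLOWED_SUBDIRS.get(area)
    if subdir is None:
        raise ScriptLocationError(f"unknown script area {area!r}")

    # Decode percent-escapes before judging the path, so an encoded "../"
    # is treated exactly like a literal one.
    decoded = unquote(reference)
    if not decoded or "\x00" in decoded or "\\" in decoded:
        raise ScriptLocationError(f"malformed reference {reference!r}")

    # realpath() collapses ".." segments and follows symlinks, so the
    # comparison is made on the location that would actually be opened.
    base = os.path.realpath(os.path.join(install_root, subdir))
    candidate = os.path.realpath(os.path.join(base, decoded))

    # commonpath() compares whole path components; a plain startswith()
    # would accept a sibling such as ".../python_extra".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ScriptLocationError(f"{reference!r} escapes {subdir}")
    return candidate


def demo():
    """Run constructed references against a throwaway install tree."""
    references = [
        "example_macro.py",                        # inside the allowed root
        "../../../program/helper.py",              # literal traversal
        "%2e%2e/%2e%2e/%2e%2e/program/helper.py",  # percent-encoded traversal
        "../python_extra/helper.py",               # sibling sharing the prefix
        "linked/helper.py",                        # symlink leading outside
        "/opt/elsewhere/helper.py",                # absolute path
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.join(tmp, "libreoffice")
        scripts = os.path.join(install, ALLOWED_SUBDIRS["share"])
        os.makedirs(scripts)
        os.makedirs(os.path.join(install, "program"))
        os.symlink(os.path.join(install, "program"), os.path.join(scripts, "linked"))
        for reference in references:
            try:
                resolve_script(install, "share", reference)
                results[reference] = "allowed"
            except ScriptLocationError:
                results[reference] = "rejected"
    return results


if __name__ == "__main__":
    for reference, verdict in demo().items():
        print(f"{verdict:8}  {reference}")
```
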

[tdf-discuss] security related information, CVE-2018-14939, no action required

2018-08-13 Thread Caolán McNamara
A CVE, CVE-2018-14939, was logged about a buffer overrun in our realpath
usage in function get_app_path. We contend there is no bug in
LibreOffice and no action is required.

https://www.libreoffice.org/about-us/security/advisories/CVE-2018-14939



[tdf-discuss] security related information, CVE-2018-10583

2018-05-24 Thread Caolán McNamara
CVE-2018-10583 was assigned for Information disclosure via SMB link
embedded in ODF document

A LibreOffice document with a linked image, which is on a samba share,
will cause LibreOffice to automatically initiate a samba connection to
retrieve the image. This is analogous to how opening HTML documents
which contain links to images on remote web sites are automatically
fetched by web browsers.

If this is combined with an underlying flaw in Microsoft Windows (NTLM
Hash Leaks) then this provides an additional vector by which a windows
user password hash can leak.

Since LibreOffice 5.4.7, and 6.0.4 in the 6.X series, end users or
administrators can disable this functionality to automatically fetch
such linked images via "tools->options->security->options->block any
links from documents not among the trusted locations". By default this
option remains off in those updates.

https://www.libreoffice.org/about-us/security/advisories/CVE-2018-10583
https://dylankatz.com/NTLM-Hashes-Microsoft%27s-Ancient-Design-Flaw/



[tdf-discuss] security related information, CVE-2018-10119, CVE-2018-10120

2018-04-18 Thread Caolán McNamara
TL;DR; Upgrade to >= 5.4.6 or >= 6.0.2

https://www.libreoffice.org/about-us/security/advisories/CVE-2018-10119

CVE-2018-10119 Use After Free in Structured Storage parser
Fixed in LibreOffice 5.4.5/6.0.1

LibreOffice before 5.4.5 and 6.x before 6.0.1 have a flaw in an edge
case in processing the structured storage ole2 wrapper file format. A
short datatype is used which can overflow resulting in a write to
recently freed data

https://www.libreoffice.org/about-us/security/advisories/CVE-2018-10120

CVE-2018-10120 Heap Buffer Overflow in MSWord Customizations parsing
Fixed in: LibreOffice 5.4.6/6.0.2

LibreOffice before 5.4.6 and 6.x before 6.0.2 have a flaw in an edge
case in processing a specific uncommon Microsoft Word record. An index
into a dynamically allocated buffer is used without bounds checking.



[tdf-discuss] security related information: CVE-2018-1055

2018-02-09 Thread Caolán McNamara
tl/dr: upgrade to 5.4.5/6.0.1

CVE-2018-1055: Remote arbitrary file disclosure vulnerability via
WEBSERVICE formula

LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local
file URL (e.g. file://) which can be used to inject local files into the
spreadsheet without warning the user. Subsequent formulas can operate
on that inserted data and construct a remote URL whose path leaks the
local data to a remote attacker.

In later versions of LibreOffice without this flaw, WEBSERVICE has now
been limited to accessing http and https URLs along with bringing
WEBSERVICE URLs under LibreOffice Calc's link management
infrastructure.

All users are recommended to upgrade to LibreOffice >= 5.4.5 or >=
6.0.1


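A triage check for incoming ODF files covering the two behaviours described in the CVE-2018-10583 and CVE-2018-1055 messages above: linked images that point at an SMB share, and WEBSERVICE formulas whose URL is not a literal http(s) address. This is an added Python example, not LibreOffice code; the sample document is constructed in memory, the finding labels are this example's own, and only content.xml is inspected.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
TABLE_FORMULA = "{urn:oasis:names:tc:opendocument:xmlns:table:1.0}formula"
# Captures an optional string literal as first argument and whether the call
# closes right after it (i.e. the literal is the whole URL, not a prefix).
WEBSERVICE_CALL = re.compile(r'WEBSERVICE\s*\(\s*(?:"([^"]*)"\s*(\))?)?', re.IGNORECASE)

# Constructed sample: one package-internal image, two images on a share,
# and three WEBSERVICE formulas (https literal, file literal, cell reference).
SAMPLE_CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
    xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <office:body><office:spreadsheet><table:table table:name="Sheet1">
    <table:shapes>
      <draw:frame><draw:image xlink:href="Pictures/logo.png"/></draw:frame>
      <draw:frame><draw:image xlink:href="smb://fileserver.example/share/logo.png"/></draw:frame>
      <draw:frame><draw:image xlink:href="file://fileserver.example/share/logo.png"/></draw:frame>
    </table:shapes>
    <table:table-row>
      <table:table-cell table:formula="of:=WEBSERVICE(&quot;https://example.org/feed.xml&quot;)"/>
      <table:table-cell table:formula="of:=WEBSERVICE(&quot;file:///etc/hostname&quot;)"/>
      <table:table-cell table:formula="of:=WEBSERVICE([.B2])"/>
    </table:table-row>
  </table:table></office:spreadsheet></office:body>
</office:document-content>
"""


def classify_href(href):
    """Label a link target that would be fetched from a file share, else None."""
    if href.startswith("\\\\"):
        return "unc-share"
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme == "smb":
        return "smb-share"
    if scheme == "file" and parts.netloc not in ("", "localhost"):
        return "file-url-with-host"
    return None


def classify_formula(formula):
    """Label WEBSERVICE calls that use a non-http(s) literal or a computed URL."""
    findings = []
    for match in WEBSERVICE_CALL.finditer(formula):
        literal, closed = match.group(1), match.group(2)
        if literal is not None:
            scheme = urlsplit(literal).scheme.lower()
            if scheme not in ("http", "https"):
                findings.append("webservice-non-http:" + (scheme or "none"))
        if literal is None or not closed:
            # URL built from cells or concatenation: cannot be judged statically.
            findings.append("webservice-computed-url")
    return findings


def scan_odf(data):
    """Return sorted (kind, detail) findings for an ODF package given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        # Stdlib parser keeps the example dependency-free; for hostile input
        # a hardened parser such as defusedxml is the safer choice.
        root = ET.fromstring(package.read("content.xml"))
    findings = set()
    for element in root.iter():
        href = element.get(XLINK_HREF)
        if href and classify_href(href):
            findings.add((classify_href(href), href))
        formula = element.get(TABLE_FORMULA)
        if formula:
            findings.update((kind, formula) for kind in classify_formula(formula))
    return sorted(findings)


def build_sample():
    """Package the constructed content.xml as a minimal in-memory .ods file."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        package.writestr("content.xml", SAMPLE_CONTENT)
    return buffer.getvalue()


if __name__ == "__main__":
    for kind, detail in scan_odf(build_sample()):
        print(f"{kind:26} {detail}")
```
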

[tdf-discuss] CVE-2017-8358 notice

2017-05-02 Thread Caolán McNamara
CVE-2017-8358 was filed for a heap buffer overflow in the JPG reader.
For the sake of clarity this specific bug was present from the 15th of
March 2017 to the 17th of March 2017 and was never included in any
release.



[tdf-discuss] security related information, CVE-2016-10327, CVE-2017-7856, CVE-2017-7870, CVE-2017-7882

2017-04-21 Thread Caolán McNamara
tl;dr: All users are recommended to upgrade to LibreOffice >= 5.2.5 or
>= 5.3.0.

Recently 4 CVEs were filed for LibreOffice, namely...

CVE-2016-10327 Heap-buffer-overflow in EMF filter
CVE-2017-7856  Heap-buffer-overflow in WMF filter
CVE-2017-7882  Heap-buffer-overflow in HWP filter
CVE-2017-7870  Heap-buffer-overflow in WMF filter polygon processing

They are all related to the google oss-fuzz program
(https://testing.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html)
of which we are part

These two:

CVE-2017-7856  Heap-buffer-overflow in WMF filter
CVE-2017-7882  Heap-buffer-overflow in HWP filter

refer to temporary defects which were introduced during the development
cycle and then fixed again before any release was made, so there is no
release affected by these specific issues.


These two however *are* in released products:

https://www.libreoffice.org/about-us/security/advisories/CVE-2016-10327
CVE-2016-10327 Heap-buffer-overflow in EMF filter

Enhanced Metafiles (EMF) can contain bitmap data preceded by a header
and a field within that header which states the offset from the start
of the header to the bitmap data. An emf can be crafted to provide an
illegal offset which if not tested for validity can trigger a heap
buffer overflow.

https://www.libreoffice.org/about-us/security/advisories/CVE-2017-7870
CVE-2017-7870  Heap-buffer-overflow in WMF filter polygon processing

Windows Metafiles (WMF) can contain polygons which under certain
circumstances when processed (split) can result in output polygons
which have too many points to be represented by LibreOffice's internal
polygon class. A heap buffer overflow could occur as the
attempt to split the polygon was assumed to succeed.

Everything is fixed in 5.2.5 and 5.3.0



[tdf-discuss] security related information, CVE-2017-3157

2017-02-22 Thread Caolán McNamara
Fixed in LibreOffice 5.1.6/5.2.2/5.3.0

---
CVE-2017-3157 Arbitrary file disclosure in Calc and Writer
http://www.libreoffice.org/about-us/security/advisories/CVE-2017-3157

Embedded Objects in writer and calc can contain previews of their
content. A document can be crafted which contains an embedded object
that is a link to an existing file on the target's system. On load the
preview of the embedded object will be updated to reflect the content
of the file on the target system. In the case of LibreOffice used as an
online service that preview of data on the target system could be used
to expose details of the environment LibreOffice is running in. In the
case of LibreOffice as a standard desktop application, the preview
could be concealed in hidden sections and retrieved by the attacker if
the document is saved and returned to sender.

In later versions of LibreOffice without this flaw the LinkUpdateMode
feature has been expanded to additionally control the update of
previews of embedded objects as well as its prior function to control
the update of embedded object contents.
---

This is somewhat similar to
https://www.libreoffice.org/about-us/security/advisories/CVE-2015-4551
but instead of the *content* of an embedded link to a file getting
updated this is limited to the *preview* of the file getting updated.



[tdf-discuss] security related information, CVE-2016-4324

2016-06-28 Thread Caolán McNamara
Parsing the Rich Text Format character style index was insufficiently
checked for validity. Documents can be constructed which dereference an
iterator to the first entry of an empty STL container.

All users are recommended to upgrade to LibreOffice >= 5.1.4

Thanks to the researchers working with Cisco Talos Security
Intelligence and Research Group for discovering this flaw.

C.



[tdf-discuss] security related information, CVE-2016-0794, CVE-2016-0795

2016-02-17 Thread Caolán McNamara
We had a set of lwp filter parsing issues.

CVE-2016-0795 LotusWordPro Bounds overflows in LwpTocSuperLayout
processing

This is fixed in 5.0.5 and 5.1.0

CVE-2016-0794 LotusWordPro Multiple bounds overflows in lwp filter

There was a bunch more which got fixed earlier in 5.0.4 and 5.1.0

Thanks to the researchers working with VeriSign iDefense Labs for
discovering these flaws.

C.



Re: [tdf-discuss] security related information, CVE-2015-4551, CVE-2015-5212, CVE-2015-5213, CVE-2015-5214

2015-11-09 Thread Caolán McNamara
On Sun, 2015-11-08 at 23:23 +0100, Rene Engelhard wrote:
> I did some research today based on the commit messages - and when I
> am not mistaken
> most of them are fixed in 5.0.0 but CVE-2015-5214 is fixed only in
> 5.0.1.
> (But still long before 5.0.3)

Yeah, rene's right. 5.0.1 is the oldest 5.0.X version where everything
is addressed, not 5.0.0. So 4.4.6+/5.0.1+ are the "good versions".

C.



[tdf-discuss] security related information, CVE-2015-4551, CVE-2015-5212, CVE-2015-5213, CVE-2015-5214

2015-11-05 Thread Caolán McNamara
Bottom Line: ensure you are upgraded to at least 4.4.6 or 5.0.0

Fixed in LibreOffice 4.4.6/5.0.0

CVE-2015-5214 DOC Bookmark Status Memory Corruption
http://www.libreoffice.org/about-us/security/advisories/cve-2015-5214/

Fixed in LibreOffice 4.4.5/5.0.0

CVE-2015-4551 Arbitrary file disclosure in Calc and Writer
http://www.libreoffice.org/about-us/security/advisories/cve-2015-4551/

CVE-2015-5212 ODF Integer Underflow (PrinterSetup Length)
http://www.libreoffice.org/about-us/security/advisories/cve-2015-5212/

CVE-2015-5213 DOC piecetable Integer Overflow
http://www.libreoffice.org/about-us/security/advisories/cve-2015-5213/

C.



Re: [tdf-discuss] New version of Hunspell is available

2014-07-16 Thread Caolán McNamara
On Sun, 2014-07-13 at 17:19 +0200, penttila wrote:
> Hi, A new Hunspell version (1.3.3) is out since 2014 Jun 2, after more
> than three years of development containing several bug fixes.
> (http://hunspell.sourceforge.net) Will this new version be included in
> the upcoming LibreOffice 4.3?

I can see that it's still 1.3.2 in 4-3, but with 9 additional patches
over the vanilla 1.3.2, so if there's a particular problem in 1.3.2
which makes you want to have 1.3.3 instead then it may already be
covered by one of those backports.

C.







[tdf-discuss] security related information, CVE-2014-0247

2014-07-10 Thread Caolán McNamara
A bit slow announcing this one personally, though it's been out on the
wires for distributions and other sources for a few weeks now.

LibreOffice 4.2.5 fixes a bug that crept into 4.1.4 onwards where the
vba macros in Microsoft Office documents loaded into LibreOffice would
effectively ignore the macro disabling code and be free to run
unhindered. You are recommended to upgrade to 4.2.5. Thanks to Stephen
Bergmann of Red Hat, Inc. for discovering this through his code review.

https://www.libreoffice.org/advisories/CVE-2014-0247/

C.




[tdf-discuss] security related information, CVE-2013-1752 CVE-2013-4238

2014-03-20 Thread Caolán McNamara
A bit slow announcing this one, the bundled python in 4.1.4 and earlier
has some various potential security flaws which are fixed in a later
version of python. So we now bundle that later version of python since
4.1.5. It's recommended to use that version of LibreOffice (unless you
get your LibreOffice as part of a Linux distro in which case python is
typically provided by the system rather than bundled into LibreOffice).

https://www.libreoffice.org/advisories/CVE-2013-1752/

C.




[tdf-discuss] security related information, CVE-2013-2189 and CVE-2013-4156

2013-07-26 Thread Caolán McNamara
Apache OpenOffice has announced the details of CVE-2013-2189 and
CVE-2013-4156 as they affect Apache OpenOffice, i.e.

CVE-2013-2189: OpenOffice DOC Memory Corruption
Vulnerability
http://permalink.gmane.org/gmane.comp.apache.maven.announce/1503

CVE-2013-4156: OpenOffice DOCM Memory Corruption Vulnerability 
http://permalink.gmane.org/gmane.comp.apache.maven.announce/1504

I have now put up equivalent advisory pages for LibreOffice as...

a) http://www.libreoffice.org/advisories/CVE-2013-2189/
CVE-2013-2189: Microsoft .doc Memory Corruption Vulnerability
We fixed this problem as a side effect of our fixes for CVE-2011-2713 so
any version of LibreOffice >= 3.4.3 is unaffected.

and

b) http://www.libreoffice.org/advisories/CVE-2013-4156/
CVE-2013-4156: Microsoft .docm Denial Of Service
We had done some additional work in that filter so for LibreOffice the
document triggered a NULL deref and immediate termination of the
application. So it's a mild denial of service issue for LibreOffice,
nevertheless upgrading to LibreOffice 3.6.7/4.0.4/4.1.0 will avoid the
DOS.

C.




Re: [board-discuss] hiring Christian Lohmaier

2013-06-11 Thread Caolán McNamara
On Mon, 2013-06-10 at 18:15 +0200, Florian Effenberger wrote:
> I hereby ask the board to
>
>   1. vote on hiring Christian Lohmaier, for a limited period of one year,
> part-time with 20 hours per week, specifically for web development, at
> costs not exceeding 25.000 € per year,
>
>   2. authorize Thorsten Behrens and me to sign the work contract on
> behalf of TDF

+1

C.





Re: [board-discuss] Request for auxiliary travel budget Dresden Impress Sprint

2013-03-04 Thread Caolán McNamara
On Fri, 2013-03-01 at 14:44 +0100, Thorsten Behrens wrote:
> I'd like the board to approve an extra € 1,000.00 for travel bursaries,
> only to be used when host budget has run dry.

+1, bring us back a new impress hacker.

C.





Re: [board-discuss] travel refund for Italo's trips

2013-02-14 Thread Caolán McNamara
On Thu, 2013-02-14 at 10:28 +0100, Florian Effenberger wrote:
> Hello,
>
> based on the recent discussions, I'd ask the board to vote on:
>
> 1. Having a budget of 2.500 € in total for Italo's trips to POSSCON,
> LibrePlanet and FOSSC Oman,
>
> 2. thereby revoking decision # 20121220-01 [1]

ok, +1

C.




Re: [board-discuss] additional FOSDEM budget

2013-01-29 Thread Caolán McNamara
On Mon, 2013-01-28 at 12:43 +0100, Florian Effenberger wrote:
> Hello,
>
> I'd like to ask the board to approve an additional 600 € for collaterals.

+1

C.

Maybe we should have a money available bot that adds a sig with that
amount to budget request emails :-)




Re: [board-discuss] Request: approve 523,60 € lawyer fees for drafting a work contract

2012-12-17 Thread Caolán McNamara
On Sat, 2012-12-15 at 01:57 +0100, Thorsten Behrens wrote:
> Dear board,
>
> we had hired counsel to come up with a suitable work contract to hire
> Florian. This has concluded, and the aforementioned fees are due,
> please approve the not-yet-budgeted amount.

+1

C.




[tdf-discuss] security-related information, CVE-2012-4233

2012-11-02 Thread Caolán McNamara
CVE-2012-4233: Multiple file format denial of service vulnerabilities
Fixed in: LibreOffice 3.5.7/3.6.1

Thanks to High-Tech Bridge for reporting these flaws. Users are
recommended to upgrade to 3.5.7 or 3.6.1 to avoid these flaws

There are fairly mild denial of service (libreoffice just crashes rather
than running off with your credit card) problems.

details:

http://www.libreoffice.org/advisories/cve-2012-4233/
https://www.htbridge.com/advisory/HTB23106

C.




[tdf-discuss] security-related information, CVE-2012-2665 Multiple heap-based buffer overflows in the XML manifest encryption handling code

2012-08-01 Thread Caolán McNamara
https://www.libreoffice.org/advisories/

CVE-2012-2665 Multiple heap-based buffer overflows in the XML manifest
encryption handling code

Multiple heap-based buffer overflow flaws were found in the XML
manifest encryption tag parsing code of LibreOffice. An attacker could
create a specially-crafted file in the Open Document Format for Office
Applications (ODF) format which when opened could cause arbitrary code
execution.

Thanks to Timo Warns of PRE-CERT for reporting this flaw. Users are
recommended to upgrade to 3.5.5 to avoid this flaw

C.




Re: [board-discuss] budget for project weekend

2012-06-25 Thread Caolán McNamara
On Mon, 2012-06-25 at 13:49 +0200, Florian Effenberger wrote:
> +1 from my side, but we need some more votes to reach a quorum
>
> Florian Effenberger wrote on 2012-06-20 15:37:
>
> > Would the board be willing to approve up to, let's say, 200 € expenses
> > for that?

sure sure, +1

C.





[tdf-discuss] security-related information, CVE-2012-1149, CVE-2012-2334

2012-05-16 Thread Caolán McNamara
https://www.libreoffice.org/advisories/

CVE-2012-1149 Integer overflows in graphic object loading

An integer overflow vulnerability in LibreOffice graphic loading code
could allow a remote attacker to cause a denial of service (application
crash) or potentially execute arbitrary code on vulnerable
installations of LibreOffice.

Thanks to Tielei Wang via Secunia SVCRP for reporting this flaw. Users
are recommended to upgrade to 3.5.3 to avoid this flaw

CVE-2012-2334 Denial of Service with malformed .ppt files

Reading invalid record lengths in LibreOffice powerpoint (escher)
import code could allow a remote attacker to cause a denial of service
(application crash) on vulnerable installations of LibreOffice.

Thanks to Sven Jacobi for reporting this flaw. Users are recommended to
upgrade to 3.5.3 to avoid this flaw

C.




Re: [tdf-discuss] Re: security-related information, CVE-2012-1149, CVE-2012-2334

2012-05-16 Thread Caolán McNamara
On Wed, 2012-05-16 at 12:29 -0700, NoOp wrote:
> Any idea if 3.5.3 also addresses this one that also came out today?
> http://www.openoffice.org/security/cves/CVE-2012-2149.html

This is actually libwpd, which gets bundled into non-distro builds.
The advisory relates to a very old version of libwpd bundled into the
last OpenOffice.org release. LibreOffice 3.3.X already contained a
sufficiently recent version of libwpd to be unaffected by that, so
you're fine with any version of LibreOffice.

> the filter can be patched rather than removed like AOO.

The filter got removed from AOO due to being under the LGPL (!)
https://cwiki.apache.org/OOOUSERS/ipclearance.html

C.




Re: [tdf-discuss] Can't get LibreOffice to compile (dev-install)

2011-12-14 Thread Caolán McNamara
On Tue, 2011-12-13 at 15:44 -0800, gptscorp wrote:
> Hello,
>
> I have followed the instructions on
> http://www.libreoffice.org/get-involved/developers/ several times and get
> all types of quirky messages, and no matter what I do the build do succeed.
> What am I doing wrong?  In help/suggestions are appreciated.  I am building
> on a Windows 7 box with 2GB RAM and 260GB disk space.

We'd need to know what the messages are to hazard a guess.

C.




Re: [steering-discuss] Board of Directors Candidacy: Caolán McNamara

2011-10-12 Thread Caolán McNamara
On Sat, 2011-10-08 at 17:11 +0300, David Nelson wrote: 
> I would like to ask whether you would be willing to make a commitment
> for a term of office on the BoD.

Sure.

> I am certain that you will assure us that you support openness of the
> source code of LibreOffice.

Sure, apple pie and motherhood too.

> But I would like to put it to you that no software source code is
> truly open until it has been rendered as understandable as possible to
> as many people as possible.

err, sure, it would be nice to have source code as understandable as
possible. It might be a bit of a stretch to conclude that it's not open if
developer documentation is somewhat on the slight side.

> The solution of interested individuals gleaning knowledge by lurking
> and asking questions on IRC is not an effective and community-oriented
> method of sharing knowledge.

*shrug*, most questions are asked and answered on the mailing list,
where they can be archived so they don't have to be asked again. irc
tends towards more real time chat on specific right now problems
rather than a stomping ground for discussing anything indepth.

> Would you be willing to commit yourself to actively work ... on
> developing global design documentation

No. I couldn't make such a commitment.

> I am thinking of something along the lines of:
...

> Please may I ask your thoughts about this idea and whether you would
> explicitly agree to be part of it?

Well, here's what I *have* written, lazy uno hackers guide to porting,
default paper size selection, various bits of
http://wiki.documentfoundation.org/Development/FAQ
http://wiki.documentfoundation.org/Development/String_Classes and bits
and pieces like that. Generally stuff which gets asked of me a lot so
it's less time to write it up once than repeat it on every question, or
stuff that was sufficiently difficult that I know I won't remember it
in a few weeks time.

Personally, I reckon developers hate wrong documentation more than
they hate no documentation. I mean, they would be compelled by their
natures to *fix* incorrect documentation far more than they could be
motivated to write correct documentation in the first place ;-)

C.

As an aside, I think we can somewhat lower the barrier to entry a good
bit here and there by removing the necessity for specific LibreOffice
documentation, e.g. there's great work underway with the various
macro-based list things to replace them with stl, so necessity to
document libreoffice-specific code goes away when it's the same stuff as
found in any standard reference manual.




[tdf-discuss] Board of Directors Candidacy: Caolán McNamara

2011-09-30 Thread Caolán McNamara
Who am I: Reasonably experienced software developer, involved in
LibreOffice and predecessors since 2000. Employed by Red Hat since 2005,
and Sun Microsystems prior to that.

What I do: Full time LibreOffice developer. All round code dogsbody but,
historically at least, most interested in file format import/export,
e.g. much of binary MSWord import/export code is my fault. I currently
help man the documentfoundation security list, review code, fix bugs and
dabble in an occasional new feature.

Why I'd be useful: I'll make no great claims to my utility in organizing
matters legal, but both as a fulltime developer on the project and as a
representative of a growing number of LibreOffice developers at Red Hat,
I believe I can help provide a helpful balance of interests in the
board.

Full Name  email: Caolán McNamara caol...@redhat.com
Corporate Affiliation: Red Hat, Inc.

C.





[steering-discuss] Board of Directors Candidacy: Caolán McNamara

2011-09-30 Thread Caolán McNamara
Who am I: Reasonably experienced software developer, involved in
LibreOffice and predecessors since 2000. Employed by Red Hat since 2005,
and Sun Microsystems prior to that.

What I do: Full time LibreOffice developer. All round code dogsbody but,
historically at least, most interested in file format import/export,
e.g. much of binary MSWord import/export code is my fault. I currently
help man the documentfoundation security list, review code, fix bugs and
dabble in an occasional new feature.

Why I'd be useful: I'll make no great claims to my utility in organizing
matters legal, but both as a fulltime developer on the project and as a
representative of a growing number of LibreOffice developers at Red Hat,
I believe I can help provide a helpful balance of interests in the
board.

Full Name  email: Caolán McNamara caol...@redhat.com
Corporate Affiliation: Red Hat, Inc.

C.






Re: [tdf-discuss] Lotus Wordpro specifications? Other format specs?

2011-09-14 Thread Caolán McNamara
On Tue, 2011-09-13 at 22:09 -0500, J.B. Nicholson-Owens wrote:
> Caolán McNamara wrote:
> > We don't have a lot of these documents for testing. Two actually :-),
>
> If one wanted to learn about the format of Lotus Wordpro files, where
> would one go to get specification information?

Not sure really, I don't happen to have any docs myself. More than
likely the old-school .lwp format we're talking about here is the same
basic format as Ami Pro, so http://www.wotsit.org and the SAM Ami Pro
format is possibly a place to start, and/or the lotuswordpro filter in
LibreOffice.

> More generally, does TDF keep specs for various document formats online
> somewhere?

Nope, well in general no. There are snippets about some formats here and
there but typically no secret stash of file formats that aren't
available generally on the web.

C.





Re: [tdf-discuss] Lotus Wordpro specifications? Other format specs?

2011-09-14 Thread Caolán McNamara
On Wed, 2011-09-14 at 16:23 +0200, Carlo Strata wrote:
> If there is a code that we can point to (and that we'll have to get to
> improve quality and interoperability) this is surely that of all Lotus
> native read/write filters!!! Of course! :-) ;-)

The irony is that AOOo doesn't actually have a LotusWordPro import
filter while LibreOffice does.

Symphony might have one, but the source for that isn't available. There
was an announcement a number of months ago that it would be, but no
indication of a timeline as far as I understand.

C.




Re: [tdf-discuss] Lotus Wordpro files

2011-09-13 Thread Caolán McNamara
On Wed, 2011-08-31 at 11:06 -0400, subs wrote:
> On 8/31/2011 10:54 AM, Caolán McNamara wrote:
>
> > We don't have a lot of these documents for testing. Two actually :-),
> > Sent this early.
> >
> > http://cgit.freedesktop.org/libreoffice/core/plain/lotuswordpro/qa/cppunit/data/pass/A14.lwp
> > http://cgit.freedesktop.org/libreoffice/core/plain/lotuswordpro/qa/cppunit/data/pass/IntPres11-2004.lwp
> >
> > are the two docs, downloaded locally they work for me in 3.4. Do you
> > have some docs, which you can share, which used to open in some LibO, or
> > go-oo or something, which no longer do?
> >
> > C.
>
>
> I could probably find a couple.
> Would you like me to email them directly to you?

Not really, I'm looking more for public documents which could be worked
into regular regression tests or into a document repository for
occasional regression tests.

C.





Re: [tdf-discuss] how change macro security level?

2011-09-08 Thread Caolán McNamara
On Mon, 2011-08-29 at 12:55 -0400, Terrence Enger wrote:
> On Mon, 2011-08-29 at 09:00 +0100, Caolán McNamara wrote:
> > On Sun, 2011-08-28 at 07:34 -0400, Terrence Enger wrote:
> > > The remaining questions are ... Does anybody else share the
> > > problem of the ineffective MacroSecurity... button?
> >
> > No, works fine here.
> >
> > > Does anybody care?
> >
> > Sure, but it works for me.
>
> Thank you.
>
> I shall relax about the issue until I know more.

It's because of your --disable-mozilla. The relevant macro security
dialog code is included in a library only built and installed when moz
is included. Fixed this now in master to always include the dialog.

C.





Re: [tdf-discuss] Lotus Wordpro files

2011-08-31 Thread Caolán McNamara
On Wed, 2011-08-31 at 08:23 -0400, libo wrote:
> Is anyone able to open Lotus Wordpro files in any Version 3.4?
> 3.4.2 would generate an I/O error and 3.4.3 gives me a blank file.


We don't have a lot of these documents for testing. Two actually :-),





Re: [tdf-discuss] Lotus Wordpro files

2011-08-31 Thread Caolán McNamara
On Wed, 2011-08-31 at 15:51 +0100, Caolán McNamara wrote:
> On Wed, 2011-08-31 at 08:23 -0400, libo wrote:
> > Is anyone able to open Lotus Wordpro files in any Version 3.4?
> > 3.4.2 would generate an I/O error and 3.4.3 gives me a blank file.
>
>
> We don't have a lot of these documents for testing. Two actually :-),

Sent this early.

http://cgit.freedesktop.org/libreoffice/core/plain/lotuswordpro/qa/cppunit/data/pass/A14.lwp
http://cgit.freedesktop.org/libreoffice/core/plain/lotuswordpro/qa/cppunit/data/pass/IntPres11-2004.lwp

are the two docs, downloaded locally they work for me in 3.4. Do you
have some docs, which you can share, which used to open in some LibO, or
go-oo or something, which no longer do?

C.





Re: [tdf-discuss] how change macro security level?

2011-08-29 Thread Caolán McNamara
On Sun, 2011-08-28 at 07:34 -0400, Terrence Enger wrote:
> The remaining questions are ... Does anybody else share the
> problem of the ineffective MacroSecurity... button?

No, works fine here.

> Does anybody care?

Sure, but it works for me.

C.




Re: [tdf-discuss] identifying version of soffice.bin

2011-08-29 Thread Caolán McNamara
On Sun, 2011-08-28 at 08:29 -0400, Terrence Enger wrote:
> Hello, all.
>
> Now that my system holds more than one build from master, my
> small mind is even more subject to confusion than it used to
> be.  So, I wonder ...
>
> (*) Is there an easy way to display the build id of
> soffice.bin to the sysout or syserr?

Well, because we use a continuous master we're now using git ids as
the build-ids, i.e. the string in help about is derived from

 ./g -s log -n 1 --pretty=format:%h-

at make dev-install/package generation time

You can find that id in the install set in program/setuprc so 

 grep buildid install/program/setuprc
should match the output of
 ./g -s log -n 1 --pretty=format:%h-
if there was no intervening pull

C.




Re: [tdf-discuss] When can we have a API to send Emails ?

2011-06-24 Thread Caolán McNamara
On Wed, 2011-06-22 at 14:18 +0200, Fernand Vanrie wrote:
> So please can someone make this small change in the API

You *might* get some change out of the com.sun.star.mail.MailMessage
service which implements XMailMessage which has a (horribly-complex)
route to set the body of the email. 

(com.sun.star.mail.MailMessage is implemented by the emailmerge
component while com.sun.star.system.SimpleSystemMail is implemented by
something quite different)

C.

