Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 26 Nov 2014 18:43:30 +0300
From: Alexander Cherepanov <>
CC: Michael Meeks <>,, Caolán McNamara
 <>, Miklos Vajna <>, 
 Moritz Muehlenhoff <>
Subject: Re: Re: CVE Request: LibreOffice -- several issues


[I'm CC'ing Michael Meeks, and
the guys from the cited thread. The start of the current thread is
here: .]

On 26.11.2014 10:46, wrote:
 >> Crash importing malformed .rtf -- potentially exploitable for RCE
 > Use CVE-2014-9093 for bug 86449.


 > (For reference, is
 > about finding a series of bugs in version 3.5.4 on Debian stable -- in
 > other words, a version based on a mid-2012 codebase -- and reporting
 > them directly upstream without commenting on 4.2.x or 4.3.x.)
 > For the others, in addition to the
 > post,

This post linked to Unfortunately,
the discussion there was quite brief and the only reason mentioned
seems to be a potentially sheer number of such issues. I don't feel
it's a valid reason without clearly documenting such an approach in
documentation intended for users (and for security researchers).

Then, in,
Moritz Muehlenhoff writes: "For an application profile such as an
office suite handing out CVE IDs to crash/CPU overload bug w/o
potential of code injection is a waste of time and impractical". This
is ambiguous as there are different office suite with different
behabvior in regard to crashes. E.g., crashed instance of AbiWord
doesn't take other windows with it.

Then, there is autosaving in LibreOffice. By default it's triggered
every 15 minutes. Hence only the last 15 minutes (or less) of work in
all windows is lost when a crash (or cpu load bug) happens (in default
configuration). This can also affect assessment of crashes as
non-/security issues. But it will be nice to explicitly state why and
which issues are considered non-/security.

 > "Michael
 > Meeks from indicated that they
 > are not interested in CVEs for DoS-only crashers" is also relevant.
 > This has multiple possible interpretations, e.g., "not interested"
 > because their security team won't track the issues using CVEs, or "not
 > interested" because they are not vulnerabilities.

I guess it will be better for folks from LibreOffice to comment on
this directly.

 > The "is a security
 > issue because it takes down all other windows with it" is often
 > relevant to CVE because it represents a default security policy if
 > there is no information from a vendor about their security policy.

Yes, that's what I got from your earlier emails. Thanks for confirming

 > However, a vendor is free to establish a security policy such as "if
 > you are working with a potentially untrusted file, you MUST NOT have
 > any other windows open in which you are maintaining state about your
 > other editing work." In other words, they can define all DoS-only
 > crashers to be applicable only in unsupported use cases.

And a vendor can even establish a security policy such as "you MUST
NOT work with potentially untrusted files". It's not ideal but it's
better to have a policy which accurately reflect the real
situation. (The example is speculative, I don't imply anything about
the real situation with LibreOffice.)

Unfortunately I don't see any such policy stated anywhere. One of the
natural places for it would be the page dedicated to security in
LibreOffice: . But it
doesn't touch the question of security policy. Instead, it links to
the list of security advisories: , which
happily lists several DoS issues: CVE-2012-4233, CVE-2013-4156. IMHO
this reaffrims the default security policy.

I don't see any security policy in the Help too.

Alexander Cherepanov

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.