Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 26 Nov 2014 16:48:50 +0000
From: Caolán McNamara <>
To: Alexander Cherepanov <>
        Michael Meeks
        Miklos Vajna <>, Moritz
 Muehlenhoff <>
Subject: Re: [Officesecurity] Re: CVE Request: LibreOffice --
 several issues

On Wed, 2014-11-26 at 18:43 +0300, Alexander Cherepanov wrote:
> , which
> happily lists several DoS issues: CVE-2012-4233, CVE-2013-4156. IMHO
> this reaffrims the default security policy.

>From our side, the page is generally intended to just list all resolved
CVEs which were opened wrt LibreOffice (and a few which were opened
against libraries bundled into upstream provided LibreOffice builds).
There's no filtering out of any CVEs logged about LibreOffice that might
be considered not significant.

Again, from our side, when presented with DoS documents we do tend to
push back against granting them security bug status. Not that we don't
think they are serious, just that we think they don't merit extra
special (time expensive) security level handing. I *think* 2012-4233 was
issued/requested directly by the discoverer high-tech bridge security
research. Maybe it initially looked a bit more serious than it turned

In other cases e.g. 2012-4156 the affected application is really Apache
OpenOffice not LibreOffice but the same document that corrupts AOO
causes us to deref a NULL and fall over so it got listed there because
we people asked about it, given our shared code base origin. (maybe
something similar was also the case for 2012-4233, I forget, it was
years ago)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.