Date: prev next · Thread: first prev next last
2011 Archives by date, by thread · List index

On 11/22/2011 06:59 AM, Miyoshi Omori wrote:

Clean up is after 3.4.3.
Migrating to 3.4 is difficult, but have to do.
Nice to solve this problem.

Thank you

However... There has been no change to these links regarding 3.3.4:
[Despite the fact that Huzaifa Sidhpurwala reported that it is not a
security issue and "notabug" on 5-Oct-2011 (the same day as the LO
* cpe:/
* cpe:/a:libreoffice:libreoffice:3.3.0
* cpe:/a:libreoffice:libreoffice:3.3.1
* cpe:/a:libreoffice:libreoffice:3.3.2
* cpe:/a:libreoffice:libreoffice:3.3.3
* cpe:/a:libreoffice:libreoffice:3.3.4
* cpe:/a:libreoffice:libreoffice:3.4.0
* cpe:/a:libreoffice:libreoffice:3.4.1
* cpe:/a:libreoffice:libreoffice:3.4.2 and previous versions
* Denotes Vulnerable Software

In an earlier thread I specifically asked about 3.3.4 on 12 Oct:
where I was informed that the "security fix" was backported to 3.3.4.
So I don't know what to believe.

Gary Lee (NoOp)

2011/11/22 NoOp <>

On 11/20/2011 07:26 AM, Volker Merschmann wrote:

2011/11/20 Miyoshi Omori <>:
My request is  about information security.

Security issues have already been announced as, CVE-2011-2713
corresponds to a comment.
TDF as information, but said that it had been made LibreOffice
3.4.3 and 3.3.4  fixed.
According to NIST report,
3.3.4 is classified as a vulnerable version on this security issue.
If it is incorrect, could you formally request a modification of
information as TDF.
As a user, it is also a serious problem.

Thanks for reporting, I also think the information about 3.3.4 is
incorrect there.

Your mail has been forwarded to the security team.

[(CVE-2011-2713) CVE-2011-2713 Out-of-bounds read in DOC
sprm parser]
Status:         CLOSED NOTABUG

Huzaifa S. Sidhpurwala 2011-10-05 06:40:46 EDT

It initially appeared that this flaw may be exploitable similar to
CVE-2010-3452, where an OOB Read caused Arbitrary Code Execution. However
the case of this particular flaw, the junk data read is just parsed into an
internal representation of properties and the maximum harm this should
cause in
application crash (Denial Of Service).

- Reported to on 25-July-2011
- Recieved a reply (with
copied) on
the same date
- Release date changed with a few delays in between
- Release on 5-Oct-2011


This issue results in an OOB read which is not exploitable for arbitrary
execution and can simply cause a crash. We do not consider this as a

Unsubscribe instructions: E-mail to
Posting guidelines + more:
List archive:
All messages sent to this list will be publicly archived and cannot be

Unsubscribe instructions: E-mail to
Posting guidelines + more:
List archive:
All messages sent to this list will be publicly archived and cannot be deleted


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.