openSUSE Security Update : LibreOffice and related libraries (openSUSE-2016-273)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for LibreOffice and some library dependencies
(cmis-client, libetonyek, libmwaw, libodfgen, libpagemaker,
libreoffice-share-linker, mdds, libwps) fixes the following issues :

Changes in libreoffice :

- Provide l10n-pt from pt-PT

- boo#945047 - LO-L3: LO is duplicating master pages,
extended fix

- boo#951579 - LO-L3: [LibreOffice] Calc 5.0 fails to open
ods files

- deleted RPATH prevented loading of bundled 3rd party RDF
handler libs

- Version update to 5.0.4.2 :

- Final of the 5.0.4 series

- boo#945047 - LO-L3: LO is duplicating master pages

- Version update to 5.0.4.1 :

- rc1 of 5.0.4 with various regression fixes

- boo#954345 - LO-L3: Insert-->Image-->Insert as Link
hangs writer

- Version update to 5.0.3.2 :

- Final tag of 5.0.3 release

- Fix boo#939996 - LO-L3: Some bits from DOCX file are not
imported

- Fix boo#889755 - LO-L3: PPTX: chart axis number format
incorrect

- boo#679938 - LO-L3: saving to doc file the chapter name
in the header does not change with chapters

- Version update to 5.0.3RC1 as it should fix i586 test
failure

- Update text2number extension to 1.5.0

- obsolete libreoffice-mono

- pentaho-flow-reporting require is conditional on
system_libs

- Update icon theme dependencies

- https://lists.debian.org/debian-openoffice/2015/09/msg00343.html

- Version bump to 5.0.2 final fate#318856 fate#319071
boo#943075 boo#945692 :

- Small tweaks compared to rc1

- For sake of completion this release also contains
security fixes for boo#910806 CVE-2014-8147, boo#907636
CVE-2014-9093, boo#934423 CVE-2015-4551, boo#910805
CVE-2014-8146, boo#940838 CVE-2015-5214, boo#936190
CVE-2015-5213, boo#936188 CVE-2015-5212, boo#934423
CVE-2015-45513

- Use gcc48 to build on sle11sp4

- Make debuginfo's smaller on IBS.

- Fix chrpath call after the libs got -lo suffixing

- Add patch to fix qt4 features detection :

- kde4filepicker.patch

- Split out gtk3 UI to separate subpkg that requires gnome
subpkg

- This is to allow people to test gtk3 while it is not the
default

- Version update to 5.0.2 rc1 :

- Various small tweaks and integration of our SLE11
patchsets

- Update constraints to 30 GB on disk

- Version bump to 5.0.1 rc2 :

- breeze icons extension

- Credits update

- Various small fixes

- Version bump to 5.0.1 rc1 :

- Various small fixes

- Has some commits around screen rendering -> could fix
kde bugs

- Kill branding-openSUSE, stick to TDF branding.

- Version bump to 5.0 rc5 :

- Bunch of final touchups here and there

- Remove some upstreamed patches :

- old-cairo.patch

- Add explicit requires over libmysqlclient_r18, should
cover boo#829430

- Add patch to build with old cairo (sle11).

- Version bump to 5.0 rc3 :

- Various more fixes closing on the 5.0 release

- Update to 5.0 rc2 :

- Few small fixes and updates in internal libraries

- Version bump to 5.0 rc1, remove obsolete patches :

- 0001-Fix-could-not-convert-.-const-char-to-const-rtl-OUSt.patch

- 0001-writerperfect-fix-gcc-4.7-build.patch

- More chrpath love for sle11

- Add python-importlib to build/requirements on py2
distros

- Provide/obsolete crystal icons so they are purged and
not left over

- Fix breeze icons handling, drop crystal icons.

- Version bump to 5.0.0.beta3 :

- Drop merged patch
0001-Make-cpp-poppler-version.h-header-optional.patch

- Update some internal tarballs so we keep building

- based on these bumps update the buildrequires too

- Generate python cache files wrt boo#929793

- Update %post scriptlets to work on sle11 again

- Split out the share -> lib linker to hopefully allow
sle11 build

- One more fix for help handling boo#915996

- Version bump to 4.4.3 release :

- Various small fixes all around

- Disable verbose build to pass check on maximal size of
log

- We need pre/post for libreoffice in langpkgs

- Use old java for detection and old commons-lang/codec to
pass brp check on java from sle11

- 0001-Make-HAVE_JAVA6-be-always-false.patch

- Revert last changeset, it is caused by something else
this time :

- 0001-Set-source-and-target-params-for-java.patch

- Set source/target for javac when building to work on
SLE11 :

- 0001-Set-source-and-target-params-for-java.patch

- Try to deal with rpath on bundled libs

- Fix python3_sitelib not being around for py2

- Add internal make for too old system

- One more stab on poppler switch :

- 0001-Make-cpp-poppler-version.h-header-optional.patch

- Update the old-poppler patch to work correctly :

- 0001-Make-cpp-poppler-version.h-header-optional.patch

- Sort out more external tarballs for the no-system-libs
approach

- Add basic external tarballs needed for
without-system-libraries

- Add patch to check for poppler more nicely to work on
older distros :

- 0001-Make-cpp-poppler-version.h-header-optional.patch

- Try to pass configure without system libs

- Allow switch between py2 and py3

- Move external dependencies in conditional thus allow
build on SLE11

- Add conditional for noarch subpackages

- Add switch in configure to detect more of
internal/external stuff

- Add conditional for appdatastore thing and redo it to
impact the spec less

- Add systemlibs switch to be used in attempt to build
sle11 build

- Silence more scary messages by boo#900186

- Fixes autocorr symlinking

- Cleans UNO cache in more pretty way

- Clean up the uno cache removal to not display scary
message boo#900186

- Remove patch to look for help in /usr/share, we symlink
it back to lib, so there is no actual need to search for
it directly, might fix boo#915996 :

- officecfg-help-in-usr-share.diff

- --disable-collada

- reportedly it does not work in LibreOffice 4.4

- added version numbers to some BuildRequires lines

- Require flow engine too on base

- Fix build on SLE12 and 13.1 by adding conditional for
appdata install

- Fix up the installed appdata.xml files: they reference
.desktop files that are not installed by libreoffice
(boo#926375).

- Version bump to 4.4.2 :

- 2nd bugfix update for the 4.4 series

- BuildRequires: libodfgen-devel >= 0.1

- added version numbers to some BuildRequires lines

- build does not require python3-lxml

- build requires librevenge-devel >= 0.0.1

- vlc media backend is broken, don't use it. Only
gstreamer should be used.

- Install the .appdata.xml files shipped by upstream:
allow LO to be shown in AppStream based software
centers.

- Move pretrans to pre

- Version bump to 4.4.1 first bugfix release of the series

- Reduce the compilation preparations a bit, as we prepped
most of the things by _constraints and it is no longer
needed

- %pre is not enough the script needs to be rewritten in
lua

- Move removal of obsolete dirs from %pretrans to %pre
boo#916181

- Version bump to 4.4.0 final :

- First in the 4.4 series

- First release to have the new UI elements without old
hardcoded sizes

- Various improvements all around.

- Version bump to 4.4.0rc2 :

- Various bugfixes, just bumping to see if we still build
fine.

- That verbose switch for configure was a really, really bad
idea

- generic images.zip for galaxy icons seem gone so remove

- Do not supplement kde3 stuff, it is way beyond obsolete

- Remove vlc conditional

- korea.xcd is no more so remove

- Really use mergelib

- Disable telepathy, it really is experimental like hell

- Version bump to 4.4.0rc1 :

- New 4.4 branch release with additional features

- Enable collada :

- New bundled collada2gltf tarball:
4b87018f7fff1d054939d19920b751a0-collada2gltf-master-cb1d97788a.tar.bz2

- Remove erroneous self-obsolete in lang pkgs.

- Version bump to 4.3.3.2 :

- Various bugfixes from maintenance branch to copy
openSUSE.

- Also contains fix for boo#900214 and boo#900218
CVE-2014-3693

- fix regression in bullets (boo#897903).

- Add masterpage_style_parent.odp as new file for
regression test for bullets.

Changes in cmis-client :

- Update to version 0.5.0

+ Completely removed the dependency on InMemory server for
unit tests

+ Minimized the number of HTTP requests sent by
SessionFactory::createSession

+ Added Session::getBaseTypes()

- Bump soname to 0_5-5

- Bump incname to 0.5

Changes in libetonyek :

- Version bump to 0.1.3 :

- Various small fixes

- More imported now imported

- Now use mdds to help with some hashing

- Version bump to 0.1.2 :

- Initial support for pages and numbers

- Ditch libetonyek-0.1.1-constants.patch as we do not
require us to build for older boost

Changes in libmwaw :

- Version bump to 0.3.6 :

- Added a minimal parser for ApplePict v1.v2, ie. no
clipping, does not take in account the copy mode:
srcCopy, srcOr, ...

- Extended the --with-docs configure option to allow to
build doc only for the API classes:
--with-docs=no|api|full .

- Added a parser for MacDraft v4-v5 documents.

- RagTime v5-v6 parser: try to retrieve the main layouts
and the picture/shape/textbox, ie. now, it generates
result but it is still very incomplete...

- MWAW{Graphic,Presentation,Text}Listener: corrected a
problem in openGroup which may create an incorrect
document.

- Created an MWAWEmbeddedObject class to store a picture
with various representations.

- MWAW*Listener: renamed insertPicture to insertShape,
added a function to insert a textbox in a
MWAWGraphicShape (which only inserts a basic textbox).

- Fixed many crashes and hangs when importing broken
files, found with the help of american-fuzzy-lop.

- And several other minor fixes and improvements.

- Version bump to 0.3.5

- Various small fixes on 0.3 series, nothing big worth
mentioning

Changes in libodfgen :

- Version bump to 0.1.4 :

- drawing interface: do not forget to call
startDocument/endDocument when writing in the manifest

- metadata: added handler for 'template' metadata, unknown
metadata are written in a meta:user-defined elements,

- defineSheetNumberingStyle: can now define styles for the
whole document (and not only for the actual sheet)

- update doxygen configuration file + add a make astyle
command

- Allow writing meta:creation-date metadata element for
drawings and presentations too.

- Improve handling of headings. Most importantly, write
valid ODF.

- Write meta:generator metadata element.

- Add initial support for embedded fonts. It is currently
limited to Flat ODF output.

- Upgrade to version 0.1.2

- Use text:h element for headings. Any paragraph with
text:outline-level property is recognized as a heading.

- Handle layers.

- Improve handling of styles. Particularly, do not emit
duplicate styles.

- Slightly improve documentation.

- Handle master pages.

- Do not expect that integer properties are always in
inches.

- Fix misspelled style:paragraph-properties element in
presentation notes.

- Only export public symbols on Linux.

- Fix bogus XML-escaping of metadata values.

- And many other improvements and fixes.

Changes in libpagemaker :

- Initial package based on upstream libpagemaker 0.0.2

Changes in libreoffice-share-linker :

- Initial commit, split out from main libreoffice package
to workaround issues on SLE11 build

Changes in mdds :

- Update to version 0.12.1 :

- Various small fixes on 0.12 series

- Just move define up and comment why we redefine docdir

- more types are possible in segment_tree data structures
(previously only pointers were possible)

- added sorted_string_map

- multi_type_vector bugfixes

Changes in libwps :

- Update to version 0.4.1 :

+ QuattroPro: correct a mistake when reading negative
cell's position.

+ Fix some Windows build problems.

+ Fix more than 10 hangs when reading damaged files, found
with the help of american-fuzzy-lop.

+ Performance: improve the sheet's output generation.

+ add support for unknown encoding files (ie. DOS file)

+ add potential support for converting Lotus, ...
documents,

+ accept to convert all Lotus Wk1 files and Symphony Wk1
files,

+ add support for Lotus Wk3 and Wk4 documents,

+ add support for Quattro Pro Wq1 and Wq2 documents,

+ only in debug mode, add pre-support for Lotus Wk5...,
must allow to retrieve the main sheets content's with no
formatting,

+ add potential support for asking the document's password
( but do nothing )

+ correct some compiler warnings when compiling in debug
mode.

+ Fix parsing of floating-point numbers in specific cases.

+ Fix several minor issues reported by Coverity and Clang.

+ Check arguments of public functions. Passing NULL no
longer causes a crash.

+ Use symbol visibility on Linux. The library only exports
the public functions now.

+ Import @TERM and @CTERM functions (fdo#86241).

+ Handle LICS character encoding in spreadsheets
(fdo#87222).

+ Fix a crash when reading a broken file, found with the
help of american-fuzzy-lop.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=679938
https://bugzilla.opensuse.org/show_bug.cgi?id=829430
https://bugzilla.opensuse.org/show_bug.cgi?id=889755
https://bugzilla.opensuse.org/show_bug.cgi?id=897903
https://bugzilla.opensuse.org/show_bug.cgi?id=900186
https://bugzilla.opensuse.org/show_bug.cgi?id=900214
https://bugzilla.opensuse.org/show_bug.cgi?id=900218
https://bugzilla.opensuse.org/show_bug.cgi?id=907636
https://bugzilla.opensuse.org/show_bug.cgi?id=910805
https://bugzilla.opensuse.org/show_bug.cgi?id=910806
https://bugzilla.opensuse.org/show_bug.cgi?id=915996
https://bugzilla.opensuse.org/show_bug.cgi?id=916181
https://bugzilla.opensuse.org/show_bug.cgi?id=926375
https://bugzilla.opensuse.org/show_bug.cgi?id=929793
https://bugzilla.opensuse.org/show_bug.cgi?id=934423
https://bugzilla.opensuse.org/show_bug.cgi?id=936188
https://bugzilla.opensuse.org/show_bug.cgi?id=936190
https://bugzilla.opensuse.org/show_bug.cgi?id=939996
https://bugzilla.opensuse.org/show_bug.cgi?id=940838
https://bugzilla.opensuse.org/show_bug.cgi?id=943075
https://bugzilla.opensuse.org/show_bug.cgi?id=945047
https://bugzilla.opensuse.org/show_bug.cgi?id=945692
https://bugzilla.opensuse.org/show_bug.cgi?id=951579
https://bugzilla.opensuse.org/show_bug.cgi?id=954345
https://lists.debian.org/debian-openoffice/2015/09/msg00343.html

Solution :

Update the affected LibreOffice and related libraries packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 89016

Bugtraq ID:

CVE ID: CVE-2014-3693
CVE-2014-8146
CVE-2014-8147
CVE-2014-9093
CVE-2015-4551
CVE-2015-45513
CVE-2015-5212
CVE-2015-5213
CVE-2015-5214
