SUSE SLED12 / SLES12 Security Update : Recommended update for LibreOffice (SUSE-SU-2018:1076-1)

High Nessus Plugin ID 109357

Synopsis

The remote SUSE host is missing one or more security updates.

Description

LibreOffice was updated to version 6.0.3. Following new features were added :

- The Notebookbar, although still an experimental feature, has been enriched with two new variants: Grouped Bar Full for Writer, Calc and Impress, and Tabbed Compact for Writer. The Special Characters dialog has been reworked, with the addition of lists for Recent and Favorite characters, along with a Search field. The Customize dialog has also been redesigned, and is now more modern and intuitive.

- In Writer, a Form menu has been added, making it easier to access one of the most powerful – and often unknown –
LibreOffice features: the ability to design forms, and create standards-compliant PDF forms. The Find toolbar has been enhanced with a drop-down list of search types, to speed up navigation. A new default table style has been added, together with a new collection of table styles to reflect evolving visual trends.

- The Mail Merge function has been improved, and it is now possible to use either a Writer document or an XLSX file as data source.

- In Calc, ODF 1.2-compliant functions SEARCHB, FINDB and REPLACEB have been added, to improve support for the ISO standard format. Also, a cell range selection or a selected group of shapes (images) can be now exported in PNG or JPG format.

- In Impress, the default slide size has been switched to 16:9, to support the most recent form factors of screens and projectors. As a consequence, 10 new Impress templates have been added, and a couple of old templates have been updated. Changes in components :

- The old WikiHelp has been replaced by the new Help Online system, with attractive web pages that can also be displayed on mobile devices. In general, LibreOffice Help has been updated both in terms of contents and code, with other improvements due all along the life of the LibreOffice 6 family.

- User dictionaries now allow automatic affixation or compounding. This is a general spell checking improvement in LibreOffice which can speed up work for Writer users. Instead of manually handling several forms of a new word in a language with rich morphology or compounding, the Hunspell spell checker can automatically recognize a new word with affixes or compounds, based on a “Grammar By” model.
Security features and changes :

- OpenPGP keys can be used to sign ODF documents on all desktop operating systems, with experimental support for OpenPGP-based encryption. To enable this feature, users will have to install the specific GPG software for their operating systems.

- Document classification has also been improved, and allows multiple policies (which are now exported to OOXML files). In Writer, marking and signing are now supported at paragraph level. Interoperability changes :

- OOXML interoperability has been improved in several areas: import of SmartArt and import/export of ActiveX controls, support of embedded text documents and spreadsheets, export of embedded videos to PPTX, export of cross-references to DOCX, export of MailMerge fields to DOCX, and improvements to the PPTX filter to prevent the creation of broken files.

- New filters for exporting Writer documents to ePub and importing QuarkXPress files have also been added, together with an improved filter for importing EMF+ (Enhanced Metafile Format Plus) files as used by Microsoft Office documents. Some improvements have also been added to the ODF export filter, making it easier for other ODF readers to display visuals. The full blog entry for the 6.0 release can be found here:
	https://blog.documentfoundation.org/blog/2018/01/31/ libreoffice-6/ The full release notes can be found here:
	https://wiki.documentfoundation.org/ReleaseNotes/6.0 The libraries that LibreOffice depends on also have been udpated to their current versions.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch SUSE-SLE-WE-12-SP3-2018-735=1

SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-735=1

SUSE Linux Enterprise Server 12-SP3:zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-735=1

SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-735=1

SUSE CaaS Platform ALL :

To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

See Also

https://blog.documentfoundation.org/blog/2018/01/31/libreoffice-6/

https://bugzilla.suse.com/show_bug.cgi?id=1042829

https://bugzilla.suse.com/show_bug.cgi?id=1077375

https://bugzilla.suse.com/show_bug.cgi?id=1080249

https://bugzilla.suse.com/show_bug.cgi?id=1083213

https://bugzilla.suse.com/show_bug.cgi?id=1083993

https://bugzilla.suse.com/show_bug.cgi?id=1088662

https://bugzilla.suse.com/show_bug.cgi?id=1089124

https://wiki.documentfoundation.org/ReleaseNotes/6.0

https://www.suse.com/security/cve/CVE-2017-9432/

https://www.suse.com/security/cve/CVE-2017-9433/

https://www.suse.com/security/cve/CVE-2018-1055/

https://www.suse.com/security/cve/CVE-2018-6871/

http://www.nessus.org/u?94e071c5

Plugin Details

Severity: High

ID: 109357

File Name: suse_SU-2018-1076-1.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2018/04/26

Updated: 2018/12/01

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:gnome-documents, p-cpe:/a:novell:suse_linux:gnome-documents-debugsource, p-cpe:/a:novell:suse_linux:gnome-documents_books-common, p-cpe:/a:novell:suse_linux:gnome-documents_books-common-debuginfo, p-cpe:/a:novell:suse_linux:gnome-shell-search-provider-documents, p-cpe:/a:novell:suse_linux:libboost_atomic1_54_0, p-cpe:/a:novell:suse_linux:libboost_atomic1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_date_time1_54_0, p-cpe:/a:novell:suse_linux:libboost_date_time1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_filesystem1_54_0, p-cpe:/a:novell:suse_linux:libboost_filesystem1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_iostreams1_54_0, p-cpe:/a:novell:suse_linux:libboost_iostreams1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_locale1_54_0, p-cpe:/a:novell:suse_linux:libboost_locale1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_program_options1_54_0, p-cpe:/a:novell:suse_linux:libboost_program_options1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_random1_54_0, p-cpe:/a:novell:suse_linux:libboost_random1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_regex1_54_0, p-cpe:/a:novell:suse_linux:libboost_regex1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_signals1_54_0, p-cpe:/a:novell:suse_linux:libboost_signals1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_system1_54_0, p-cpe:/a:novell:suse_linux:libboost_system1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libboost_thread1_54_0, p-cpe:/a:novell:suse_linux:libboost_thread1_54_0-debuginfo, p-cpe:/a:novell:suse_linux:libepubgen-0_1, p-cpe:/a:novell:suse_linux:libepubgen-0_1-1-debuginfo, p-cpe:/a:novell:suse_linux:libepubgen-debugsource, p-cpe:/a:novell:suse_linux:libixion-0_13, p-cpe:/a:novell:suse_linux:libixion-0_13-0-debuginfo, p-cpe:/a:novell:suse_linux:libixion-debugsource, p-cpe:/a:novell:suse_linux:libmwaw-0_3, p-cpe:/a:novell:suse_linux:libmwaw-0_3-3-debuginfo, p-cpe:/a:novell:suse_linux:libmwaw-debugsource, p-cpe:/a:novell:suse_linux:liborcus-0_13, p-cpe:/a:novell:suse_linux:liborcus-0_13-0-debuginfo, p-cpe:/a:novell:suse_linux:liborcus-debugsource, p-cpe:/a:novell:suse_linux:libqxp-0_0, p-cpe:/a:novell:suse_linux:libqxp-0_0-0-debuginfo, p-cpe:/a:novell:suse_linux:libqxp-debugsource, p-cpe:/a:novell:suse_linux:libreoffice, p-cpe:/a:novell:suse_linux:libreoffice-base, p-cpe:/a:novell:suse_linux:libreoffice-base-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-mysql, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-mysql-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-postgresql, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-postgresql-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-calc, p-cpe:/a:novell:suse_linux:libreoffice-calc-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-calc-extensions, p-cpe:/a:novell:suse_linux:libreoffice-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-debugsource, p-cpe:/a:novell:suse_linux:libreoffice-draw, p-cpe:/a:novell:suse_linux:libreoffice-draw-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-filters-optional, p-cpe:/a:novell:suse_linux:libreoffice-gnome, p-cpe:/a:novell:suse_linux:libreoffice-gnome-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-gtk2, p-cpe:/a:novell:suse_linux:libreoffice-gtk2-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-impress, p-cpe:/a:novell:suse_linux:libreoffice-impress-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-mailmerge, p-cpe:/a:novell:suse_linux:libreoffice-math, p-cpe:/a:novell:suse_linux:libreoffice-math-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-officebean, p-cpe:/a:novell:suse_linux:libreoffice-officebean-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-pyuno, p-cpe:/a:novell:suse_linux:libreoffice-pyuno-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-writer, p-cpe:/a:novell:suse_linux:libreoffice-writer-debuginfo, p-cpe:/a:novell:suse_linux:libreoffice-writer-extensions, p-cpe:/a:novell:suse_linux:libstaroffice-0_0, p-cpe:/a:novell:suse_linux:libstaroffice-0_0-0-debuginfo, p-cpe:/a:novell:suse_linux:libstaroffice-debugsource, p-cpe:/a:novell:suse_linux:libwps-0_4, p-cpe:/a:novell:suse_linux:libwps-0_4-4-debuginfo, p-cpe:/a:novell:suse_linux:libwps-debugsource, p-cpe:/a:novell:suse_linux:myspell-dictionaries, p-cpe:/a:novell:suse_linux:myspell-lightproof-en, p-cpe:/a:novell:suse_linux:myspell-lightproof-hu_HU, p-cpe:/a:novell:suse_linux:myspell-lightproof-pt_BR, p-cpe:/a:novell:suse_linux:myspell-lightproof-ru_RU, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/04/25

Reference Information

CVE: CVE-2017-9432, CVE-2017-9433, CVE-2018-1055, CVE-2018-6871