From owner-freebsd-ports-bugs@freebsd.org  Fri Feb  9 23:46:27 2018
Return-Path: <owner-freebsd-ports-bugs@freebsd.org>
Delivered-To: freebsd-ports-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 25BA9F0C6C0
 for <freebsd-ports-bugs@mailman.ysv.freebsd.org>;
 Fri,  9 Feb 2018 23:46:27 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.ysv.freebsd.org (mxrelay.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.ysv.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id B4FE47FB88
 for <freebsd-ports-bugs@FreeBSD.org>; Fri,  9 Feb 2018 23:46:26 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.ysv.freebsd.org (Postfix) with ESMTPS id D3FD421807
 for <freebsd-ports-bugs@FreeBSD.org>; Fri,  9 Feb 2018 23:46:25 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id w19NkPqG039783
 for <freebsd-ports-bugs@FreeBSD.org>; Fri, 9 Feb 2018 23:46:25 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id w19NkPlm039782
 for freebsd-ports-bugs@FreeBSD.org; Fri, 9 Feb 2018 23:46:25 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 225797] security/vuxml: Document vulnerability in LibreOffice
 (CVE-2018-6871 / CVE-2018-1055)
Date: Fri, 09 Feb 2018 23:46:25 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: patch, security
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: vlad-fbsd@acheronmedia.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: ports-secteam@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 bug_file_loc op_sys bug_status keywords bug_severity priority component
 assigned_to reporter cc flagtypes.name attachments.created
Message-ID: <bug-225797-13@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs/>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
 <mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2018 23:46:27 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D225797

            Bug ID: 225797
           Summary: security/vuxml: Document vulnerability in LibreOffice
                    (CVE-2018-6871 / CVE-2018-1055)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.libreoffice.org/about-us/security/advisori
                    es/cve-2018-1055/
                OS: Any
            Status: New
          Keywords: patch, security
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: vlad-fbsd@acheronmedia.com
                CC: office@FreeBSD.org
          Assignee: ports-secteam@FreeBSD.org
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Created attachment 190471
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D190471&action=
=3Dedit
Document CVE-2018-6871

"LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL
(e.g file://) which can be used to inject local files into the spreadsheet
without warning the user. Subsequent formulas can operate on that inserted =
data
and construct a remote URL whose path leaks the local data to a remote
attacker."

"In later versions of LibreOffice without this flaw, WEBSERVICE has now been
limited to accessing http and https URLs along with bringing WEBSERVICE URLs
under LibreOffice Calc's link management infrastructure."

* CVE-2018-6871

* Summary:
  https://www.libreoffice.org/about-us/security/advisories/cve-2018-1055/

* NOTE:

  This vulnerability has been identified upstream as CVE-2018-1055,
  but NVD/Mitre are advising it's a reservation duplicate of
  CVE-2018-6871 which should be used instead.

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-6871

--=20
You are receiving this mail because:
You are the assignee for the bug.=