Security update for LibreOffice

Announcement ID: SUSE-SU-2024:0075-1
Rating: important
CVSS scores:
  • CVE-2023-0950 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
  • CVE-2023-0950 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2023-2255 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  • CVE-2023-2255 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Software Development Kit 12 SP5
  • SUSE Linux Enterprise Workstation Extension 12 12-SP5
  • SUSE OpenStack Cloud 9
  • SUSE OpenStack Cloud Crowbar 9

An update that solves two vulnerabilities, contains three features and has four security fixes can now be installed.

Description:

This update for LibreOffice fixes the following issues:

libreoffice:

  • Version update from 7.3.6.2 to 7.5.4.1 (jsc#PED-3561, jsc#PED-3550, jsc#PED-1785):
  • For the highlights of changes of version 7.5 please consult the official release notes: https://wiki.documentfoundation.org/ReleaseNotes/7.5
  • For the highlights of changes of version 7.4 please consult the official release notes: https://wiki.documentfoundation.org/ReleaseNotes/7.4
  • Security issues fixed:
    • CVE-2023-0950: Fixed stack underflow in ScInterpreter (bsc#1209242)
    • CVE-2023-2255: Fixed vulnerability where remote documents could be loaded without prompt via IFrame (bsc#1211746)
  • Bug fixes:
    • Fix PPTX shadow effect for table offset (bsc#1204040)
    • Fix ability to set the default tab size for each text object (bsc#1198666)
    • Fix PPTX extra vertical space between different text formats (bsc#1200085)
    • Do not use binutils-gold as the package is unmaintained and will be removed in the future (bsc#1210687)
  • Updated bundled dependencies:
    • boost version update from 1_77_0 to 1_80_0
    • curl version update from 7.83.1 to 8.0.1
    • icu4c-data version update from 70_1 to 72_1
    • icu4c version update from 70_1 to 72_1
    • pdfium version update from 4699 to 5408
    • poppler version update from 21.11.0 to 22.12.0
    • poppler-data version update from 0.4.10 to 0.4.11
    • skia version update from m97-a7230803d64ae9d44f4e128244480111a3ae967 to m103-b301ff025004c9cd82816c86c547588e6c24b466
  • New build dependencies:
    • fixmath-devel
    • libwebp-devel
    • zlib-devel
    • dragonbox-devel
    • at-spi2-core-devel
    • libtiff-devel

dragonbox:

  • New package at version 1.1.3 (jsc#PED-1785)
    • New dependency for LibreOffice 7.4

fixmath:

  • New package at version 2022.07.20 (jsc#PED-1785)
    • New dependency for LibreOffice 7.4

libmwaw:

  • Version update from 0.3.20 to 0.3.21 (jsc#PED-1785):
  • Add debug code to read some private rsrc data
  • Allow reading of some MacWrite files that lack printer information
  • Add a parser for Scoop files
  • Add a parser for ScriptWriter files
  • Add a parser for ReadySetGo 1-4 files

xmlsec1:

  • Version update from 1.2.28 to 1.2.37 required by LibreOffice 7.5.2.2 (jsc#PED-3561, jsc#PED-3550):
  • Retired the XMLSec mailing list "xmlsec@aleksey.com" and the XMLSec Online Signature Verifier.
  • Migration to the OpenSSL 3.0 API. Note that OpenSSL engines are disabled by default when the XMLSec library is compiled against OpenSSL 3.0. To re-enable OpenSSL engines, use the --enable-openssl3-engines configure flag (there will be a lot of deprecation warnings).
  • OpenSSL versions before 1.1.0 and LibreSSL versions before 2.7.0 are now deprecated and will be removed in future versions of the XMLSec library.
  • Refactored all the integer casts to ensure cast-safety. Fixed all warnings and enabled -Werror and -pedantic flags on CI builds.
  • Added configure flag to use size_t for xmlSecSize (currently disabled by default for backward compatibility).
  • Support for OpenSSL compiled with OPENSSL_NO_ERR.
  • Full support for LibreSSL 3.5.0 and above
  • Several other small fixes
  • Fix decrypting session key for two recipients
  • Added --privkey-openssl-engine option to enhance openssl engine support
  • Remove MD5 for NSS 3.59 and above
  • Fix PKCS12_parse return code handling
  • Fix OpenSSL lookup
  • xmlSecX509DataGetNodeContent(): don't return 0 for non-empty elements - fix for LibreOffice
  • Unload error strings in OpenSSL shutdown.
  • Make userData available when executing preExecCallback function
  • Add an option to use secure memset.
  • Enabled XML_PARSE_HUGE for all xml parsers.
  • Various build and tests fixes and improvements.
  • Move remaining private header files away from the xmlsec/include/ folder
  • Other packaging changes:
  • Relax the crypto policies for the test-suite. It allows the tests using certificates with small key lengths to pass.
  • Pass --disable-md5 to configure: The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1] https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE OpenStack Cloud 9
    zypper in -t patch SUSE-OpenStack-Cloud-9-2024-75=1
  • SUSE OpenStack Cloud Crowbar 9
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2024-75=1
  • SUSE Linux Enterprise Software Development Kit 12 SP5
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-75=1
  • SUSE Linux Enterprise High Performance Computing 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-75=1
  • SUSE Linux Enterprise Server 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-75=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-75=1
  • SUSE Linux Enterprise Workstation Extension 12 12-SP5
    zypper in -t patch SUSE-SLE-WE-12-SP5-2024-75=1

Package List:

  • SUSE OpenStack Cloud 9 (x86_64)
    • libxmlsec1-gnutls1-debuginfo-1.2.37-8.6.21
    • libatk-1_0-0-32bit-2.28.1-6.5.23
    • atk-debugsource-2.28.1-6.5.23
    • xmlsec1-1.2.37-8.6.21
    • libxmlsec1-openssl1-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-nss1-debuginfo-1.2.37-8.6.21
    • libatk-1_0-0-debuginfo-2.28.1-6.5.23
    • libatk-1_0-0-2.28.1-6.5.23
    • libxmlsec1-1-1.2.37-8.6.21
    • typelib-1_0-Atk-1_0-2.28.1-6.5.23
    • libxmlsec1-1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-1.2.37-8.6.21
    • xmlsec1-debugsource-1.2.37-8.6.21
    • libxmlsec1-openssl1-debuginfo-1.2.37-8.6.21
    • xmlsec1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gnutls1-1.2.37-8.6.21
    • libxmlsec1-nss1-1.2.37-8.6.21
    • libatk-1_0-0-debuginfo-32bit-2.28.1-6.5.23
  • SUSE OpenStack Cloud 9 (noarch)
    • atk-lang-2.28.1-6.5.23
    • atk-doc-2.28.1-6.5.23
  • SUSE OpenStack Cloud Crowbar 9 (x86_64)
    • libxmlsec1-gnutls1-debuginfo-1.2.37-8.6.21
    • libatk-1_0-0-32bit-2.28.1-6.5.23
    • atk-debugsource-2.28.1-6.5.23
    • xmlsec1-1.2.37-8.6.21
    • libxmlsec1-openssl1-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-nss1-debuginfo-1.2.37-8.6.21
    • libatk-1_0-0-debuginfo-2.28.1-6.5.23
    • libatk-1_0-0-2.28.1-6.5.23
    • libxmlsec1-1-1.2.37-8.6.21
    • typelib-1_0-Atk-1_0-2.28.1-6.5.23
    • libxmlsec1-1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-1.2.37-8.6.21
    • xmlsec1-debugsource-1.2.37-8.6.21
    • libxmlsec1-openssl1-debuginfo-1.2.37-8.6.21
    • xmlsec1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gnutls1-1.2.37-8.6.21
    • libxmlsec1-nss1-1.2.37-8.6.21
    • libatk-1_0-0-debuginfo-32bit-2.28.1-6.5.23
  • SUSE OpenStack Cloud Crowbar 9 (noarch)
    • atk-lang-2.28.1-6.5.23
    • atk-doc-2.28.1-6.5.23
  • SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
    • xmlsec1-openssl-devel-1.2.37-8.6.21
    • libmwaw-devel-0.3.21-7.24.14
    • libmwaw-0_3-3-0.3.21-7.24.14
    • atk-debugsource-2.28.1-6.5.23
    • atk-devel-2.28.1-6.5.23
    • xmlsec1-1.2.37-8.6.21
    • xmlsec1-gnutls-devel-1.2.37-8.6.21
    • xmlsec1-gcrypt-devel-1.2.37-8.6.21
    • xmlsec1-debugsource-1.2.37-8.6.21
    • xmlsec1-debuginfo-1.2.37-8.6.21
    • xmlsec1-devel-1.2.37-8.6.21
    • xmlsec1-nss-devel-1.2.37-8.6.21
    • libmwaw-debugsource-0.3.21-7.24.14
  • SUSE Linux Enterprise Software Development Kit 12 SP5 (noarch)
    • libmwaw-devel-doc-0.3.21-7.24.14
  • SUSE Linux Enterprise Software Development Kit 12 SP5 (x86_64)
    • libreoffice-debuginfo-7.5.4.1-48.44.2
    • libreoffice-sdk-7.5.4.1-48.44.2
    • libreoffice-sdk-debuginfo-7.5.4.1-48.44.2
    • libreoffice-debugsource-7.5.4.1-48.44.2
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
    • libxmlsec1-gnutls1-debuginfo-1.2.37-8.6.21
    • atk-debugsource-2.28.1-6.5.23
    • xmlsec1-1.2.37-8.6.21
    • libxmlsec1-openssl1-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-nss1-debuginfo-1.2.37-8.6.21
    • libatk-1_0-0-debuginfo-2.28.1-6.5.23
    • libatk-1_0-0-2.28.1-6.5.23
    • libxmlsec1-1-1.2.37-8.6.21
    • typelib-1_0-Atk-1_0-2.28.1-6.5.23
    • libxmlsec1-1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-1.2.37-8.6.21
    • xmlsec1-debugsource-1.2.37-8.6.21
    • libxmlsec1-openssl1-debuginfo-1.2.37-8.6.21
    • xmlsec1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gnutls1-1.2.37-8.6.21
    • libxmlsec1-nss1-1.2.37-8.6.21
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (noarch)
    • atk-lang-2.28.1-6.5.23
    • atk-doc-2.28.1-6.5.23
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
    • libatk-1_0-0-32bit-2.28.1-6.5.23
    • libatk-1_0-0-debuginfo-32bit-2.28.1-6.5.23
  • SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
    • libxmlsec1-gnutls1-debuginfo-1.2.37-8.6.21
    • atk-debugsource-2.28.1-6.5.23
    • xmlsec1-1.2.37-8.6.21
    • libxmlsec1-openssl1-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-nss1-debuginfo-1.2.37-8.6.21
    • libatk-1_0-0-debuginfo-2.28.1-6.5.23
    • libatk-1_0-0-2.28.1-6.5.23
    • libxmlsec1-1-1.2.37-8.6.21
    • typelib-1_0-Atk-1_0-2.28.1-6.5.23
    • libxmlsec1-1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-1.2.37-8.6.21
    • xmlsec1-debugsource-1.2.37-8.6.21
    • libxmlsec1-openssl1-debuginfo-1.2.37-8.6.21
    • xmlsec1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gnutls1-1.2.37-8.6.21
    • libxmlsec1-nss1-1.2.37-8.6.21
  • SUSE Linux Enterprise Server 12 SP5 (noarch)
    • atk-lang-2.28.1-6.5.23
    • atk-doc-2.28.1-6.5.23
  • SUSE Linux Enterprise Server 12 SP5 (s390x x86_64)
    • libatk-1_0-0-32bit-2.28.1-6.5.23
    • libatk-1_0-0-debuginfo-32bit-2.28.1-6.5.23
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
    • libxmlsec1-gnutls1-debuginfo-1.2.37-8.6.21
    • atk-debugsource-2.28.1-6.5.23
    • xmlsec1-1.2.37-8.6.21
    • libxmlsec1-openssl1-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-nss1-debuginfo-1.2.37-8.6.21
    • libatk-1_0-0-debuginfo-2.28.1-6.5.23
    • libatk-1_0-0-2.28.1-6.5.23
    • libxmlsec1-1-1.2.37-8.6.21
    • typelib-1_0-Atk-1_0-2.28.1-6.5.23
    • libxmlsec1-1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gcrypt1-1.2.37-8.6.21
    • xmlsec1-debugsource-1.2.37-8.6.21
    • libxmlsec1-openssl1-debuginfo-1.2.37-8.6.21
    • xmlsec1-debuginfo-1.2.37-8.6.21
    • libxmlsec1-gnutls1-1.2.37-8.6.21
    • libxmlsec1-nss1-1.2.37-8.6.21
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch)
    • atk-lang-2.28.1-6.5.23
    • atk-doc-2.28.1-6.5.23
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
    • libatk-1_0-0-32bit-2.28.1-6.5.23
    • libatk-1_0-0-debuginfo-32bit-2.28.1-6.5.23
  • SUSE Linux Enterprise Workstation Extension 12 12-SP5 (x86_64)
    • libreoffice-librelogo-7.5.4.1-48.44.2
    • libreoffice-writer-debuginfo-7.5.4.1-48.44.2
    • libreoffice-gtk3-debuginfo-7.5.4.1-48.44.2
    • libreoffice-impress-debuginfo-7.5.4.1-48.44.2
    • libreoffice-math-debuginfo-7.5.4.1-48.44.2
    • libreoffice-officebean-7.5.4.1-48.44.2
    • libreoffice-officebean-debuginfo-7.5.4.1-48.44.2
    • fixmath-devel-2022.07.20-8.3.48
    • libreoffice-impress-7.5.4.1-48.44.2
    • libmwaw-0_3-3-debuginfo-0.3.21-7.24.14
    • libreoffice-math-7.5.4.1-48.44.2
    • libreoffice-draw-7.5.4.1-48.44.2
    • libreoffice-pyuno-debuginfo-7.5.4.1-48.44.2
    • dragonbox-devel-1.1.3-8.3.48
    • libreoffice-calc-extensions-7.5.4.1-48.44.2
    • libreoffice-draw-debuginfo-7.5.4.1-48.44.2
    • libreoffice-debuginfo-7.5.4.1-48.44.2
    • libreoffice-gnome-debuginfo-7.5.4.1-48.44.2
    • libreoffice-calc-debuginfo-7.5.4.1-48.44.2
    • libreoffice-calc-7.5.4.1-48.44.2
    • libmwaw-debugsource-0.3.21-7.24.14
    • libreoffice-gtk3-7.5.4.1-48.44.2
    • libreoffice-7.5.4.1-48.44.2
    • libreoffice-writer-7.5.4.1-48.44.2
    • libreoffice-base-drivers-postgresql-7.5.4.1-48.44.2
    • libreoffice-gnome-7.5.4.1-48.44.2
    • libreoffice-filters-optional-7.5.4.1-48.44.2
    • libreoffice-mailmerge-7.5.4.1-48.44.2
    • libreoffice-base-debuginfo-7.5.4.1-48.44.2
    • libreoffice-base-7.5.4.1-48.44.2
    • libreoffice-debugsource-7.5.4.1-48.44.2
    • libmwaw-0_3-3-0.3.21-7.24.14
    • libreoffice-writer-extensions-7.5.4.1-48.44.2
    • libreoffice-base-drivers-postgresql-debuginfo-7.5.4.1-48.44.2
    • libreoffice-pyuno-7.5.4.1-48.44.2
  • SUSE Linux Enterprise Workstation Extension 12 12-SP5 (noarch)
    • libreoffice-l10n-af-7.5.4.1-48.44.2
    • libreoffice-branding-upstream-7.5.4.1-48.44.2
    • libreoffice-l10n-lt-7.5.4.1-48.44.2
    • libreoffice-l10n-cs-7.5.4.1-48.44.2
    • libreoffice-l10n-hr-7.5.4.1-48.44.2
    • libreoffice-l10n-nn-7.5.4.1-48.44.2
    • libreoffice-l10n-de-7.5.4.1-48.44.2
    • libreoffice-l10n-ru-7.5.4.1-48.44.2
    • libreoffice-l10n-fr-7.5.4.1-48.44.2
    • libreoffice-l10n-pt_BR-7.5.4.1-48.44.2
    • libreoffice-icon-themes-7.5.4.1-48.44.2
    • libreoffice-l10n-pt_PT-7.5.4.1-48.44.2
    • libreoffice-l10n-xh-7.5.4.1-48.44.2
    • libreoffice-l10n-es-7.5.4.1-48.44.2
    • libreoffice-l10n-hu-7.5.4.1-48.44.2
    • libreoffice-l10n-ja-7.5.4.1-48.44.2
    • libreoffice-l10n-zh_CN-7.5.4.1-48.44.2
    • libreoffice-l10n-uk-7.5.4.1-48.44.2
    • libreoffice-l10n-en-7.5.4.1-48.44.2
    • libreoffice-l10n-ko-7.5.4.1-48.44.2
    • libreoffice-l10n-ca-7.5.4.1-48.44.2
    • libreoffice-l10n-pl-7.5.4.1-48.44.2
    • libreoffice-l10n-it-7.5.4.1-48.44.2
    • libreoffice-l10n-bg-7.5.4.1-48.44.2
    • libreoffice-l10n-da-7.5.4.1-48.44.2
    • libreoffice-l10n-nl-7.5.4.1-48.44.2
    • libreoffice-l10n-hi-7.5.4.1-48.44.2
    • libreoffice-l10n-fi-7.5.4.1-48.44.2
    • libreoffice-l10n-gu-7.5.4.1-48.44.2
    • libreoffice-l10n-ro-7.5.4.1-48.44.2
    • libreoffice-l10n-sk-7.5.4.1-48.44.2
    • libreoffice-l10n-zh_TW-7.5.4.1-48.44.2
    • libreoffice-l10n-zu-7.5.4.1-48.44.2
    • libreoffice-l10n-ar-7.5.4.1-48.44.2
    • libreoffice-l10n-sv-7.5.4.1-48.44.2
    • libreoffice-l10n-nb-7.5.4.1-48.44.2