All LO versions < 5.4.5/6.0.1 are not secure?

While researching the recent Meltdown and Spectre exploit announcement, I happened to stumble on this related to LibreOffice:

LibreOffice < 6.0.1 - ‘=WEBSERVICE’ Remote Arbitrary File Disclosure

Is this related to just running a downloaded document?

All (not only Linux) LO versions <5.4.5/6.0.1 that support WEBSERVICE are affected by the vulnerability. If you measure the term “secure” by this, then yes. I wouldn’t dare to say that LO is secure anyway in any version (just as any software); possibly we just don’t yet know about hidden vulnerabilities.

By the way, every day we (especially Caolan) fix many things that could possibly become vulnerabilities; fuzzing tests help identify those in advance.

Also noticed this LO alert: “Early availability of LibreOffice 5.4.5 and LibreOffice 6.0.1: all users are invited to update for improved robustness and security”. Thanks Mike.

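A defender's check for the two points raised in this thread, as an added example that is not part of the original posts or LibreOffice's own code: whether an installed version is below the fixed releases named above, and whether a downloaded .ods file contains a WEBSERVICE formula. The function names and the sample document are constructed for illustration, and the version check assumes the build supports WEBSERVICE at all.

```python
import io
import re
import zipfile

# Fixed releases as stated in the thread: 5.4.5 on the 5.4 branch, 6.0.1 on 6.0.
FIXED_54 = (5, 4, 5)
FIXED_60 = (6, 0, 1)

# Formula attributes in ODF content.xml, e.g. table:formula="of:=WEBSERVICE(...)".
# Assumption: attributes are double-quoted, as LibreOffice writes them.
FORMULA_ATTR = re.compile(r'table:formula="([^"]*)"')
WEBSERVICE_CALL = re.compile(r'\bWEBSERVICE\s*\(', re.IGNORECASE)


def is_affected(version: str) -> bool:
    """True if a version string such as '5.4.4.2' is below the fixed releases."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    if parts >= (6, 0, 0):
        return parts < FIXED_60
    return parts < FIXED_54


def find_webservice_formulas(ods_bytes: bytes) -> list[str]:
    """Return every formula in an .ods file's content.xml that calls WEBSERVICE."""
    with zipfile.ZipFile(io.BytesIO(ods_bytes)) as archive:
        xml = archive.read("content.xml").decode("utf-8", errors="replace")
    return [f for f in FORMULA_ATTR.findall(xml) if WEBSERVICE_CALL.search(f)]


def build_sample_ods() -> bytes:
    """Constructed sample: a minimal .ods-like zip with two formula cells."""
    content = (
        '<office:document-content><table:table-cell '
        'table:formula="of:=WEBSERVICE(&quot;http://example.invalid/&quot;)"/>'
        '<table:table-cell table:formula="of:=SUM([.A1:.A2])"/>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("5.4.4.2", "5.4.5", "6.0.0.3", "6.0.1"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(find_webservice_formulas(build_sample_ods()))
```

The scan reads the file as a zip archive and never opens it in an office suite, so it can be run on a document before deciding whether to open it.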