Anyone heard of the bug in NSS3.dll yet? Is there an upgrade in Libre Office yet? Should I be worried? I heard about this via the internet but have not heard of any problems yet. Can anyone verify this.See post - Mozilla patches critical “BigSig” cryptographic bug: Here’s how to track it down and fix it – Naked Security
For builds provided by TDF there will be an interim fast-track release of 7.1.8 and 7.2.4 with an updated fixed NSS.
Update 2021-12-06T14:32+01:00: and released.
I think it has nothing to do with LibreOffice.
It does. LibreOffice uses it for cryptographic certificate handling. The linked article here is misleading, it has nothing to do with GIMP (except that GIMP also uses it). On Windows LibreOffice bundles NSS (Network Security Services) because Windows doesn’t have it. Also the builds provided by TDF for other platforms bundle libraries to be able to run on many systems. Packaged on Unix/Linux distributions usually the libraries provided by the system are used, so nothing to be done there for LibreOffice except keeping the system up-to-date.
@erAck , thanks you for your clarifying words.
security related information, CVE-2021-43527 · Caolán McNamara
So basically the information at LibreOffice 7.2.4 Community and LibreOffice 7.1.8 Community available ahead of schedule to provide an important security fix - The Document Foundation Blog is incomplete, it should have stated that the update is required for Windows users only, is that true?
I am actually using LibreOffice 18.104.22.168 02b2acce88a210515b4a5bb2e46cbfb63fe97d56 in CentOS 7 - downloaded from your site.
What is “strange” is that
- the binary /opt/libreoffice7.2/program/soffice.bin is linked with some custom libnss shared libraries :
$ ldd /opt/libreoffice7.2/program/soffice.bin | grep nss
libnss3.so => /opt/libreoffice7.2/program/libnss3.so (0x00007f7d103ee000)
libnssutil3.so => /opt/libreoffice7.2/program/libnssutil3.so (0x00007f7d06761000)
- when converting a docx file to pdf that includes a signature, it calls /lib64/libnss_files.so.2 but this library belongs to the glibc package
So finally on Linux one should update LibreOffice packages, nss packages or both ?
No, that’s not true. Citing from the CVE mail:
The install sets of LibreOffice as provided by TDF include a bundled
copy of Mozilla’s NSS library.
See also my earlier comment above.
As said, again, the builds provided by TDF bundle the NSS libraries as you could see, so you need to upgrade LibreOffice to get those as well.
Whatever is calling into
/lib64/libnss_files.so.2, those are something different and related to
/etc/nsswitch.conf (files, nis, dns, compat; hence libnss_files, libnss_nis, libnss_dns, libnss_compat).
Whether your system needs upgraded NSS anyway is up to your system…