LibreOffice Viewer security vulnerability

Hey people,

Some of you might have seen that F-Droid now shows the following message:

We found a vulnerability with LibreOffice Viewer. We recommend uninstalling this app immediately.

Libre Office Viewer is a built-in /e/ application, and for this reason it can’t be uninstalled through F-Droid directly, but only through the adb shell (if I understand correctly).

Is /e/ aware of this vuln? There are other topics on this forum.complaining about LibreOffice Viewer (last update in 2018, large size, buggy, etc.). Maybe this is the time to remove it from default apps?

2 Likes

See Releases · e / os / releases · GitLab … This App was removed from /e/OS in version 1.6.

1 Like

Thanks @AnotherElk. Does that mean that users only have to wait for the /e/ update to remove the offending application? Or do they still have to do so through the shell?

These were reported by me: Flag many apps with KnownVuln (!11496) · Merge requests · F-Droid / Data · GitLab

The reason for this one is that the F-Droid build of Libreoffice is from 2018 and has ~15 known security issues.

1 Like

According to the release notes I would very much assume so, but to really make sure you could ask here if anybody already running /e/OS 1.6 can confirm it’s gone … Feedback for v1.6

1 Like

Just installed 1.6 S stable in my FP4 and Libreoffice has gone.

3 Likes

In general: apps that are included in the system that are no longer included in a future update will only stay installed if a user ever updated it.

2 Likes

The upgrade doesn’t appear on my FP4, haw can I force it?

There is also a security warning for PDF viewer. I couldn’t find anything about this in the changelog

@Torrone
The /e/OS PDF viewer is forked from gsnathan’s and inherits its ~60 security issues. I’ve mentioned it here a handful of times over the past six months.

See also a 2021 thread touching on these same issues: Concerns and suggestions for system applications (Libre Office, PDF Viewer)

Along with this recent comment from Gaël: My /e/ exit interview - #15 by gael

4 Likes

Same here (for me and my wife, both on FP4 1.5.1s), I guess it could take few days until the 1.6 update is released to every body.

Due to some issues with Libreoffice viewer, I already downloaded Collabora Office, which works great!

1 Like

So, what we are supposed to do as users?
Crossing fingers hopping nobody will exploits one of the security flaws?

Install version 1.6 as soon as it becomes available. LibreOffice Viewer is removed from the build.
IN the mean time, don’t use LibreOffice Viewer

And for the PDF viewer?
And for the WebView?
And for all other thing that are broken and I don’t know because it’s supposed to be an OS “accessible to everyone”, not only for people who read the whole gitlab to check what is still maintained or not?

Some may have noticed, new version of LibreOffice Viewer just dropped at F-Droid. Version 7.6.0.0.alpha.
It’s in my client but not yet at the F-Droid site at time of this post.

Update LibreOffice Viewer to 7.6.0.0.alpha0+/d6c54b3d4ee7 (!12380) · Merge requests · F-Droid / Data · GitLab

This topic was automatically closed after 47 hours. New replies are no longer allowed.