LibreOffice Viewer security vulnerability

Abdominal4467 · December 8, 2022, 3:25pm

Hey people,

Some of you might have seen that F-Droid now shows the following message:

We found a vulnerability with LibreOffice Viewer. We recommend uninstalling this app immediately.

Libre Office Viewer is a built-in /e/ application, and for this reason it can’t be uninstalled through F-Droid directly, but only through the adb shell (if I understand correctly).

Is /e/ aware of this vuln? There are other topics on this forum.complaining about LibreOffice Viewer (last update in 2018, large size, buggy, etc.). Maybe this is the time to remove it from default apps?

AnotherElk · December 8, 2022, 3:53pm

See Releases · e / os / releases · GitLab … This App was removed from /e/OS in version 1.6.

Abdominal4467 · December 8, 2022, 4:31pm

Thanks @AnotherElk. Does that mean that users only have to wait for the /e/ update to remove the offending application? Or do they still have to do so through the shell?

SkewedZeppelin · December 8, 2022, 4:39pm

These were reported by me: Flag many apps with KnownVuln (!11496) · Merge requests · F-Droid / Data · GitLab

The reason for this one is that the F-Droid build of Libreoffice is from 2018 and has ~15 known security issues.

AnotherElk · December 8, 2022, 5:24pm

According to the release notes I would very much assume so, but to really make sure you could ask here if anybody already running /e/OS 1.6 can confirm it’s gone … Feedback for v1.6

Hermano · December 8, 2022, 5:30pm

Just installed 1.6 S stable in my FP4 and Libreoffice has gone.

SkewedZeppelin · December 8, 2022, 5:41pm

In general: apps that are included in the system that are no longer included in a future update will only stay installed if a user ever updated it.

Torrone · December 8, 2022, 8:08pm

The upgrade doesn’t appear on my FP4, haw can I force it?

There is also a security warning for PDF viewer. I couldn’t find anything about this in the changelog

SkewedZeppelin · December 8, 2022, 8:23pm

@Torrone
The /e/OS PDF viewer is forked from gsnathan’s and inherits its ~60 security issues. I’ve mentioned it here a handful of times over the past six months.

See also a 2021 thread touching on these same issues: Concerns and suggestions for system applications (Libre Office, PDF Viewer)

Along with this recent comment from Gaël: My /e/ exit interview - #15 by gael

stanwood · December 8, 2022, 8:43pm

Same here (for me and my wife, both on FP4 1.5.1s), I guess it could take few days until the 1.6 update is released to every body.

Due to some issues with Libreoffice viewer, I already downloaded Collabora Office, which works great!

Torrone · December 8, 2022, 9:08pm

So, what we are supposed to do as users?
Crossing fingers hopping nobody will exploits one of the security flaws?

petefoth · December 9, 2022, 8:01am

Install version 1.6 as soon as it becomes available. LibreOffice Viewer is removed from the build.
IN the mean time, don’t use LibreOffice Viewer

Torrone · December 9, 2022, 9:06am

And for the PDF viewer?
And for the WebView?
And for all other thing that are broken and I don’t know because it’s supposed to be an OS “accessible to everyone”, not only for people who read the whole gitlab to check what is still maintained or not?

marcdw · January 14, 2023, 11:19am

Some may have noticed, new version of LibreOffice Viewer just dropped at F-Droid. Version 7.6.0.0.alpha.
It’s in my client but not yet at the F-Droid site at time of this post.

Update LibreOffice Viewer to 7.6.0.0.alpha0+/d6c54b3d4ee7 (!12380) · Merge requests · F-Droid / Data · GitLab