CVE-2023-5129 - BBB affected?


Martin Klampfer

Oct 4, 2023, 3:49:12 AM
to BigBlueButton-dev
BBB includes libwebp (via libreoffice), which suffers from the vulnerability CVE-2023-5129 (https://www.helpnetsecurity.com/2023/09/27/cve-2023-5129/). We are hosting BBB 2.6.10 for a client and they asked us if this version is affected by the vulnerability. If this is the case, is there a fix in a newer version or are you planning to create one?

Thanks and kind regards.

Ghazi TRIKI

Oct 4, 2023, 4:05:02 AM
to bigblueb...@googlegroups.com
Hello Martin,

That CVE has been rejected because of its duplicate status; the original one is: https://nvd.nist.gov/vuln/detail/CVE-2023-4863


LibreOffice in BBB is a kind of jail and has access to only a necessary amount of computing resources.

More investigation about the current version is needed, but I assume that updating the LibreOffice docker image in BBB should be safe.

@Tiago can you kindly confirm and give more highlights?

Ghazi
Regards


On Wed, 4 Oct 2023 at 08:49, Martin Klampfer <klamp...@gmail.com> wrote:
> BBB includes libwebp (via libreoffice), which suffers from the vulnerability CVE-2023-5129 (https://www.helpnetsecurity.com/2023/09/27/cve-2023-5129/). We are hosting BBB 2.6.10 for a client and they asked us if this version is affected by the vulnerability. If this is the case, is there a fix in a newer version or are you planning to create one?
>
> Thanks and kind regards.
>
> --
> You received this message because you are subscribed to the Google Groups "BigBlueButton-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/bigbluebutton-dev/5f36f6ea-7b9d-4317-8468-f8035b929f43n%40googlegroups.com.

Jean Pluzo

Oct 4, 2023, 7:48:24 AM
to BigBlueButton-dev
Hi,

just to add info to @Ghazi's response:
LibreOffice runs in a container, and it runs only when documents are uploaded/converted. This means the LO container is created only when there's a document that needs conversion. After the conversion has been done, the container is destroyed.
Even if the current version of LO included in BBB were vulnerable, it would only be "active" for a very short period of time.
However, it would be nice if the developers could confirm/deny this CVE.

Regards,
J.
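The question the thread leaves open ("is the libwebp inside the LibreOffice container fixed?") can be answered on a host by reading the package list of that container image. The script below is an added example, not BigBlueButton project code: it assumes the LibreOffice image is Debian/Ubuntu-based (so `dpkg-query` exists), the image name `bbb-soffice` is a placeholder to replace with the image your host actually runs, and the default fixed version 1.3.2 is the upstream libwebp release that fixed CVE-2023-4863.

```shell
#!/bin/sh
# check_libwebp.sh (added example, not part of BigBlueButton).
# Reads "package version" lines (as produced by dpkg-query) and reports every
# libwebp package whose upstream version is below the fixed release.
# Assumption: the LibreOffice container image is Debian/Ubuntu-based.

# Placeholder image name; set BBB_SOFFICE_IMAGE to the image your host runs.
IMAGE="${BBB_SOFFICE_IMAGE:-bbb-soffice}"
# Upstream libwebp release that fixed CVE-2023-4863.
FIXED="${LIBWEBP_FIXED:-1.3.2}"

# version_ge A B: succeed when A >= B under natural version ordering.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# upstream_version V: strip the Debian epoch and revision,
# e.g. "1:1.2.2-2ubuntu0.22.04.2" -> "1.2.2".
upstream_version() {
  printf '%s' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# assess_pkg_list FIXED: read "package version" lines on stdin, print one
# line per libwebp package and fail (return 1) if any is below FIXED.
assess_pkg_list() {
  fixed="$1"
  rc=0
  while read -r pkg ver; do
    case "$pkg" in
      libwebp*) ;;
      *) continue ;;
    esac
    up=$(upstream_version "$ver")
    if version_ge "$up" "$fixed"; then
      echo "$pkg $ver: upstream $up >= $fixed (ok)"
    else
      echo "$pkg $ver: upstream $up < $fixed (check distro advisory)"
      rc=1
    fi
  done
  return "$rc"
}

# Live check only when invoked with --image, so the functions above can be
# sourced or exercised without Docker present.
if [ "${1:-}" = "--image" ]; then
  docker run --rm "$IMAGE" dpkg-query -W -f '${Package} ${Version}\n' \
    | assess_pkg_list "$FIXED"
fi
```

Run it on the BBB host as `BBB_SOFFICE_IMAGE=<your image> sh check_libwebp.sh --image`. Two caveats: Debian and Ubuntu shipped the fix for CVE-2023-4863 as a backport without bumping the upstream version number, so a flagged line means "look up that exact package version in the distribution's security tracker", not "vulnerable"; and the script inspects only the container image, not any libwebp installed on the host itself.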