Debian: Security Advisory for libreoffice (DSA-4988-1) OID: 1.3.6.1.4.1.25623.1.0.704988 - false positive / wrong detection

apt shows that libreoffice 1:7.0.4-4+deb11u1, which contains the fix, is already installed on the system. However, the two packages Greenbone complains about, libreoffice-nlpsolver and libreoffice-wiki-publisher, appear to follow a different versioning scheme and/or are wrongly taken into account here.

Vulnerable package: libreoffice-nlpsolver
Installed version:  0.9+LibO7.0.4-4+deb11u1
Fixed version:      1:7.0.4-4+deb11u1

Vulnerable package: libreoffice-wiki-publisher
Installed version:  1.2.0+LibO7.0.4-4+deb11u1
Fixed version:      1:7.0.4-4+deb11u1

# apt-cache policy libreoffice
libreoffice:
  Installiert:           1:7.0.4-4+deb11u1
  Installationskandidat: 1:7.0.4-4+deb11u1
  Versionstabelle:
 *** 1:7.0.4-4+deb11u1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status

# apt-cache policy libreoffice-nlpsolver
libreoffice-nlpsolver:
  Installiert:           0.9+LibO7.0.4-4+deb11u1
  Installationskandidat: 0.9+LibO7.0.4-4+deb11u1
  Versionstabelle:
 *** 0.9+LibO7.0.4-4+deb11u1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status

# apt-cache policy libreoffice-wiki-publisher
libreoffice-wiki-publisher:
  Installiert:           1.2.0+LibO7.0.4-4+deb11u1
  Installationskandidat: 1.2.0+LibO7.0.4-4+deb11u1
  Versionstabelle:
 *** 1.2.0+LibO7.0.4-4+deb11u1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status

# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Thanks a lot for your report.

It is known that the version scheme for some libreoffice packages is different, and usually these get manually updated accordingly (because the old Generator can’t handle this case). But in this case this might have been missed; expect an update for the relevant VT in one of the next feed updates.

Currently a new Generator for Debian is being introduced; this will hopefully handle such cases in a better way.
