LibreOffice: Stability, security, and continued development

LibreOffice, the most widely used open-source office productivity suite, has plenty to recommend it: it’s feature-rich, user-friendly, well-documented, reliable, has an active community of developers working on improving it, and it’s free.

LibreOffice security development

The suite includes Writer (word processor), Calc (a spreadsheet app), Impress (a presentation app), Draw (graphics editor), Math (app for creating and editing mathematical formulas), and Base (database management software).

Its development is shephered by The Document Foundation (TDF), a German non-profit organization that, among other things, is invested in the promotion of open document formats and open standards and rejects a closed software development process “where errors can lie hidden and poor quality is accepted”.

The beginning

LibreOffice is based on the source code of OpenOffice, a project that, according to LibreOffice marketing co-lead Italo Vignoli, was marked by questionable decisions around development and quality assurance.

“Older members of the project still remember the controversy over the integration of key patches developed by external contributors, leading to a parallel version springing up to integrate these and other external developments,” he told Help Net Security.

To address the mountain of inherited technical debt, the LibreOffice developers undertook a heavy source code cleanup and refactoring process, which lasted throughout the development of LibreOffice 3.x and 4.x.

“This effort was coupled with the creation of an infrastructure to serve the developers, with the implementation of tools such as Gerrit for code review, Git for continuous integration, a battery of Tinderboxes, Bugzilla for quality assurance, OpenGrok for source code research, Weblate for localization, as well as testing for performance and crash analysis,” he explained.

The result was increased software stability and security, and the ultimate development of a comprehensive software platform for individual productivity on desktop, mobile and the cloud.

LibreOffice development

The desktop version of LibreOffice comes in two “flavors”: Community (for home and small office users) and Enterprise (for institutions and large organizations). Versions of the latter and specialized support are provided by several partner companies.

LibreOffice major releases are announced every six months, usually in February and August.

The latest version (v7.6) of LibreOffice Community was released last week, with some new features and old ones polished.

As TDF pointed out, “after twelve years and five release cycles – code cleaning, code refactoring, polishing the user interface, extending to new hardware and software platforms, and optimizing interoperability with OOXML to support users – it is increasingly difficult to develop entirely new features, so most of them are refinements or improvements of existing ones.”

The project continues working on interoperability, to continue to offer users compatibility with Microsoft Office’s OpenXML document format. (LibreOffice uses the Open Document Format, as specified in the ISO/IEC 26300 standard.)

Vignoli says that most users do not understand that by using Microsoft’s format they are giving up control over their content, because the company can block access to files at any time by introducing a change to the format that is handled only by the latest version of Office.

“In contrast, by choosing LibreOffice’s ISO standard format, users retain control over their own content, since ownership of the format is independent and no software will ever be able to introduce changes with the goal of blocking access to documents.”

Is LibreOffice secure?

The solution is not without bugs and security vulnerabilities but, according to Vignoli, going by the numbers based on the MITRE CVE database, LibreOffice is an order of magnitude better on the vulnerability front than closed source alternatives.

“This is the result of the extremely professional activity of the LibreOffice security team, which has been recognized for its mature vulnerability management practices and the commitment to cybersecurity for software users by being approved as a CVE Numbering Authority,” he says.

The project treats security as an ongoing effort, so when working on a new release, the activity aimed at removing bugs and exploitable vulnerabilities is no more intense than usual.

“All contributions are managed through Gerrit, a patch management system that requires each contribution to be reviewed by a senior developer. Next, Tinderboxes compile LibreOffice for different operating systems, and if the compilation is successful, the patches are integrated into the master source code,” he detailed the process.

“Only at this point does the automated testing phase begin, with the handling of more than 50,000 documents (opening, closing, editing) that is also tasked with analyzing any crashes in the application, and the manual testing phase by the volunteer quality assurance team.”

The activity aimed at avoiding bugs and regressions in the version released to users is continuous: after the announcement of the major release, there are minor releases on a monthly/bimonthly basis that fix the bugs and regressions that escaped the first testing phase.

“Vulnerabilities are handled in a completely different way. In most cases, they are detected with dedicated software by specialized labs, or by using fuzzing methodologies (e.g., the OSS-Fuzz suite provided free of charge by Google to all open-source projects). When a vulnerability report comes in, there is a team of software security experts who take action to verify the presence of the vulnerability and to fix it as quickly as possible. When this happens, a minor release is normally released and users are advised to upgrade immediately,” he added.

Security researchers can report potential vulnerabilities to a dedicated email address (officesecurity@lists.freedesktop.org) and the reports are verified within 48 hours.

If the vulnerability is confirmed, the team’s security experts work on the solution and assigns a number to the vulnerability, which is first communicated under embargo only to security experts to give everyone a chance to fix it (since vulnerabilities often involve software components common to multiple projects, and then entered into a public database 30 days after the date of the solution to be integrated into protection software. (If the reported bug does not represent a vulnerability, it will be worked on in the open as a regular issue.)

In early 2022, the EU sponsored bug bounty programs for several open-source solutions and LibreOffice was among them. While the results were positive, TDF has no plan to start a vulnerability reward program on their own, partly because there is already a large community of volunteers focused on quality assurance.

“Of course, this does not preclude thinking about something similar in the future, although resources are limited to individual user donations and thus are quite small. The situation would be completely different if companies using LibreOffice would invest an amount proportional to that donated by individual users,” he added.

Working on upstream and downstream supply chain security

As a CNA, The Document Foundation strives to provide an accurate description of each vulnerability to make it easier for developers of other open source projects that might be affected by the same problem.

LibreOffice itself integrates many components developed by other projects, so its developers are constantly refactoring libraries based on either new versions or new technologies available in the field.

“Overall, in addition to reducing dependencies and simplifying the code, refactoring has made LibreOffice easier to maintain and much more robust,” Vignoli noted.

“On the downstream side, open-source projects that integrate components developed by The Document Foundation, e.g., import filters for some proprietary formats (such as Microsoft Publisher and Visio, Apple Keynote, etc.), rely on the professionalism of LibreOffice developers. In fact, all libraries are used first by LibreOffice, so development respects the same quality process. The same is true, of course, for software based on the LibreOffice Technology platform, and thus for the mobile and cloud versions of LibreOffice released by companies in the ecosystem, which are then the same ones that contribute to the development of the desktop version.”

The EU Cyber Resilience Act and LibreOffice

The upcoming EU Cyber Resilience Act (CRA) aims to minimize the security risk of using products or software with a digital component, by introducing “mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.”

But the open-source community and various open-source projects have voiced their concern about the impact some of the requirements (and the associated cost and overhead) would have on them.

“The latest version, the one approved by the ITRE Commission in July, which will be discussed during the Trilogue starting in September, imposes the same kind of obligations on nonprofit foundations as commercial open-source projects, in the face of completely different economic potential and organizational characteristics,” Vignoli explained.

“In the case of LibreOffice, in addition to publishing extensive documentation on the development and security process – which is not a problem for content but is a problem for a project where most of the contributions are on a voluntary basis – it would be necessary to guarantee support for each version for 5 years from the date of release. With two major releases and a dozen minor releases per year, this is effectively untenable.”

Add to this the requirement of going through the registration process with the CE mark, which is quite expensive and impossible to manage for all releases, and the unavoidable result would be for LibreOffice to reduce the number of releases.

“This would have a disruptive impact on the development process and all related activities, and on the innovative capacity of the project,” he adds.

The Document Foundation is watching the evolution of the Cyber Resilience Act closely, has participated in most of the open-source community meetings, and has publicly commented on the first draft of the CRA.

“Unfortunately, so far all this has not helped much, because the lobbying activities put forth by proprietary software exponents – who have been loudly supporting the CRA since the first draft – have been more successful. But we have not yet completely given up hope,” Vignoli shared.

Until the requirements imposed by the Cyber Resilience Act are clear, TDF will not be making changes to LibreOffice development activities.

“But it is clear that we will have to change the attitude toward security communication, because many of the problems we will face stem from the fact that the open-source software industry has never communicated sufficiently about security, for fear that communication would be misunderstood (i.e., I talk about security to hide security issues). Unfortunately, poor communication has been interpreted in the complete opposite way, i.e., I don’t talk about security because I don’t deal with it,” he concluded.

Don't miss