| Summary: | libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01234] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, joselp, marja11, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-32-OK, MGA7-64-OK | ||
| Source RPM: | libreoffice-6.2.3.2-3.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 25718 | ||
Description
Marc Krämer
2019-07-20 00:48:11 CEST
Marc Krämer
2019-07-20 00:48:53 CEST
Whiteboard:
(none) =>
MGA6TOO
Jani Välimaa
2019-07-20 15:22:47 CEST
Component:
RPM Packages =>
Security
David Walser
2019-07-20 15:54:41 CEST
Summary:
new security issues in libreoffice =>
libreoffice new security issues CVE-2019-9848 and CVE-2019-9849

Assigning to our registered libreoffice maintainer.

Assignee:
bugsquad =>
thierry.vignaud

Debian and Ubuntu have issued advisories for this on July 16 and 17:
https://www.debian.org/security/2019/dsa-4483
https://usn.ubuntu.com/4063-1/

Severity:
normal =>
major

Apparently CVE-2019-9848 was not actually fixed, and LibreLogo should be disabled:
https://www.theregister.co.uk/2019/07/30/libreoffice_macro_vulnerability/

Debian has issued an advisory on August 15, fixing the incomplete fixes:
https://www.debian.org/security/2019/dsa-4501

Summary:
libreoffice new security issues CVE-2019-9848 and CVE-2019-9849 =>
libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[0-2]

Ubuntu has issued an advisory for this on August 19:
https://usn.ubuntu.com/4102-1/

openSUSE has issued an advisory on September 25:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00139.html

It fixes these, and two new issues:
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9855/

6.2.7 should have all the fixes.

Summary:
libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[0-2] =>
libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01245]
Thomas Backlund
2019-11-26 22:07:16 CET
Whiteboard:
MGA6TOO =>
(none)

libreoffice-6.2.8.2-1.mga7 has been uploaded in to core/updates_testing

Depends on:
(none) =>
25718
David Walser
2019-11-27 18:52:05 CET
Blocks:
(none) =>
25718

Advisory:
========================

Updated libreoffice packages fix security vulnerabilities:

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler (CVE-2019-9848).

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection (CVE-2019-9849).

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers (CVE-2019-9850).

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers (CVE-2019-9851).

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing (CVE-2019-9852).

LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution (CVE-2019-9853).

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step (CVE-2019-9854).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9854
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/
========================

Updated packages in core/updates_testing:
========================
libreoffice-6.2.8.2-1.mga7 libreoffice-filters-6.2.8.2-1.mga7 libreoffice-core-6.2.8.2-1.mga7 libreoffice-pyuno-6.2.8.2-1.mga7 libreoffice-base-6.2.8.2-1.mga7 libreoffice-bsh-6.2.8.2-1.mga7 libreoffice-officebean-6.2.8.2-1.mga7 libreoffice-officebean-common-6.2.8.2-1.mga7 libreoffice-rhino-6.2.8.2-1.mga7
libreoffice-wiki-publisher-6.2.8.2-1.mga7 libreoffice-nlpsolver-6.2.8.2-1.mga7 libreoffice-ogltrans-6.2.8.2-1.mga7 libreoffice-pdfimport-6.2.8.2-1.mga7 libreoffice-opensymbol-fonts-6.2.8.2-1.mga7 libreoffice-writer-6.2.8.2-1.mga7 libreoffice-emailmerge-6.2.8.2-1.mga7 libreoffice-calc-6.2.8.2-1.mga7 libreoffice-draw-6.2.8.2-1.mga7 libreoffice-impress-6.2.8.2-1.mga7 libreoffice-math-6.2.8.2-1.mga7 libreoffice-graphicfilter-6.2.8.2-1.mga7 libreoffice-xsltfilter-6.2.8.2-1.mga7 libreoffice-postgresql-6.2.8.2-1.mga7 libreoffice-ure-6.2.8.2-1.mga7 libreoffice-ure-common-6.2.8.2-1.mga7 libreoffice-sdk-6.2.8.2-1.mga7 libreoffice-sdk-doc-6.2.8.2-1.mga7 libreoffice-glade-6.2.8.2-1.mga7 libreoffice-librelogo-6.2.8.2-1.mga7 libreoffice-data-6.2.8.2-1.mga7 libreoffice-x11-6.2.8.2-1.mga7 libreoffice-gtk3-6.2.8.2-1.mga7 libreoffice-kf5-6.2.8.2-1.mga7 libreofficekit-6.2.8.2-1.mga7 libreofficekit-devel-6.2.8.2-1.mga7 libreoffice-gdb-debug-support-6.2.8.2-1.mga7 libreoffice-langpack-en-6.2.8.2-1.mga7 libreoffice-help-en-6.2.8.2-1.mga7 libreoffice-langpack-af-6.2.8.2-1.mga7 libreoffice-langpack-ar-6.2.8.2-1.mga7 libreoffice-help-ar-6.2.8.2-1.mga7 libreoffice-langpack-as-6.2.8.2-1.mga7 libreoffice-langpack-bg-6.2.8.2-1.mga7 libreoffice-help-bg-6.2.8.2-1.mga7 libreoffice-langpack-bn-6.2.8.2-1.mga7 libreoffice-help-bn-6.2.8.2-1.mga7 libreoffice-langpack-br-6.2.8.2-1.mga7 libreoffice-langpack-ca-6.2.8.2-1.mga7 libreoffice-help-ca-6.2.8.2-1.mga7 libreoffice-langpack-cs-6.2.8.2-1.mga7 libreoffice-help-cs-6.2.8.2-1.mga7 libreoffice-langpack-cy-6.2.8.2-1.mga7 libreoffice-langpack-da-6.2.8.2-1.mga7 libreoffice-help-da-6.2.8.2-1.mga7 libreoffice-langpack-de-6.2.8.2-1.mga7 libreoffice-help-de-6.2.8.2-1.mga7 libreoffice-langpack-dz-6.2.8.2-1.mga7 libreoffice-help-dz-6.2.8.2-1.mga7 libreoffice-langpack-el-6.2.8.2-1.mga7 libreoffice-help-el-6.2.8.2-1.mga7 libreoffice-langpack-eo-6.2.8.2-1.mga7 libreoffice-help-eo-6.2.8.2-1.mga7 libreoffice-langpack-es-6.2.8.2-1.mga7 
libreoffice-help-es-6.2.8.2-1.mga7 libreoffice-langpack-et-6.2.8.2-1.mga7 libreoffice-help-et-6.2.8.2-1.mga7 libreoffice-langpack-eu-6.2.8.2-1.mga7 libreoffice-help-eu-6.2.8.2-1.mga7 libreoffice-langpack-fa-6.2.8.2-1.mga7 libreoffice-langpack-fi-6.2.8.2-1.mga7 libreoffice-help-fi-6.2.8.2-1.mga7 libreoffice-langpack-fr-6.2.8.2-1.mga7 libreoffice-help-fr-6.2.8.2-1.mga7 libreoffice-langpack-ga-6.2.8.2-1.mga7 libreoffice-langpack-gl-6.2.8.2-1.mga7 libreoffice-help-gl-6.2.8.2-1.mga7 libreoffice-langpack-gu-6.2.8.2-1.mga7 libreoffice-help-gu-6.2.8.2-1.mga7 libreoffice-langpack-he-6.2.8.2-1.mga7 libreoffice-help-he-6.2.8.2-1.mga7 libreoffice-langpack-hi-6.2.8.2-1.mga7 libreoffice-help-hi-6.2.8.2-1.mga7 libreoffice-langpack-hr-6.2.8.2-1.mga7 libreoffice-help-hr-6.2.8.2-1.mga7 libreoffice-langpack-hu-6.2.8.2-1.mga7 libreoffice-help-hu-6.2.8.2-1.mga7 libreoffice-langpack-id-6.2.8.2-1.mga7 libreoffice-help-id-6.2.8.2-1.mga7 libreoffice-langpack-it-6.2.8.2-1.mga7 libreoffice-help-it-6.2.8.2-1.mga7 libreoffice-langpack-ja-6.2.8.2-1.mga7 libreoffice-help-ja-6.2.8.2-1.mga7 libreoffice-langpack-kk-6.2.8.2-1.mga7 libreoffice-langpack-kn-6.2.8.2-1.mga7 libreoffice-langpack-ko-6.2.8.2-1.mga7 libreoffice-help-ko-6.2.8.2-1.mga7 libreoffice-langpack-lt-6.2.8.2-1.mga7 libreoffice-help-lt-6.2.8.2-1.mga7 libreoffice-langpack-lv-6.2.8.2-1.mga7 libreoffice-help-lv-6.2.8.2-1.mga7 libreoffice-langpack-mai-6.2.8.2-1.mga7 libreoffice-langpack-ml-6.2.8.2-1.mga7 libreoffice-langpack-mr-6.2.8.2-1.mga7 libreoffice-langpack-nb-6.2.8.2-1.mga7 libreoffice-help-nb-6.2.8.2-1.mga7 libreoffice-langpack-nl-6.2.8.2-1.mga7 libreoffice-help-nl-6.2.8.2-1.mga7 libreoffice-langpack-nn-6.2.8.2-1.mga7 libreoffice-help-nn-6.2.8.2-1.mga7 libreoffice-langpack-nr-6.2.8.2-1.mga7 libreoffice-langpack-nso-6.2.8.2-1.mga7 libreoffice-langpack-or-6.2.8.2-1.mga7 libreoffice-langpack-pa-6.2.8.2-1.mga7 libreoffice-langpack-pl-6.2.8.2-1.mga7 libreoffice-help-pl-6.2.8.2-1.mga7 libreoffice-langpack-pt_BR-6.2.8.2-1.mga7 
libreoffice-help-pt_BR-6.2.8.2-1.mga7 libreoffice-langpack-pt-6.2.8.2-1.mga7 libreoffice-help-pt-6.2.8.2-1.mga7 libreoffice-langpack-ro-6.2.8.2-1.mga7 libreoffice-help-ro-6.2.8.2-1.mga7 libreoffice-langpack-ru-6.2.8.2-1.mga7 libreoffice-help-ru-6.2.8.2-1.mga7 libreoffice-langpack-si-6.2.8.2-1.mga7 libreoffice-help-si-6.2.8.2-1.mga7 libreoffice-langpack-sk-6.2.8.2-1.mga7 libreoffice-help-sk-6.2.8.2-1.mga7 libreoffice-langpack-sl-6.2.8.2-1.mga7 libreoffice-help-sl-6.2.8.2-1.mga7 libreoffice-langpack-sr-6.2.8.2-1.mga7 libreoffice-langpack-ss-6.2.8.2-1.mga7 libreoffice-langpack-st-6.2.8.2-1.mga7 libreoffice-langpack-sv-6.2.8.2-1.mga7 libreoffice-help-sv-6.2.8.2-1.mga7 libreoffice-langpack-ta-6.2.8.2-1.mga7 libreoffice-help-ta-6.2.8.2-1.mga7 libreoffice-langpack-te-6.2.8.2-1.mga7 libreoffice-langpack-th-6.2.8.2-1.mga7 libreoffice-langpack-tn-6.2.8.2-1.mga7 libreoffice-langpack-tr-6.2.8.2-1.mga7 libreoffice-help-tr-6.2.8.2-1.mga7 libreoffice-langpack-ts-6.2.8.2-1.mga7 libreoffice-langpack-uk-6.2.8.2-1.mga7 libreoffice-help-uk-6.2.8.2-1.mga7 libreoffice-langpack-ve-6.2.8.2-1.mga7 libreoffice-langpack-xh-6.2.8.2-1.mga7 libreoffice-langpack-zh_CN-6.2.8.2-1.mga7 libreoffice-help-zh_CN-6.2.8.2-1.mga7 libreoffice-langpack-zh_TW-6.2.8.2-1.mga7 libreoffice-help-zh_TW-6.2.8.2-1.mga7 libreoffice-langpack-zu-6.2.8.2-1.mga7 autocorr-en-6.2.8.2-1.mga7 autocorr-af-6.2.8.2-1.mga7 autocorr-bg-6.2.8.2-1.mga7 autocorr-ca-6.2.8.2-1.mga7 autocorr-cs-6.2.8.2-1.mga7 autocorr-da-6.2.8.2-1.mga7 autocorr-de-6.2.8.2-1.mga7 autocorr-dsb-6.2.8.2-1.mga7 autocorr-el-6.2.8.2-1.mga7 autocorr-es-6.2.8.2-1.mga7 autocorr-fa-6.2.8.2-1.mga7 autocorr-fi-6.2.8.2-1.mga7 autocorr-fr-6.2.8.2-1.mga7 autocorr-ga-6.2.8.2-1.mga7 autocorr-hr-6.2.8.2-1.mga7 autocorr-hsb-6.2.8.2-1.mga7 autocorr-hu-6.2.8.2-1.mga7 autocorr-is-6.2.8.2-1.mga7 autocorr-it-6.2.8.2-1.mga7 autocorr-ja-6.2.8.2-1.mga7 autocorr-ko-6.2.8.2-1.mga7 autocorr-lb-6.2.8.2-1.mga7 autocorr-lt-6.2.8.2-1.mga7 autocorr-mn-6.2.8.2-1.mga7 
autocorr-nl-6.2.8.2-1.mga7 autocorr-pl-6.2.8.2-1.mga7 autocorr-pt-6.2.8.2-1.mga7 autocorr-ro-6.2.8.2-1.mga7 autocorr-ru-6.2.8.2-1.mga7 autocorr-sk-6.2.8.2-1.mga7 autocorr-sl-6.2.8.2-1.mga7 autocorr-sr-6.2.8.2-1.mga7 autocorr-sv-6.2.8.2-1.mga7 autocorr-tr-6.2.8.2-1.mga7 autocorr-vi-6.2.8.2-1.mga7 autocorr-zh-6.2.8.2-1.mga7

from libreoffice-6.2.8.2-1.mga7.src.rpm

Summary:
libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01245] =>
libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01234]

We already had one successful test:
https://bugs.mageia.org/show_bug.cgi?id=25718#c8

CC:
(none) =>
joselp

$ uname -a
Linux localhost 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 23:07:33 UTC 2019 i686 i686 i386 GNU/Linux

Plasma 32-bit on VirtualBox

The following 35 packages are going to be installed:
- bsf-2.4.0-28.mga7.noarch
- bsh-2.0-13.b6.1.mga7.noarch
- firebird-3.0.4.33054-6.mga7.i586
- firebird-utils-3.0.4.33054-6.mga7.i586
- hawtjni-runtime-1.16-2.mga7.noarch
- jansi-1.17.1-1.mga7.noarch
- jansi-native-1.7-3.mga7.i586
- jline-2.14.6-2.mga7.noarch
- libfbclient2-3.0.4.33054-6.mga7.i586
- libib-util-3.0.4.33054-6.mga7.i586
- libreoffice-6.2.8.2-1.mga7.i586
- libreoffice-base-6.2.8.2-1.mga7.i586
- libreoffice-bsh-6.2.8.2-1.mga7.i586
- libreoffice-calc-6.2.8.2-1.mga7.i586
- libreoffice-core-6.2.8.2-1.mga7.i586
- libreoffice-data-6.2.8.2-1.mga7.noarch
- libreoffice-draw-6.2.8.2-1.mga7.i586
- libreoffice-emailmerge-6.2.8.2-1.mga7.i586
- libreoffice-filters-6.2.8.2-1.mga7.i586
- libreoffice-graphicfilter-6.2.8.2-1.mga7.i586
- libreoffice-gtk3-6.2.8.2-1.mga7.i586
- libreoffice-help-en-6.2.8.2-1.mga7.i586
- libreoffice-impress-6.2.8.2-1.mga7.i586
- libreoffice-kf5-6.2.8.2-1.mga7.i586
- libreoffice-langpack-en-6.2.8.2-1.mga7.i586
- libreoffice-math-6.2.8.2-1.mga7.i586
- libreoffice-opensymbol-fonts-6.2.8.2-1.mga7.noarch
- libreoffice-pdfimport-6.2.8.2-1.mga7.i586
- libreoffice-pyuno-6.2.8.2-1.mga7.i586
- libreoffice-ure-6.2.8.2-1.mga7.i586
- libreoffice-ure-common-6.2.8.2-1.mga7.noarch
- libreoffice-writer-6.2.8.2-1.mga7.i586
- libreoffice-x11-6.2.8.2-1.mga7.i586
- libreoffice-xsltfilter-6.2.8.2-1.mga7.i586
- libtommath1-1.1.0-1.mga7.i586
22MB of additional disk space will be used.
-- -- ---

$ libreoffice --version
LibreOffice 6.2.8.2 20(Build:2)
-------

Edited a local file in writer, a couple of remote files
Created a spreadsheet - that works
Impress - created a slide deck and saved it
Draw - created a masterpiece and saved it

works for me

CC:
(none) =>
brtians1

I love using qarepo on updates like this, with long lists of packages.

Updated on a 64-bit Plasma system. Loaded and edited several documents and spreadsheets, including a couple of old Word documents. Changed formulas in calc, changed fonts, added italics. Everything looks good.

Giving it the 64-bit OK from my test and the "other" successful test. Giving it the 32-bit Ok because of Brian's test. Validating. Advisory in Comment 8.

CC:
(none) =>
andrewsfarm, sysadmin-bugs
Thomas Backlund
2019-11-30 11:48:25 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0340.html

Resolution:
(none) =>
FIXED
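
The advisory text for CVE-2019-9852 and CVE-2019-9854 describes two ways a script-path check can fail: validating a path before it is URL-decoded, and building the final location from the caller's input instead of from the verified result. The Python below is an added example, not LibreOffice or Mageia code; the install prefix, function names and sample inputs are hypothetical and constructed for illustration.

```python
import os
from urllib.parse import unquote

# Hypothetical install prefix; the advisory names only the two sub-directories.
ALLOWED_ROOTS = ("/opt/office/share/Scripts/python",
                 "/opt/office/user/Scripts/python")
# Constructed sample inputs, not taken from any real document.
SAMPLES = ["Capitalise.py", "%2e%2e/%2e%2e/outside.py",
           "%252e%252e/x.py", "../python_evil/x.py"]


class ScriptPathError(ValueError):
    """Raised when a requested script is not inside an allowed root."""


def naive_check(root, raw):
    """Weak pattern: inspects the raw string, then decodes and joins it."""
    if ".." in raw:
        raise ScriptPathError("traversal")
    # Decoding happens after the check, and the result is built from `raw`.
    return os.path.join(root, unquote(raw))


def resolve_script(root, raw):
    """Decode once, canonicalize, verify containment, return only that value."""
    if root not in ALLOWED_ROOTS:
        raise ScriptPathError("unknown root")
    decoded = unquote(raw)
    if "%" in decoded or "\x00" in decoded:
        # Still looks encoded after one pass (double encoding), or has a NUL.
        raise ScriptPathError("suspicious encoding")
    # normpath keeps the example offline; use realpath where symlinks may exist.
    candidate = os.path.normpath(os.path.join(root, decoded))
    # commonpath compares whole components, so 'python_evil' is not 'python'.
    if os.path.commonpath([root, candidate]) != root:
        raise ScriptPathError("outside allowed root")
    return candidate  # callers load this path, never one rebuilt from `raw`


def audit(root, samples=SAMPLES):
    """Map each sample to its resolved path, or None when it is rejected."""
    results = {}
    for sample in samples:
        try:
            results[sample] = resolve_script(root, sample)
        except ScriptPathError:
            results[sample] = None
    return results


if __name__ == "__main__":
    for name, path in audit(ALLOWED_ROOTS[0]).items():
        print(f"{name!r:32} -> {path or 'REJECTED'}")
```
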