two severe security issues were discovered in libreoffice before 6.2.5: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848 https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849
Whiteboard: (none) => MGA6TOO
Component: RPM Packages => SecurityQA Contact: (none) => security
Summary: new security issues in libreoffice => libreoffice new security issues CVE-2019-9848 and CVE-2019-9849
Assigning to our registered libreoffice maintainer.
Assignee: bugsquad => thierry.vignaudCC: (none) => marja11
Debian and Ubuntu have issued advisories for this on July 16 and 17: https://www.debian.org/security/2019/dsa-4483 https://usn.ubuntu.com/4063-1/
Severity: normal => major
Apparently CVE-2019-9848 was not actually fixed, and LibreLogo should be disabled: https://www.theregister.co.uk/2019/07/30/libreoffice_macro_vulnerability/
Debian has issued an advisory on August 15, fixing the incomplete fixes: https://www.debian.org/security/2019/dsa-4501
Summary: libreoffice new security issues CVE-2019-9848 and CVE-2019-9849 => libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[0-2]
Ubuntu has issued an advisory for this on August 19: https://usn.ubuntu.com/4102-1/
openSUSE has issued an advisory on September 25: https://lists.opensuse.org/opensuse-updates/2019-09/msg00139.html It fixes these, and two new issues: https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/ https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9855/ 6.2.7 should have all the fixes.
Summary: libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[0-2] => libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01245]
Whiteboard: MGA6TOO => (none)CC: (none) => tmb
libreoffice-6.2.8.2-1.mga7 has been uploaded in to core/updates_testing
Depends on: (none) => 25718
Blocks: (none) => 25718Depends on: 25718 => (none)
Advisory: ======================== Updated libreoffice packages fix security vulnerabilities: LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler (CVE-2019-9848). LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection (CVE-2019-9849). LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers (CVE-2019-9850). LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers (CVE-2019-9851). LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing (CVE-2019-9852). LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution (CVE-2019-9853). LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step (CVE-2019-9854). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9848 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9849 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9850 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9851 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9852 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9853 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9854 https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848 https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849 https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850/ https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851/ https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852/ https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/ https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/ ======================== Updated packages in core/updates_testing: ======================== libreoffice-6.2.8.2-1.mga7 libreoffice-filters-6.2.8.2-1.mga7 libreoffice-core-6.2.8.2-1.mga7 libreoffice-pyuno-6.2.8.2-1.mga7 libreoffice-base-6.2.8.2-1.mga7 libreoffice-bsh-6.2.8.2-1.mga7 libreoffice-officebean-6.2.8.2-1.mga7 libreoffice-officebean-common-6.2.8.2-1.mga7 libreoffice-rhino-6.2.8.2-1.mga7 libreoffice-wiki-publisher-6.2.8.2-1.mga7 libreoffice-nlpsolver-6.2.8.2-1.mga7 libreoffice-ogltrans-6.2.8.2-1.mga7 libreoffice-pdfimport-6.2.8.2-1.mga7 libreoffice-opensymbol-fonts-6.2.8.2-1.mga7 libreoffice-writer-6.2.8.2-1.mga7 libreoffice-emailmerge-6.2.8.2-1.mga7 libreoffice-calc-6.2.8.2-1.mga7 libreoffice-draw-6.2.8.2-1.mga7 libreoffice-impress-6.2.8.2-1.mga7 libreoffice-math-6.2.8.2-1.mga7 libreoffice-graphicfilter-6.2.8.2-1.mga7 libreoffice-xsltfilter-6.2.8.2-1.mga7 libreoffice-postgresql-6.2.8.2-1.mga7 libreoffice-ure-6.2.8.2-1.mga7 libreoffice-ure-common-6.2.8.2-1.mga7 libreoffice-sdk-6.2.8.2-1.mga7 libreoffice-sdk-doc-6.2.8.2-1.mga7 libreoffice-glade-6.2.8.2-1.mga7 libreoffice-librelogo-6.2.8.2-1.mga7 libreoffice-data-6.2.8.2-1.mga7 libreoffice-x11-6.2.8.2-1.mga7 libreoffice-gtk3-6.2.8.2-1.mga7 libreoffice-kf5-6.2.8.2-1.mga7 libreofficekit-6.2.8.2-1.mga7 libreofficekit-devel-6.2.8.2-1.mga7 libreoffice-gdb-debug-support-6.2.8.2-1.mga7 libreoffice-langpack-en-6.2.8.2-1.mga7 libreoffice-help-en-6.2.8.2-1.mga7 libreoffice-langpack-af-6.2.8.2-1.mga7 libreoffice-langpack-ar-6.2.8.2-1.mga7 libreoffice-help-ar-6.2.8.2-1.mga7 libreoffice-langpack-as-6.2.8.2-1.mga7 libreoffice-langpack-bg-6.2.8.2-1.mga7 libreoffice-help-bg-6.2.8.2-1.mga7 libreoffice-langpack-bn-6.2.8.2-1.mga7 libreoffice-help-bn-6.2.8.2-1.mga7 libreoffice-langpack-br-6.2.8.2-1.mga7 libreoffice-langpack-ca-6.2.8.2-1.mga7 libreoffice-help-ca-6.2.8.2-1.mga7 libreoffice-langpack-cs-6.2.8.2-1.mga7 libreoffice-help-cs-6.2.8.2-1.mga7 libreoffice-langpack-cy-6.2.8.2-1.mga7 libreoffice-langpack-da-6.2.8.2-1.mga7 libreoffice-help-da-6.2.8.2-1.mga7 libreoffice-langpack-de-6.2.8.2-1.mga7 libreoffice-help-de-6.2.8.2-1.mga7 libreoffice-langpack-dz-6.2.8.2-1.mga7 libreoffice-help-dz-6.2.8.2-1.mga7 libreoffice-langpack-el-6.2.8.2-1.mga7 libreoffice-help-el-6.2.8.2-1.mga7 libreoffice-langpack-eo-6.2.8.2-1.mga7 libreoffice-help-eo-6.2.8.2-1.mga7 libreoffice-langpack-es-6.2.8.2-1.mga7 libreoffice-help-es-6.2.8.2-1.mga7 libreoffice-langpack-et-6.2.8.2-1.mga7 libreoffice-help-et-6.2.8.2-1.mga7 libreoffice-langpack-eu-6.2.8.2-1.mga7 libreoffice-help-eu-6.2.8.2-1.mga7 libreoffice-langpack-fa-6.2.8.2-1.mga7 libreoffice-langpack-fi-6.2.8.2-1.mga7 libreoffice-help-fi-6.2.8.2-1.mga7 libreoffice-langpack-fr-6.2.8.2-1.mga7 libreoffice-help-fr-6.2.8.2-1.mga7 libreoffice-langpack-ga-6.2.8.2-1.mga7 libreoffice-langpack-gl-6.2.8.2-1.mga7 libreoffice-help-gl-6.2.8.2-1.mga7 libreoffice-langpack-gu-6.2.8.2-1.mga7 libreoffice-help-gu-6.2.8.2-1.mga7 libreoffice-langpack-he-6.2.8.2-1.mga7 libreoffice-help-he-6.2.8.2-1.mga7 libreoffice-langpack-hi-6.2.8.2-1.mga7 libreoffice-help-hi-6.2.8.2-1.mga7 libreoffice-langpack-hr-6.2.8.2-1.mga7 libreoffice-help-hr-6.2.8.2-1.mga7 libreoffice-langpack-hu-6.2.8.2-1.mga7 libreoffice-help-hu-6.2.8.2-1.mga7 libreoffice-langpack-id-6.2.8.2-1.mga7 libreoffice-help-id-6.2.8.2-1.mga7 libreoffice-langpack-it-6.2.8.2-1.mga7 libreoffice-help-it-6.2.8.2-1.mga7 libreoffice-langpack-ja-6.2.8.2-1.mga7 libreoffice-help-ja-6.2.8.2-1.mga7 libreoffice-langpack-kk-6.2.8.2-1.mga7 libreoffice-langpack-kn-6.2.8.2-1.mga7 libreoffice-langpack-ko-6.2.8.2-1.mga7 libreoffice-help-ko-6.2.8.2-1.mga7 libreoffice-langpack-lt-6.2.8.2-1.mga7 libreoffice-help-lt-6.2.8.2-1.mga7 libreoffice-langpack-lv-6.2.8.2-1.mga7 libreoffice-help-lv-6.2.8.2-1.mga7 libreoffice-langpack-mai-6.2.8.2-1.mga7 libreoffice-langpack-ml-6.2.8.2-1.mga7 libreoffice-langpack-mr-6.2.8.2-1.mga7 libreoffice-langpack-nb-6.2.8.2-1.mga7 libreoffice-help-nb-6.2.8.2-1.mga7 libreoffice-langpack-nl-6.2.8.2-1.mga7 libreoffice-help-nl-6.2.8.2-1.mga7 libreoffice-langpack-nn-6.2.8.2-1.mga7 libreoffice-help-nn-6.2.8.2-1.mga7 libreoffice-langpack-nr-6.2.8.2-1.mga7 libreoffice-langpack-nso-6.2.8.2-1.mga7 libreoffice-langpack-or-6.2.8.2-1.mga7 libreoffice-langpack-pa-6.2.8.2-1.mga7 libreoffice-langpack-pl-6.2.8.2-1.mga7 libreoffice-help-pl-6.2.8.2-1.mga7 libreoffice-langpack-pt_BR-6.2.8.2-1.mga7 libreoffice-help-pt_BR-6.2.8.2-1.mga7 libreoffice-langpack-pt-6.2.8.2-1.mga7 libreoffice-help-pt-6.2.8.2-1.mga7 libreoffice-langpack-ro-6.2.8.2-1.mga7 libreoffice-help-ro-6.2.8.2-1.mga7 libreoffice-langpack-ru-6.2.8.2-1.mga7 libreoffice-help-ru-6.2.8.2-1.mga7 libreoffice-langpack-si-6.2.8.2-1.mga7 libreoffice-help-si-6.2.8.2-1.mga7 libreoffice-langpack-sk-6.2.8.2-1.mga7 libreoffice-help-sk-6.2.8.2-1.mga7 libreoffice-langpack-sl-6.2.8.2-1.mga7 libreoffice-help-sl-6.2.8.2-1.mga7 libreoffice-langpack-sr-6.2.8.2-1.mga7 libreoffice-langpack-ss-6.2.8.2-1.mga7 libreoffice-langpack-st-6.2.8.2-1.mga7 libreoffice-langpack-sv-6.2.8.2-1.mga7 libreoffice-help-sv-6.2.8.2-1.mga7 libreoffice-langpack-ta-6.2.8.2-1.mga7 libreoffice-help-ta-6.2.8.2-1.mga7 libreoffice-langpack-te-6.2.8.2-1.mga7 libreoffice-langpack-th-6.2.8.2-1.mga7 libreoffice-langpack-tn-6.2.8.2-1.mga7 libreoffice-langpack-tr-6.2.8.2-1.mga7 libreoffice-help-tr-6.2.8.2-1.mga7 libreoffice-langpack-ts-6.2.8.2-1.mga7 libreoffice-langpack-uk-6.2.8.2-1.mga7 libreoffice-help-uk-6.2.8.2-1.mga7 libreoffice-langpack-ve-6.2.8.2-1.mga7 libreoffice-langpack-xh-6.2.8.2-1.mga7 libreoffice-langpack-zh_CN-6.2.8.2-1.mga7 libreoffice-help-zh_CN-6.2.8.2-1.mga7 libreoffice-langpack-zh_TW-6.2.8.2-1.mga7 libreoffice-help-zh_TW-6.2.8.2-1.mga7 libreoffice-langpack-zu-6.2.8.2-1.mga7 autocorr-en-6.2.8.2-1.mga7 autocorr-af-6.2.8.2-1.mga7 autocorr-bg-6.2.8.2-1.mga7 autocorr-ca-6.2.8.2-1.mga7 autocorr-cs-6.2.8.2-1.mga7 autocorr-da-6.2.8.2-1.mga7 autocorr-de-6.2.8.2-1.mga7 autocorr-dsb-6.2.8.2-1.mga7 autocorr-el-6.2.8.2-1.mga7 autocorr-es-6.2.8.2-1.mga7 autocorr-fa-6.2.8.2-1.mga7 autocorr-fi-6.2.8.2-1.mga7 autocorr-fr-6.2.8.2-1.mga7 autocorr-ga-6.2.8.2-1.mga7 autocorr-hr-6.2.8.2-1.mga7 autocorr-hsb-6.2.8.2-1.mga7 autocorr-hu-6.2.8.2-1.mga7 autocorr-is-6.2.8.2-1.mga7 autocorr-it-6.2.8.2-1.mga7 autocorr-ja-6.2.8.2-1.mga7 autocorr-ko-6.2.8.2-1.mga7 autocorr-lb-6.2.8.2-1.mga7 autocorr-lt-6.2.8.2-1.mga7 autocorr-mn-6.2.8.2-1.mga7 autocorr-nl-6.2.8.2-1.mga7 autocorr-pl-6.2.8.2-1.mga7 autocorr-pt-6.2.8.2-1.mga7 autocorr-ro-6.2.8.2-1.mga7 autocorr-ru-6.2.8.2-1.mga7 autocorr-sk-6.2.8.2-1.mga7 autocorr-sl-6.2.8.2-1.mga7 autocorr-sr-6.2.8.2-1.mga7 autocorr-sv-6.2.8.2-1.mga7 autocorr-tr-6.2.8.2-1.mga7 autocorr-vi-6.2.8.2-1.mga7 autocorr-zh-6.2.8.2-1.mga7 from libreoffice-6.2.8.2-1.mga7.src.rpm
Summary: libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01245] => libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01234]CC: (none) => thierry.vignaudAssignee: thierry.vignaud => qa-bugs
We already had one successful test: https://bugs.mageia.org/show_bug.cgi?id=25718#c8
CC: (none) => joselp
$ uname -a Linux localhost 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 23:07:33 UTC 2019 i686 i686 i386 GNU/Linux Plasma 32-bit on VirtualBox The following 35 packages are going to be installed: - bsf-2.4.0-28.mga7.noarch - bsh-2.0-13.b6.1.mga7.noarch - firebird-3.0.4.33054-6.mga7.i586 - firebird-utils-3.0.4.33054-6.mga7.i586 - hawtjni-runtime-1.16-2.mga7.noarch - jansi-1.17.1-1.mga7.noarch - jansi-native-1.7-3.mga7.i586 - jline-2.14.6-2.mga7.noarch - libfbclient2-3.0.4.33054-6.mga7.i586 - libib-util-3.0.4.33054-6.mga7.i586 - libreoffice-6.2.8.2-1.mga7.i586 - libreoffice-base-6.2.8.2-1.mga7.i586 - libreoffice-bsh-6.2.8.2-1.mga7.i586 - libreoffice-calc-6.2.8.2-1.mga7.i586 - libreoffice-core-6.2.8.2-1.mga7.i586 - libreoffice-data-6.2.8.2-1.mga7.noarch - libreoffice-draw-6.2.8.2-1.mga7.i586 - libreoffice-emailmerge-6.2.8.2-1.mga7.i586 - libreoffice-filters-6.2.8.2-1.mga7.i586 - libreoffice-graphicfilter-6.2.8.2-1.mga7.i586 - libreoffice-gtk3-6.2.8.2-1.mga7.i586 - libreoffice-help-en-6.2.8.2-1.mga7.i586 - libreoffice-impress-6.2.8.2-1.mga7.i586 - libreoffice-kf5-6.2.8.2-1.mga7.i586 - libreoffice-langpack-en-6.2.8.2-1.mga7.i586 - libreoffice-math-6.2.8.2-1.mga7.i586 - libreoffice-opensymbol-fonts-6.2.8.2-1.mga7.noarch - libreoffice-pdfimport-6.2.8.2-1.mga7.i586 - libreoffice-pyuno-6.2.8.2-1.mga7.i586 - libreoffice-ure-6.2.8.2-1.mga7.i586 - libreoffice-ure-common-6.2.8.2-1.mga7.noarch - libreoffice-writer-6.2.8.2-1.mga7.i586 - libreoffice-x11-6.2.8.2-1.mga7.i586 - libreoffice-xsltfilter-6.2.8.2-1.mga7.i586 - libtommath1-1.1.0-1.mga7.i586 22MB of additional disk space will be used. -- -- --- $ libreoffice --version LibreOffice 6.2.8.2 20(Build:2) ------- Edited a local file in writer, a couple of remote files Created a spreadsheet - that works Impress - created a slide deck and saved it Draw - created a masterpiece and saved it works for me
CC: (none) => brtians1
I love using qarepo on updates like this, with long lists of packages. Updated on a 64-bit Plasma system. Loaded and edited several documents and spreadsheets, including a couple of old Word documents. Changed formulas in calc, changed fonts, added italics. Everything looks good. Giving it the 64-bit OK from my test and the "other" successful test. Giving it the 32-bit Ok because of Brian's test. Validating. Advisory in Comment 8.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_updateWhiteboard: (none) => MGA7-32-OK, MGA7-64-OK
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0340.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED