Bug 25154 - libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01234]
Summary: libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01234]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-32-OK, MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 25718
Reported: 2019-07-20 00:48 CEST by Marc Krämer
Modified: 2019-11-30 14:07 CET

See Also:
Source RPM: libreoffice-6.2.3.2-3.mga7.src.rpm
CVE:
Status comment:


Description Marc Krämer 2019-07-20 00:48:11 CEST
Two severe security issues were discovered in libreoffice before 6.2.5:
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849
Marc Krämer 2019-07-20 00:48:53 CEST

Whiteboard: (none) => MGA6TOO

Jani Välimaa 2019-07-20 15:22:47 CEST

Component: RPM Packages => Security
QA Contact: (none) => security

David Walser 2019-07-20 15:54:41 CEST

Summary: new security issues in libreoffice => libreoffice new security issues CVE-2019-9848 and CVE-2019-9849

Comment 1 Marja Van Waes 2019-07-21 19:59:54 CEST
Assigning to our registered libreoffice maintainer.

Assignee: bugsquad => thierry.vignaud
CC: (none) => marja11

Comment 2 David Walser 2019-08-12 00:38:12 CEST
Debian and Ubuntu have issued advisories for this on July 16 and 17:
https://www.debian.org/security/2019/dsa-4483
https://usn.ubuntu.com/4063-1/

Severity: normal => major

Comment 3 David Walser 2019-08-13 00:52:38 CEST
Apparently CVE-2019-9848 was not actually fixed, and LibreLogo should be disabled:
https://www.theregister.co.uk/2019/07/30/libreoffice_macro_vulnerability/
Comment 4 David Walser 2019-08-16 20:18:28 CEST
Debian has issued an advisory on August 15, fixing the incomplete fixes:
https://www.debian.org/security/2019/dsa-4501

Summary: libreoffice new security issues CVE-2019-9848 and CVE-2019-9849 => libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[0-2]

Comment 5 David Walser 2019-08-28 22:25:32 CEST
Ubuntu has issued an advisory for this on August 19:
https://usn.ubuntu.com/4102-1/
Comment 6 David Walser 2019-11-26 22:02:12 CET
openSUSE has issued an advisory on September 25:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00139.html

It fixes these, and two new issues:
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9855/

6.2.7 should have all the fixes.

Summary: libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[0-2] => libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01245]

Thomas Backlund 2019-11-26 22:07:16 CET

Whiteboard: MGA6TOO => (none)
CC: (none) => tmb

Comment 7 Thierry Vignaud 2019-11-27 12:39:56 CET
libreoffice-6.2.8.2-1.mga7 has been uploaded into core/updates_testing

Depends on: (none) => 25718

David Walser 2019-11-27 18:52:05 CET

Blocks: (none) => 25718
Depends on: 25718 => (none)

Comment 8 David Walser 2019-11-27 19:05:22 CET
Advisory:
========================

Updated libreoffice packages fix security vulnerabilities:

LibreOffice has a feature where documents can specify that pre-installed
scripts can be executed on various document events such as mouse-over, etc.
LibreOffice is typically also bundled with LibreLogo, a programmable turtle
vector graphics script, which can be manipulated into executing arbitrary
python commands. By using the document event feature to trigger LibreLogo to
execute python contained within a document a malicious document could be
constructed which would execute arbitrary python commands silently without
warning. In the fixed versions, LibreLogo cannot be called from a document
event handler (CVE-2019-9848).

LibreOffice has a 'stealth mode' in which only documents from locations deemed
'trusted' are allowed to retrieve remote resources. This mode is not the
default mode, but can be enabled by users who want to disable LibreOffice's
ability to include remote resources within a document. A flaw existed where
bullet graphics were omitted from this protection (CVE-2019-9849).

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector
graphics script, which can execute arbitrary python commands contained within
the document it is launched from. LibreOffice also has a feature where
documents can specify that pre-installed scripts can be executed on various
document script events such as mouse-over, etc. Protection was added, to
address CVE-2019-9848, to block calling LibreLogo from script event handlers.
However an insufficient url validation vulnerability in LibreOffice allowed
malicious documents to bypass that protection and again trigger calling LibreLogo from
script event handlers (CVE-2019-9850).

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector
graphics script, which can execute arbitrary python commands contained within
the document it is launched from. Protection was added, to address
CVE-2019-9848, to block calling LibreLogo from document event script handlers,
e.g. mouse over. However LibreOffice also has a separate feature where
documents can specify that pre-installed scripts can be executed on various
global script events such as document-open, etc. In the fixed versions, global
script event handlers are validated equivalently to document script event
handlers (CVE-2019-9851).

LibreOffice has a feature where documents can specify that pre-installed
macros can be executed on various script events such as mouse-over,
document-open etc. Access is intended to be restricted to scripts under the
share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice
install. Protection was added, to address CVE-2018-16858, to avoid a directory
traversal attack where scripts in arbitrary locations on the file system could
be executed. However this new protection could be bypassed by a URL encoding
attack. In the fixed versions, the parsed url describing the script location
is correctly encoded before further processing (CVE-2019-9852).

LibreOffice documents can contain macros. The execution of those macros is
controlled by the document security settings, typically execution of macros
is blocked by default. A URL decoding flaw existed in how the urls to the
macros within the document were processed and categorized, resulting in the
possibility to construct a document where macro execution bypassed the
security settings. The documents were correctly detected as containing macros,
and prompted the user to their existence within the documents, but macros
within the document were subsequently not controlled by the security settings
allowing arbitrary macro execution (CVE-2019-9853).

LibreOffice has a feature where documents can specify that pre-installed
macros can be executed on various script events such as mouse-over,
document-open etc. Access is intended to be restricted to scripts under the
share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice
install. Protection was added, to address CVE-2019-9852, to avoid a directory
traversal attack where scripts in arbitrary locations on the file system could
be executed by employing a URL encoding attack to defeat the path verification
step. However this protection could be bypassed by taking advantage of a flaw
in how LibreOffice assembled the final script URL location directly from
components of the passed in path as opposed to solely from the sanitized
output of the path verification step (CVE-2019-9854).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9854
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/
========================

Updated packages in core/updates_testing:
========================
libreoffice-6.2.8.2-1.mga7
libreoffice-filters-6.2.8.2-1.mga7
libreoffice-core-6.2.8.2-1.mga7
libreoffice-pyuno-6.2.8.2-1.mga7
libreoffice-base-6.2.8.2-1.mga7
libreoffice-bsh-6.2.8.2-1.mga7
libreoffice-officebean-6.2.8.2-1.mga7
libreoffice-officebean-common-6.2.8.2-1.mga7
libreoffice-rhino-6.2.8.2-1.mga7
libreoffice-wiki-publisher-6.2.8.2-1.mga7
libreoffice-nlpsolver-6.2.8.2-1.mga7
libreoffice-ogltrans-6.2.8.2-1.mga7
libreoffice-pdfimport-6.2.8.2-1.mga7
libreoffice-opensymbol-fonts-6.2.8.2-1.mga7
libreoffice-writer-6.2.8.2-1.mga7
libreoffice-emailmerge-6.2.8.2-1.mga7
libreoffice-calc-6.2.8.2-1.mga7
libreoffice-draw-6.2.8.2-1.mga7
libreoffice-impress-6.2.8.2-1.mga7
libreoffice-math-6.2.8.2-1.mga7
libreoffice-graphicfilter-6.2.8.2-1.mga7
libreoffice-xsltfilter-6.2.8.2-1.mga7
libreoffice-postgresql-6.2.8.2-1.mga7
libreoffice-ure-6.2.8.2-1.mga7
libreoffice-ure-common-6.2.8.2-1.mga7
libreoffice-sdk-6.2.8.2-1.mga7
libreoffice-sdk-doc-6.2.8.2-1.mga7
libreoffice-glade-6.2.8.2-1.mga7
libreoffice-librelogo-6.2.8.2-1.mga7
libreoffice-data-6.2.8.2-1.mga7
libreoffice-x11-6.2.8.2-1.mga7
libreoffice-gtk3-6.2.8.2-1.mga7
libreoffice-kf5-6.2.8.2-1.mga7
libreofficekit-6.2.8.2-1.mga7
libreofficekit-devel-6.2.8.2-1.mga7
libreoffice-gdb-debug-support-6.2.8.2-1.mga7
libreoffice-langpack-en-6.2.8.2-1.mga7
libreoffice-help-en-6.2.8.2-1.mga7
libreoffice-langpack-af-6.2.8.2-1.mga7
libreoffice-langpack-ar-6.2.8.2-1.mga7
libreoffice-help-ar-6.2.8.2-1.mga7
libreoffice-langpack-as-6.2.8.2-1.mga7
libreoffice-langpack-bg-6.2.8.2-1.mga7
libreoffice-help-bg-6.2.8.2-1.mga7
libreoffice-langpack-bn-6.2.8.2-1.mga7
libreoffice-help-bn-6.2.8.2-1.mga7
libreoffice-langpack-br-6.2.8.2-1.mga7
libreoffice-langpack-ca-6.2.8.2-1.mga7
libreoffice-help-ca-6.2.8.2-1.mga7
libreoffice-langpack-cs-6.2.8.2-1.mga7
libreoffice-help-cs-6.2.8.2-1.mga7
libreoffice-langpack-cy-6.2.8.2-1.mga7
libreoffice-langpack-da-6.2.8.2-1.mga7
libreoffice-help-da-6.2.8.2-1.mga7
libreoffice-langpack-de-6.2.8.2-1.mga7
libreoffice-help-de-6.2.8.2-1.mga7
libreoffice-langpack-dz-6.2.8.2-1.mga7
libreoffice-help-dz-6.2.8.2-1.mga7
libreoffice-langpack-el-6.2.8.2-1.mga7
libreoffice-help-el-6.2.8.2-1.mga7
libreoffice-langpack-eo-6.2.8.2-1.mga7
libreoffice-help-eo-6.2.8.2-1.mga7
libreoffice-langpack-es-6.2.8.2-1.mga7
libreoffice-help-es-6.2.8.2-1.mga7
libreoffice-langpack-et-6.2.8.2-1.mga7
libreoffice-help-et-6.2.8.2-1.mga7
libreoffice-langpack-eu-6.2.8.2-1.mga7
libreoffice-help-eu-6.2.8.2-1.mga7
libreoffice-langpack-fa-6.2.8.2-1.mga7
libreoffice-langpack-fi-6.2.8.2-1.mga7
libreoffice-help-fi-6.2.8.2-1.mga7
libreoffice-langpack-fr-6.2.8.2-1.mga7
libreoffice-help-fr-6.2.8.2-1.mga7
libreoffice-langpack-ga-6.2.8.2-1.mga7
libreoffice-langpack-gl-6.2.8.2-1.mga7
libreoffice-help-gl-6.2.8.2-1.mga7
libreoffice-langpack-gu-6.2.8.2-1.mga7
libreoffice-help-gu-6.2.8.2-1.mga7
libreoffice-langpack-he-6.2.8.2-1.mga7
libreoffice-help-he-6.2.8.2-1.mga7
libreoffice-langpack-hi-6.2.8.2-1.mga7
libreoffice-help-hi-6.2.8.2-1.mga7
libreoffice-langpack-hr-6.2.8.2-1.mga7
libreoffice-help-hr-6.2.8.2-1.mga7
libreoffice-langpack-hu-6.2.8.2-1.mga7
libreoffice-help-hu-6.2.8.2-1.mga7
libreoffice-langpack-id-6.2.8.2-1.mga7
libreoffice-help-id-6.2.8.2-1.mga7
libreoffice-langpack-it-6.2.8.2-1.mga7
libreoffice-help-it-6.2.8.2-1.mga7
libreoffice-langpack-ja-6.2.8.2-1.mga7
libreoffice-help-ja-6.2.8.2-1.mga7
libreoffice-langpack-kk-6.2.8.2-1.mga7
libreoffice-langpack-kn-6.2.8.2-1.mga7
libreoffice-langpack-ko-6.2.8.2-1.mga7
libreoffice-help-ko-6.2.8.2-1.mga7
libreoffice-langpack-lt-6.2.8.2-1.mga7
libreoffice-help-lt-6.2.8.2-1.mga7
libreoffice-langpack-lv-6.2.8.2-1.mga7
libreoffice-help-lv-6.2.8.2-1.mga7
libreoffice-langpack-mai-6.2.8.2-1.mga7
libreoffice-langpack-ml-6.2.8.2-1.mga7
libreoffice-langpack-mr-6.2.8.2-1.mga7
libreoffice-langpack-nb-6.2.8.2-1.mga7
libreoffice-help-nb-6.2.8.2-1.mga7
libreoffice-langpack-nl-6.2.8.2-1.mga7
libreoffice-help-nl-6.2.8.2-1.mga7
libreoffice-langpack-nn-6.2.8.2-1.mga7
libreoffice-help-nn-6.2.8.2-1.mga7
libreoffice-langpack-nr-6.2.8.2-1.mga7
libreoffice-langpack-nso-6.2.8.2-1.mga7
libreoffice-langpack-or-6.2.8.2-1.mga7
libreoffice-langpack-pa-6.2.8.2-1.mga7
libreoffice-langpack-pl-6.2.8.2-1.mga7
libreoffice-help-pl-6.2.8.2-1.mga7
libreoffice-langpack-pt_BR-6.2.8.2-1.mga7
libreoffice-help-pt_BR-6.2.8.2-1.mga7
libreoffice-langpack-pt-6.2.8.2-1.mga7
libreoffice-help-pt-6.2.8.2-1.mga7
libreoffice-langpack-ro-6.2.8.2-1.mga7
libreoffice-help-ro-6.2.8.2-1.mga7
libreoffice-langpack-ru-6.2.8.2-1.mga7
libreoffice-help-ru-6.2.8.2-1.mga7
libreoffice-langpack-si-6.2.8.2-1.mga7
libreoffice-help-si-6.2.8.2-1.mga7
libreoffice-langpack-sk-6.2.8.2-1.mga7
libreoffice-help-sk-6.2.8.2-1.mga7
libreoffice-langpack-sl-6.2.8.2-1.mga7
libreoffice-help-sl-6.2.8.2-1.mga7
libreoffice-langpack-sr-6.2.8.2-1.mga7
libreoffice-langpack-ss-6.2.8.2-1.mga7
libreoffice-langpack-st-6.2.8.2-1.mga7
libreoffice-langpack-sv-6.2.8.2-1.mga7
libreoffice-help-sv-6.2.8.2-1.mga7
libreoffice-langpack-ta-6.2.8.2-1.mga7
libreoffice-help-ta-6.2.8.2-1.mga7
libreoffice-langpack-te-6.2.8.2-1.mga7
libreoffice-langpack-th-6.2.8.2-1.mga7
libreoffice-langpack-tn-6.2.8.2-1.mga7
libreoffice-langpack-tr-6.2.8.2-1.mga7
libreoffice-help-tr-6.2.8.2-1.mga7
libreoffice-langpack-ts-6.2.8.2-1.mga7
libreoffice-langpack-uk-6.2.8.2-1.mga7
libreoffice-help-uk-6.2.8.2-1.mga7
libreoffice-langpack-ve-6.2.8.2-1.mga7
libreoffice-langpack-xh-6.2.8.2-1.mga7
libreoffice-langpack-zh_CN-6.2.8.2-1.mga7
libreoffice-help-zh_CN-6.2.8.2-1.mga7
libreoffice-langpack-zh_TW-6.2.8.2-1.mga7
libreoffice-help-zh_TW-6.2.8.2-1.mga7
libreoffice-langpack-zu-6.2.8.2-1.mga7
autocorr-en-6.2.8.2-1.mga7
autocorr-af-6.2.8.2-1.mga7
autocorr-bg-6.2.8.2-1.mga7
autocorr-ca-6.2.8.2-1.mga7
autocorr-cs-6.2.8.2-1.mga7
autocorr-da-6.2.8.2-1.mga7
autocorr-de-6.2.8.2-1.mga7
autocorr-dsb-6.2.8.2-1.mga7
autocorr-el-6.2.8.2-1.mga7
autocorr-es-6.2.8.2-1.mga7
autocorr-fa-6.2.8.2-1.mga7
autocorr-fi-6.2.8.2-1.mga7
autocorr-fr-6.2.8.2-1.mga7
autocorr-ga-6.2.8.2-1.mga7
autocorr-hr-6.2.8.2-1.mga7
autocorr-hsb-6.2.8.2-1.mga7
autocorr-hu-6.2.8.2-1.mga7
autocorr-is-6.2.8.2-1.mga7
autocorr-it-6.2.8.2-1.mga7
autocorr-ja-6.2.8.2-1.mga7
autocorr-ko-6.2.8.2-1.mga7
autocorr-lb-6.2.8.2-1.mga7
autocorr-lt-6.2.8.2-1.mga7
autocorr-mn-6.2.8.2-1.mga7
autocorr-nl-6.2.8.2-1.mga7
autocorr-pl-6.2.8.2-1.mga7
autocorr-pt-6.2.8.2-1.mga7
autocorr-ro-6.2.8.2-1.mga7
autocorr-ru-6.2.8.2-1.mga7
autocorr-sk-6.2.8.2-1.mga7
autocorr-sl-6.2.8.2-1.mga7
autocorr-sr-6.2.8.2-1.mga7
autocorr-sv-6.2.8.2-1.mga7
autocorr-tr-6.2.8.2-1.mga7
autocorr-vi-6.2.8.2-1.mga7
autocorr-zh-6.2.8.2-1.mga7

from libreoffice-6.2.8.2-1.mga7.src.rpm

Summary: libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01245] => libreoffice new security issues CVE-2019-984[89] and CVE-2019-985[01234]
CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs
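
The two path-verification failures the advisory in Comment 8 describes for CVE-2019-9852 and CVE-2019-9854, modelled beside a hardened resolver. This is an added, simplified example, not LibreOffice's code and not part of the bug report; the install prefix, function names and sample inputs are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed install prefix; the two sub-directories are the ones the advisory names.
INSTALL = "/opt/office"
ROOTS = (f"{INSTALL}/share/Scripts/python", f"{INSTALL}/user/Scripts/python")


def _inside(path, root):
    return posixpath.commonpath([path, root]) == root


def resolve_check_before_decode(root, script):
    """Flawed (CVE-2019-9852 class): the '..' test sees the encoded form,
    while the path that is later opened is the decoded one."""
    if ".." in script.split("/"):
        raise ValueError("traversal rejected")
    return posixpath.normpath(posixpath.join(root, unquote(script)))


def resolve_check_then_rebuild(root, script):
    """Flawed (CVE-2019-9854 class): a sanitized copy is verified, but the
    final location is assembled from the passed-in path instead."""
    decoded = unquote(script)
    sanitized = "/".join(p for p in decoded.split("/") if p not in ("", ".", ".."))
    if not _inside(posixpath.join(root, sanitized), root):
        raise ValueError("outside script root")
    return posixpath.normpath(posixpath.join(root, decoded))  # not `sanitized`


def resolve_hardened(root, script):
    """Decode once, canonicalize, verify, and return the verified value itself."""
    if root not in ROOTS:
        raise ValueError("unknown script root")
    decoded = unquote(script)
    # A '%' left after one decode means nested encoding; reject rather than guess.
    if "%" in decoded or "\x00" in decoded or decoded.startswith("/"):
        raise ValueError("ambiguous or absolute script path")
    canonical = posixpath.normpath(posixpath.join(root, decoded))
    if canonical == root or not _inside(canonical, root):
        raise ValueError("outside script root")
    return canonical  # callers open this string and nothing else


def outcome(resolver, script, root=ROOTS[0]):
    """Return the resolved path, or the rejection reason as a string."""
    try:
        return resolver(root, script)
    except ValueError as exc:
        return f"rejected: {exc}"
```

On a real file system the hardened resolver would also resolve symlinks (for example with `os.path.realpath`) before the containment check.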

Comment 9 David Walser 2019-11-27 19:06:13 CET
We already had one successful test:
https://bugs.mageia.org/show_bug.cgi?id=25718#c8

CC: (none) => joselp

Comment 10 Brian Rockwell 2019-11-27 21:33:54 CET
$ uname -a
Linux localhost 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 23:07:33 UTC 2019 i686 i686 i386 GNU/Linux

Plasma 32-bit on VirtualBox

The following 35 packages are going to be installed:

- bsf-2.4.0-28.mga7.noarch
- bsh-2.0-13.b6.1.mga7.noarch
- firebird-3.0.4.33054-6.mga7.i586
- firebird-utils-3.0.4.33054-6.mga7.i586
- hawtjni-runtime-1.16-2.mga7.noarch
- jansi-1.17.1-1.mga7.noarch
- jansi-native-1.7-3.mga7.i586
- jline-2.14.6-2.mga7.noarch
- libfbclient2-3.0.4.33054-6.mga7.i586
- libib-util-3.0.4.33054-6.mga7.i586
- libreoffice-6.2.8.2-1.mga7.i586
- libreoffice-base-6.2.8.2-1.mga7.i586
- libreoffice-bsh-6.2.8.2-1.mga7.i586
- libreoffice-calc-6.2.8.2-1.mga7.i586
- libreoffice-core-6.2.8.2-1.mga7.i586
- libreoffice-data-6.2.8.2-1.mga7.noarch
- libreoffice-draw-6.2.8.2-1.mga7.i586
- libreoffice-emailmerge-6.2.8.2-1.mga7.i586
- libreoffice-filters-6.2.8.2-1.mga7.i586
- libreoffice-graphicfilter-6.2.8.2-1.mga7.i586
- libreoffice-gtk3-6.2.8.2-1.mga7.i586
- libreoffice-help-en-6.2.8.2-1.mga7.i586
- libreoffice-impress-6.2.8.2-1.mga7.i586
- libreoffice-kf5-6.2.8.2-1.mga7.i586
- libreoffice-langpack-en-6.2.8.2-1.mga7.i586
- libreoffice-math-6.2.8.2-1.mga7.i586
- libreoffice-opensymbol-fonts-6.2.8.2-1.mga7.noarch
- libreoffice-pdfimport-6.2.8.2-1.mga7.i586
- libreoffice-pyuno-6.2.8.2-1.mga7.i586
- libreoffice-ure-6.2.8.2-1.mga7.i586
- libreoffice-ure-common-6.2.8.2-1.mga7.noarch
- libreoffice-writer-6.2.8.2-1.mga7.i586
- libreoffice-x11-6.2.8.2-1.mga7.i586
- libreoffice-xsltfilter-6.2.8.2-1.mga7.i586
- libtommath1-1.1.0-1.mga7.i586

22MB of additional disk space will be used.

-- -- ---

$ libreoffice --version
LibreOffice 6.2.8.2 20(Build:2)

-------

Edited a local file in writer, a couple of remote files
Created a spreadsheet - that works
Impress - created a slide deck and saved it
Draw - created a masterpiece and saved it

works for me

CC: (none) => brtians1

Comment 11 Thomas Andrews 2019-11-29 23:21:56 CET
I love using qarepo on updates like this, with long lists of packages.

Updated on a 64-bit Plasma system. Loaded and edited several documents and spreadsheets, including a couple of old Word documents. Changed formulas in calc, changed fonts, added italics. Everything looks good.

Giving it the 64-bit OK from my test and the "other" successful test. Giving it the 32-bit Ok because of Brian's test. Validating. Advisory in Comment 8.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-32-OK, MGA7-64-OK

Thomas Backlund 2019-11-30 11:48:25 CET

Keywords: (none) => advisory

Comment 12 Mageia Robot 2019-11-30 14:07:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0340.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

