[ASA-201908-9] libreoffice-still: multiple issues

Jelle van der Waa jelle at archlinux.org
Sat Aug 24 13:36:52 UTC 2019


Arch Linux Security Advisory ASA-201908-9
=========================================

Severity: High
Date    : 2019-08-16
CVE-ID  : CVE-2019-9848 CVE-2019-9849
Package : libreoffice-still
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1010

Summary
=======

The package libreoffice-still before version 6.2.6-1 is vulnerable to
multiple issues including arbitrary command execution and information
disclosure.

Resolution
==========

Upgrade to 6.2.6-1.

# pacman -Syu "libreoffice-still>=6.2.6-1"

The problems have been fixed upstream in version 6.2.6.

Workaround
==========

None.

Description
===========

- CVE-2019-9848 (arbitrary command execution)

An issue has been found in LibreOffice before 6.2.5, where documents
can specify that pre-installed scripts can be executed on various
document events such as mouse-over, etc. LibreOffice is typically also
bundled with LibreLogo, a programmable turtle vector graphics script,
which can be manipulated into executing arbitrary python commands. By
using the document event feature to trigger LibreLogo to execute python
contained within a document a malicious document could be constructed
which would execute arbitrary python commands silently without warning.
In the fixed versions, LibreLogo cannot be called from a document event
handler.

- CVE-2019-9849 (information disclosure)

LibreOffice has a 'stealth mode' in which only documents from locations
deemed 'trusted' are allowed to retrieve remote resources. This mode is
not the default mode, but can be enabled by users who want to disable
LibreOffice's ability to include remote resources within a document. A
flaw existed where bullet graphics were omitted from this protection
prior to version 6.2.5.

Impact
======

A remote attacker is able to execute arbitrary commands via a specially
crafted document or disclose bullet graphics from locations which
should be hidden when 'stealth mode' is enabled.

References
==========

https://security.archlinux.org/CVE-2019-9848
https://security.archlinux.org/CVE-2019-9849
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848
https://github.com/LibreOffice/core/commit/5d47b7b3f6a134037f1f3d8c018505244d7be484
https://github.com/LibreOffice/core/commit/3dd024a28a98a9d4b4efc3c7ec6acaa94d2b25fd
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849
https://security.archlinux.org/CVE-2019-9848
https://security.archlinux.org/CVE-2019-9849
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20190824/9ac5b9f3/attachment.sig>


More information about the arch-security mailing list