Bug 1614165 (CVE-2018-14939)

Summary: CVE-2018-14939 libreoffice: Use of realpath() in desktop/unx/source/start.c:get_app_path() allows for potential buffer overflow
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: caolanm, dtardon, erack, sbergman
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-10 14:47:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1614167    

Description Sam Fowler 2018-08-09 06:28:36 UTC 
The get_app_path function in desktop/unx/source/start.c in LibreOffice through 6.0.5 mishandles the realpath function in certain environments such as FreeBSD libc, which might allow attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact if LibreOffice is automatically launched during web browsing with pathnames controlled by a remote web site.


Upstream Bug:

https://bugs.documentfoundation.org/show_bug.cgi?id=118514


Affected Code:

https://github.com/LibreOffice/core/blob/master/desktop/unx/source/start.c#L191
Comment 1 Sam Fowler 2018-08-09 06:29:21 UTC 
Related to CVE-2018-11236
Comment 2 Stephan Bergmann 2018-08-09 08:25:59 UTC 
For one, that get_app_path is only called with argv[0] of LO's oosplash helper executable (installed at /usr/lib.../libreoffice/program/oosplash, called during the LO start-up sequence).  So an attack would need launch that executable with a suitably long argv[0].  I don't see how that could happen "if LibreOffice is automatically launched during web browsing with pathnames controlled by a remote web site." (<https://nvd.nist.gov/vuln/detail/CVE-2018-14939>)

For another, I don't see how that get_app_path uses realpath(3) wrongly.  If there is an issue with the glibc implementation of realpath(3), as CVE-2018-11236 states, then it should be necessary and sufficient to fix the issue in glibc, and not in client code calling realpath(3), or am I missing something?
Comment 3 Adam Mariš 2018-08-10 14:47:53 UTC 
Neither do I see how can this cause buffer overflow on Linux. I also can't think of such attack scenario where a path name to oosplash can be controlled by remote web site.

For CVE-2018-11236, you're right, that's indeed a separate issue in realpath implementation that might get potentially triggered using this code, but that's out of scope of LO and this issue.
Comment 4 Adam Mariš 2018-08-10 14:48:02 UTC 
Statement:

This issue did not affect the versions of libreoffice as shipped with Red Hat Enterprise Linux 5, 6 and 7.