Bug 1649841 (CVE-2018-16858)

Summary: CVE-2018-16858 libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: caolanm, dtardon, erack, huzaifas, msiddiqu, mthacker, sbergman, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreoffice 6.0.7, libreoffice 6.1.3 Doc Type: If docs needed, set a value
Doc Text:
It was found that libreoffice was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-08 19:18:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1672002, 1672003, 1672004, 1743475    
Bug Blocks: 1649844    

Description Pedro Sampaio 2018-11-14 15:50:45 UTC 
A flaw was found in libreoffice. If a document does not contain macros/scripts, but references a pre-installed macro/script execution of those macros/scripts, execution is allowed without warning bypassing normal behavior.
Comment 1 Huzaifa S. Sidhpurwala 2018-11-21 08:03:05 UTC 
Acknowledgments:

Name: The LibreOffice project
Upstream: Alex Inführ
Comment 2 Huzaifa S. Sidhpurwala 2018-11-21 09:47:44 UTC 
In versions of libreoffice shipped with Red Hat Enterprise Linux 6 and 7, arbitrary arguements cannot be passed to the scripts/macros, hence meaningful exploitation is difficult.
Comment 3 Huzaifa S. Sidhpurwala 2019-02-03 03:35:33 UTC 
External References:

https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/
Comment 4 Huzaifa S. Sidhpurwala 2019-02-03 03:35:51 UTC 
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1672002]
Comment 6 errata-xmlrpc 2019-08-06 12:18:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2130 https://access.redhat.com/errata/RHSA-2019:2130
Comment 7 Product Security DevOps Team 2019-08-08 19:18:17 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16858
Comment 9 msiddiqu 2019-08-16 17:57:32 UTC 
@Huzaifa ^^