Bug 1848346 (CVE-2020-12803)

Summary: CVE-2020-12803 libreoffice: forms allowed to be submitted to any URI could result in local file overwrite
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: caolanm, dtardon, erack, sbergman
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreoffice 6.4.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:26:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1848347, 1848669, 1848670    
Bug Blocks: 1848348    

Description Marian Rehak 2020-06-18 08:11:36 UTC 
Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files.

Upstream Reference:

https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12803
Comment 1 Marian Rehak 2020-06-18 08:12:03 UTC 
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1848347]
Comment 2 Todd Cullum 2020-06-18 17:10:24 UTC 
Flaw Summary:
The Open Document Format (ODF) XForms support in LibreOffice allowed users to create W3C XForms[1] style forms and specify as the "form action," a local file with file:///filepathhere as a location to save form data. This allowed for specially crafted forms to be created which could overwrite/destroy local files on the system via social engineering. E.G. attacker creates a form which tricks the user into clicking a button that overwrites some valuable files on the local drive. There is no scope change and exploiting this flaw does require user interaction. Affects versions of LibreOffice before 6.4.4, including those shipped with Red Hat Enterprise Linux 6, 7 and 8. However, Red Hat Enterprise Linux 6 is out of support scope and will not be patched for this flaw.

1. https://wiki.documentfoundation.org/images/1/15/0215WG3-UsingFormsInWriter.pdf pg 25
Comment 4 Todd Cullum 2020-06-18 17:32:21 UTC 
Mitigation:

To mitigate this vulnerability, do not submit forms acquired from untrusted sources. Alternatively, use the LibreOffice XForms document editor to verify the location provided in the  "action" field of the submission section before submitting the form.
Comment 6 Todd Cullum 2020-06-18 18:16:18 UTC 
Upstream patch: https://github.com/LibreOffice/core/commit/28520676c22be8308d303d503238af220d99c2bd
Comment 8 Product Security DevOps Team 2020-11-04 02:26:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12803
Comment 9 errata-xmlrpc 2020-11-04 02:29:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4628 https://access.redhat.com/errata/RHSA-2020:4628