Bug 887416 (CVE-2012-5639)

Summary: CVE-2012-5639 LibreOffice / OpenOffice: automatic opening of embedded external data
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: caolanm, dtardon, erack, extras-orphan, fweimer, jgrulich, mstahl, sbergman
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20121213,reported=20121213,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,fedora-all/openoffice.org=affected,fedora-all/libreoffice=affected,rhel-5/openoffice.org=affected,rhel-6/openoffice.org=affected,rhel-6/libreoffice=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-16 09:05:26 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 887419, 887420    
Bug Blocks: 887417    

Description Kurt Seifried 2012-12-14 19:55:31 EST
Timo Warns (Warns@Pre-Sense.DE) reported publicly that OpenOffice and
LibreOffice (as well as other Office Suites) fail to appropriately warn users
when a file with embedded content is opened. Additionally it is not possible
to disable the opening of embedded content within files. This can be used to
add tracking behavior to files or to deliver additional files that can
potentially exploit other security issues when parsed to the user.
Additionally if the file is converted (e.g. to a PDF) and then saved the
converted file may contain a direct copy of the embedded data, thus if
something sensitive if referenced (such as ~/.ssh/id_rsa) this information may
then be exposed if the resulting file is shared.
Comment 1 Kurt Seifried 2012-12-14 20:04:36 EST
Created libreoffice tracking bugs for this issue

Affects: fedora-all [bug 887420]
Comment 2 Kurt Seifried 2012-12-14 20:04:39 EST
Created openoffice.org tracking bugs for this issue

Affects: fedora-all [bug 887419]
Comment 4 Caolan McNamara 2012-12-18 06:35:23 EST
We have various existing security options under tools->options->security->options and tools->options-security->macro security. It's plausible to e.g. extend these options with additional ones like "warn if saving files/creating pdfs if contents of externally linked data will be saved/printed to destination".

It's also plausible to attempt to map/follow the macro security concept of trusted sources and low to very high levels to some additional "only allow data to be automatically fetched from links" at low levels of security. Though IMO the default would probably have to be to allow links to at the very least the local filesystem by default for linked graphics, linked videos, master documents etc.

But its not particularly easy or quick to implement these. Especially if we want to be able to control access to local resources.