Bug 887416 (CVE-2012-5639)
Summary: | CVE-2012-5639 LibreOffice / OpenOffice: automatic opening of embedded external data | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | caolanm, dtardon, erack, extras-orphan, fweimer, jgrulich, sbergman |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-19 21:58:01 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 887419, 887420 | ||
Bug Blocks: | 887417 |
Description
Kurt Seifried
2012-12-15 00:55:31 UTC
Created libreoffice tracking bugs for this issue Affects: fedora-all [bug 887420] Created openoffice.org tracking bugs for this issue Affects: fedora-all [bug 887419] We have various existing security options under tools->options->security->options and tools->options-security->macro security. It's plausible to e.g. extend these options with additional ones like "warn if saving files/creating pdfs if contents of externally linked data will be saved/printed to destination". It's also plausible to attempt to map/follow the macro security concept of trusted sources and low to very high levels to some additional "only allow data to be automatically fetched from links" at low levels of security. Though IMO the default would probably have to be to allow links to at the very least the local filesystem by default for linked graphics, linked videos, master documents etc. But its not particularly easy or quick to implement these. Especially if we want to be able to control access to local resources. |