Bug 1850226 (CVE-2020-12802) - CVE-2020-12802 libreoffice: 'stealth mode' remote resource restrictions bypass
Summary: CVE-2020-12802 libreoffice: 'stealth mode' remote resource restrictions bypass
Alias: CVE-2020-12802
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1850227 1850855 1850856
Blocks: 1850229
TreeView+ depends on / blocked
Reported: 2020-06-23 18:51 UTC by Michael Kaplan
Modified: 2020-11-04 02:29 UTC (History)
4 users (show)

Fixed In Version: libreoffice 6.4.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-11-04 02:26:12 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4628 None None None 2020-11-04 02:29:41 UTC

Description Michael Kaplan 2020-06-23 18:51:13 UTC
LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.



Comment 1 Michael Kaplan 2020-06-23 18:51:28 UTC
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1850227]

Comment 3 Huzaifa S. Sidhpurwala 2020-06-25 04:20:54 UTC
External References:


Comment 5 Product Security DevOps Team 2020-11-04 02:26:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 6 errata-xmlrpc 2020-11-04 02:29:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4628 https://access.redhat.com/errata/RHSA-2020:4628

Note You need to log in before you can comment on or make changes to this bug.