It was found that libreoffice was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.
A flaw was found in libreoffice. If a document does not contain macros/scripts, but references a pre-installed macro/script execution of those macros/scripts, execution is allowed without warning bypassing normal behavior.
Name: The LibreOffice project
Upstream: Alex Inführ
In versions of libreoffice shipped with Red Hat Enterprise Linux 6 and 7, arbitrary arguements cannot be passed to the scripts/macros, hence meaningful exploitation is difficult.
Created libreoffice tracking bugs for this issue:
Affects: fedora-all [bug 1672002]