LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.
Created libreoffice tracking bugs for this issue:
Affects: fedora-all [bug 1737428]
Basically a flaw in librelogo which is a "a programmable turtle vector graphics script" shipped with libreoffice. Document events like mouse click etc can be used to trigger user inserted librelogo scripts. A malicious document could be constructed which would execute arbitrary python commands silently without warning.
The patch basically disallows librelogo scripts to be called from document event handler.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:1151 https://access.redhat.com/errata/RHSA-2020:1151
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):