Bug 1737427 (CVE-2019-9848) - CVE-2019-9848 libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands
Summary: CVE-2019-9848 libreoffice: LibreLogo script can be manipulated into executing...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9848
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1737428 1743962
Blocks: 1737430
TreeView+ depends on / blocked
 
Reported: 2019-08-05 11:05 UTC by Marian Rehak
Modified: 2020-03-31 22:35 UTC (History)
5 users (show)

Fixed In Version: libreoffice 6.2.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 22:35:20 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1151 None None None 2020-03-31 19:28:25 UTC

Description Marian Rehak 2019-08-05 11:05:47 UTC
LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

External References:

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848

Comment 1 Marian Rehak 2019-08-05 11:05:57 UTC
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1737428]

Comment 2 Huzaifa S. Sidhpurwala 2019-08-21 05:10:26 UTC
Analysis:

Basically a flaw in librelogo which is a "a programmable turtle vector graphics script" shipped with libreoffice. Document events like mouse click etc can be used to trigger user inserted librelogo scripts. A malicious document could be constructed which would execute arbitrary python commands silently without warning.

The patch basically disallows librelogo scripts to be called from document event handler.

Comment 4 errata-xmlrpc 2020-03-31 19:28:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1151 https://access.redhat.com/errata/RHSA-2020:1151

Comment 5 Product Security DevOps Team 2020-03-31 22:35:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9848


Note You need to log in before you can comment on or make changes to this bug.