1850226 – (CVE-2020-12802) CVE-2020-12802 libreoffice: 'stealth mode' remote resource restrictions bypass

Bug 1850226 (CVE-2020-12802) - CVE-2020-12802 libreoffice: 'stealth mode' remote resource restrictions bypass

Summary: CVE-2020-12802 libreoffice: 'stealth mode' remote resource restrictions bypass

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-12802
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1850227 1850855 1850856
Blocks:	1850229
TreeView+	depends on / blocked

Reported:	2020-06-23 18:51 UTC by Michael Kaplan
Modified:	2021-02-16 19:47 UTC (History)
CC List:	4 users (show)
Fixed In Version:	libreoffice 6.4.4
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-04 02:26:12 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4628	0	None	None	None	2020-11-04 02:29:41 UTC

Description Michael Kaplan 2020-06-23 18:51:13 UTC

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.

References:

https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802

Comment 1 Michael Kaplan 2020-06-23 18:51:28 UTC

Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1850227]

Comment 3 Huzaifa S. Sidhpurwala 2020-06-25 04:20:54 UTC

External References:

https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802

Comment 5 Product Security DevOps Team 2020-11-04 02:26:12 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12802

Comment 6 errata-xmlrpc 2020-11-04 02:29:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4628 https://access.redhat.com/errata/RHSA-2020:4628

Note You need to log in before you can comment on or make changes to this bug.