MGASA-2019-0340 - Updated libreoffice packages fix security vulnerabilities

Publication date: 30 Nov 2019
URL: https://advisories.mageia.org/MGASA-2019-0340.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-9848,
     CVE-2019-9849,
     CVE-2019-9850,
     CVE-2019-9851,
     CVE-2019-9852,
     CVE-2019-9853,
     CVE-2019-9854

Updated libreoffice packages fix security vulnerabilities:

LibreOffice has a feature where documents can specify that pre-installed
scripts can be executed on various document events such as mouse-over, etc.
LibreOffice is typically also bundled with LibreLogo, a programmable turtle
vector graphics script, which can be manipulated into executing arbitrary
python commands. By using the document event feature to trigger LibreLogo
to execute python contained within a document a malicious document could be
constructed which would execute arbitrary python commands silently without
warning. In the fixed versions, LibreLogo cannot be called from a document
event handler (CVE-2019-9848).

LibreOffice has a 'stealth mode' in which only documents from locations
deemed 'trusted' are allowed to retrieve remote resources. This mode is
not the default mode, but can be enabled by users who want to disable
LibreOffice's ability to include remote resources within a document.
A flaw existed where bullet graphics were omitted from this protection
(CVE-2019-9849).

LibreOffice is typically bundled with LibreLogo, a programmable turtle
vector graphics script, which can execute arbitrary python commands
contained with  the document it is launched from. LibreOffice also has a
feature where documents can specify that pre-installed scripts can be
executed on various document script events such as mouse-over, etc.
Protection was added, to address CVE-2019-9848, to block calling LibreLogo
from script event handers. However an insufficient url validation
vulnerability in LibreOffice allowed malicious to bypass that protection
and again trigger calling LibreLogo from script event handlers(CVE-2019-9850).

LibreOffice is typically bundled with LibreLogo, a programmable turtle
vector graphics script, which can execute arbitrary python commands
contained with the document it is launched from. Protection was added, to
address CVE-2019-9848, to block calling LibreLogo from document event
script handers, e.g. mouse over. However LibreOffice also has a separate
feature where documents can specify that pre-installed scripts can be
executed on various global script events such as document-open, etc. In
the fixed versions, global script event handlers are validated equivalently
to document script event handlers (CVE-2019-9851).

LibreOffice has a feature where documents can specify that pre-installed
macros can be executed on various script events such as mouse-over,
document-open etc. Access is intended to be restricted to scripts under the
share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice
install. Protection was added, to address CVE-2018-16858, to avoid a
directory traversal attack where scripts in arbitrary locations on the file
system could be executed. However this new protection could be bypassed by
a URL encoding attack. In the fixed versions, the parsed url describing the
script location is correctly encoded before further processing
(CVE-2019-9852).

LibreOffice documents can contain macros. The execution of those macros is
controlled by the document security settings, typically execution of macros
are blocked by default. A URL decoding flaw existed in how the urls to the
macros within the document were processed and categorized, resulting in the
possibility to construct a document where macro execution bypassed the
security settings. The documents were correctly detected as containing
macros, and prompted the user to their existence within the documents, but
macros within the document were subsequently not controlled by the security
settings allowing arbitrary macro execution (CVE-2019-9853).

LibreOffice has a feature where documents can specify that pre-installed
macros can be executed on various script events such as mouse-over,
document-open etc. Access is intended to be restricted to scripts under the
share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice
install. Protection was added, to address CVE-2019-9852, to avoid a directory
traversal attack where scripts in arbitrary locations on the file system
could be executed by employing a URL encoding attack to defeat the path
verification step. However this protection could be bypassed by taking
advantage of a flaw in how LibreOffice assembled the final script URL
location directly from components of the passed in path as opposed to solely
from the sanitized output of the path verification step (CVE-2019-9854).

References:
- https://bugs.mageia.org/show_bug.cgi?id=25154
- https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848
- https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9848
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9849
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9850
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9851
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9852
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9853
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9854

SRPMS:
- 7/core/libreoffice-6.2.8.2-1.mga7

Mageia 2019-0340: libreoffice security update

Updated libreoffice packages fix security vulnerabilities: LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document eve...

Summary

Updated libreoffice packages fix security vulnerabilities:
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler (CVE-2019-9848).
LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection (CVE-2019-9849).
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers(CVE-2019-9850).
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers (CVE-2019-9851).
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing (CVE-2019-9852).
LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution (CVE-2019-9853).
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step (CVE-2019-9854).

References

- https://bugs.mageia.org/show_bug.cgi?id=25154

- https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848

- https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849

- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850/

- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851/

- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852/

- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/

- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9848

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9849

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9850

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9851

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9852

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9853

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9854

Resolution

MGASA-2019-0340 - Updated libreoffice packages fix security vulnerabilities

SRPMS

- 7/core/libreoffice-6.2.8.2-1.mga7

Severity
Publication date: 30 Nov 2019
URL: https://advisories.mageia.org/MGASA-2019-0340.html
Type: security
CVE: CVE-2019-9848, CVE-2019-9849, CVE-2019-9850, CVE-2019-9851, CVE-2019-9852, CVE-2019-9853, CVE-2019-9854

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved