LibreOffice has a feature that lets a document specify pre-installed scripts to be executed on various document events, such as mouse-over. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands. By using the document event feature to trigger LibreLogo to execute Python contained within a document, a malicious document could be constructed that would execute arbitrary Python commands silently, without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions before 6.2.5.
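As an added example (not code from the page or from LibreOffice), a Python check a defender can run over an ODT package: it unzips the document, lists every ODF script event listener it finds, and flags those whose script URI names LibreLogo, which is the trigger path the description above says the fix closes. The ODF element and namespace names are the standard ones; the sample document is constructed inline, and the bundled-script URI form is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Standard ODF 1.2 namespaces; script event listeners live in the "script" namespace.
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
# A script URI naming the LibreLogo module is the trigger the advisory describes.
LIBRELOGO = re.compile(r"librelogo", re.IGNORECASE)

def find_event_script_bindings(odt_bytes):
    """Return (package part, event name, script URI) for every script event listener."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in sorted({"content.xml", "styles.xml"} & set(zf.namelist())):
            root = ET.fromstring(zf.read(part))
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                href = el.get(f"{{{XLINK_NS}}}href", "")
                findings.append((part, event, href))
    return findings

def librelogo_event_triggers(odt_bytes):
    """Keep only the listeners whose script URI points at LibreLogo."""
    return [f for f in find_event_script_bindings(odt_bytes) if LIBRELOGO.search(f[2])]

def build_sample_odt(href, event="dom:mouseover"):
    """Constructed minimal ODT (not a real document): one hyperlink with one event listener."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{OFFICE_NS}" xmlns:text="{TEXT_NS}" '
        f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}"><office:body><office:text>'
        '<text:p><text:a xlink:href="#" xlink:type="simple"><office:event-listeners>'
        f'<script:event-listener script:event-name="{event}" script:language="ooo:script" '
        f'xlink:href="{escape(href)}" xlink:type="simple"/></office:event-listeners>'
        'hover me</text:a></text:p></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()

# Script URI form LibreOffice uses for bundled Python scripts (assumption, not stated on the page).
LOGO_URI = "vnd.sun.star.script:LibreLogo|LibreLogo.py$run?language=Python&location=share"
```

Running `librelogo_event_triggers(build_sample_odt(LOGO_URI))` reports the single mouse-over binding; a document whose listeners point at ordinary document-local Basic macros is listed by `find_event_script_bindings` but not flagged.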
| Vulnerable Product |
|---|
| libreoffice libreoffice |
| canonical ubuntu linux 16.04 |
| canonical ubuntu linux 18.04 |
| canonical ubuntu linux 19.04 |
| fedoraproject fedora 29 |
| fedoraproject fedora 30 |
| debian debian linux 8.0 |
| opensuse leap 15.0 |
| opensuse leap 15.1 |
Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't
When is a macro not a macro? When it comes with the product, apparently
Interview The Document Foundation, custodian of LibreOffice, has defended the suite's security after attempts to patch a code execution flaw turned out to be "partial". "So far in the story of LibreOffice we have been able to patch all security issues before they reached the end user," a spokesperson told The Reg. "For this last one we have a patch for version 6.2.5 which is unfortunately partial because there are other ways to trigger the vulnerability. This is going to be patched in version 6....
LibreOffice 6.3 hits beta, with built-in redaction tool for sharing those █████ documents
Remove LibreLogo immediately
Updated See our note below: LibreOffice version 6.2.5, which was supposed to patch the macro security hole, is still vulnerable, and exploit code is now available. Disable LibreLogo immediately if it is present and enabled in your build of LibreOffice. Our amended article follows. The Document Foundation said on Tuesday that it had recently patched LibreOffice, its open-source office suite, to fix* an issue where documents can be configured to run macros silently on opening. The code execution v...