Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 647186 (CVE-2018-6871) - <app-office/libreoffice-5.4.5.1 and <6.0.1.1: Remote arbitrary file disclosure vulnerability via WEBSERVICE formula (CVE-2018-6871)
Summary: <app-office/libreoffice-5.4.5.1 and <6.0.1.1: Remote arbitrary file disclosur...
Status: RESOLVED FIXED
Alias: CVE-2018-6871
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.libreoffice.org/about-us/...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-09 22:59 UTC by Viktor Levin
Modified: 2018-02-20 01:01 UTC (History)
2 users (show)

See Also:
Package list:
app-office/libreoffice-5.4.5.1 app-office/libreoffice-l10n-5.4.5.1 app-office/libreoffice-bin-5.4.5.1 app-office/libreoffice-bin-debug-5.4.5.1
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Jonas Stein gentoo-dev 2018-02-09 23:49:46 UTC 
https://www.libreoffice.org/about-us/security/advisories/cve-2018-1055
writes:

-------8<----------------------------------------------------------------
LibreOffice Calc supports a WEBSERVICE function to obtain data by URL. Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL (e.g file://) which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can operate on that inserted data and construct a remote URL whose path leaks the local data to a remote attacker.

In later versions of LibreOffice without this flaw, WEBSERVICE has now been limited to accessing http and https URLs along with bringing WEBSERVICE URLs under LibreOffice Calc's link management infrastructure.


All users are recommended to upgrade to LibreOffice >= 5.4.5 or >= 6.0.1

Thanks to Ronnie Goodrich and Andrew Krasichkov for discovering this flaw.
Comment 2 Andreas Sturmlechner gentoo-dev 2018-02-10 12:10:04 UTC 
5.4.5.1 will be our next stable candidate, higher versions currently available in tree are already unaffected.
Comment 3 Andreas Sturmlechner gentoo-dev 2018-02-12 15:52:10 UTC 
*bin is ready, so let's add arches.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-12 21:38:05 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2018-02-16 11:41:27 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Larry the Git Cow gentoo-dev 2018-02-16 11:58:59 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a883ab4e6e328652f5f15203ef38985966cceab

commit 6a883ab4e6e328652f5f15203ef38985966cceab
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-02-16 11:57:36 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-02-16 11:58:42 +0000

    app-office/libreoffice*: Cleanup vulnerable 5.4.4.2
    
    Bug: https://bugs.gentoo.org/647186
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-office/libreoffice-bin-debug/Manifest          |  12 -
 .../libreoffice-bin-debug-5.4.4.2.ebuild           |  87 ----
 .../libreoffice-bin/libreoffice-bin-5.4.4.2.ebuild | 255 ---------
 .../libreoffice-l10n-5.4.4.2.ebuild                |  88 ----
 app-office/libreoffice/libreoffice-5.4.4.2.ebuild  | 579 ---------------------
 5 files changed, 1021 deletions(-)}
Comment 7 Andreas Sturmlechner gentoo-dev 2018-02-16 18:31:30 UTC 
^ cleanup was done, office out.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-20 00:29:36 UTC 
New GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2018-02-20 01:01:00 UTC 
This issue was resolved and addressed in
 GLSA 201802-06 at https://security.gentoo.org/glsa/201802-06
by GLSA coordinator Thomas Deutschmann (whissi).