Summary: | <app-office/openoffice-bin-4.1.7: code execution vuln via python scripts (CVE-2018-16858) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | chithanh |
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: |
app-office/openoffice-bin-4.1.7
|
Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 695358 |
Description
Hanno Böck
2019-02-04 13:41:44 UTC
From the linked report: --- Vulnerable: Openoffice: 4.1.6 (latest version) I reconfirmed via email that I am allowed to publish the details of the vulnerability although openoffice is still unpatched. Openoffice does not allow to pass parameters therefore my PoC does not work but the path traversal can be abused to execute a python script from another location on the local file system. To disable the support for python the pythonscript.py in the installation folder can be either removed or renamed (example on linux /opt/openoffice4/program/pythonscript.py) --- So it seems that there is a possible mitigation to this bug. (In reply to Hanno Boeck from comment #0) > Maybe this is a good time to say goodbye to openoffice? Why? I see no problem having vulnerable packages in the tree, as long as they are p.masked so unsuspecting users don't install them. (In reply to Chí-Thanh Christopher Nguyễn from comment #1) > From the linked report: > > --- > Vulnerable: > Openoffice: 4.1.6 (latest version) > > I reconfirmed via email that I am allowed to publish the details of the > vulnerability although openoffice is still unpatched. Openoffice does not > allow to pass parameters therefore my PoC does not work but the path > traversal can be abused to execute a python script from another location on > the local file system. > To disable the support for python the pythonscript.py in the installation > folder can be either removed or renamed (example on linux > /opt/openoffice4/program/pythonscript.py) > --- > > So it seems that there is a possible mitigation to this bug. > > (In reply to Hanno Boeck from comment #0) > > Maybe this is a good time to say goodbye to openoffice? > Why? I see no problem having vulnerable packages in the tree, as long as > they are p.masked so unsuspecting users don't install them. So, you want to p.mask this or what? After discussion with upstream at CLT 2019, I think the best way to go forward is to not install the pythonscript.py file. (In reply to Chí-Thanh Christopher Nguyễn from comment #3) > After discussion with upstream at CLT 2019, I think the best way to go > forward is to not install the pythonscript.py file. Ok, so you will revbump and we can stable from there? The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=625ae773f5aca1a8a4ec3060712400bae0212f74 commit 625ae773f5aca1a8a4ec3060712400bae0212f74 Author: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> AuthorDate: 2019-10-18 11:55:16 +0000 Commit: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> CommitDate: 2019-10-18 11:55:16 +0000 app-office/openoffice-bin: bump to 4.1.7, address security vulnerability Bug: https://bugs.gentoo.org/show_bug.cgi?id=677248 Bug: https://bugs.gentoo.org/show_bug.cgi?id=695358 Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> Package-Manager: Portage-2.3.76, Repoman-2.3.16 app-office/openoffice-bin/Manifest | 80 +++++++++ .../openoffice-bin/openoffice-bin-4.1.7.ebuild | 193 +++++++++++++++++++++ 2 files changed, 273 insertions(+) Arches, please stabilize app-office/openoffice-bin-4.1.7 amd64 stable x86 stable The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e2dd43b77d92aefb0df825c6b500468cf7bdcec commit 2e2dd43b77d92aefb0df825c6b500468cf7bdcec Author: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> AuthorDate: 2019-10-24 05:53:22 +0000 Commit: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> CommitDate: 2019-10-24 05:53:22 +0000 app-office/openoffice-bin: remove vulnerable version Bug: https://bugs.gentoo.org/show_bug.cgi?id=677248 Bug: https://bugs.gentoo.org/show_bug.cgi?id=695358 Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> Package-Manager: Portage-2.3.76, Repoman-2.3.16 Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> app-office/openoffice-bin/Manifest | 80 --------- .../openoffice-bin/openoffice-bin-4.1.6.ebuild | 183 --------------------- 2 files changed, 263 deletions(-) Tree is clean. Arches and Maintainer(s), Thank you for your work. |