Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 695536 (CVE-2019-9854)

Summary: <app-office/libreoffice{,-bin}-{6.2.7.1,6.3.1.2}: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor Flags: nattka: sanity-check-
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9854/
Whiteboard: B3 [noglsa cve]
Package list:
app-office/libreoffice-6.2.8.2 amd64 x86 app-office/libreoffice-l10n-6.2.8.2 amd64 x86 app-office/libreoffice-bin-6.2.8.2 amd64 x86 app-office/libreoffice-bin-debug-6.2.8.2 amd64 x86
 Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-09-24 12:17:49 UTC 
CVE-2019-9854 (https://nvd.nist.gov/vuln/detail/CVE-2019-9854):
  LibreOffice has a feature where documents can specify that pre-installed
  macros can be executed on various script events such as mouse-over,
  document-open etc. Access is intended to be restricted to scripts under the
  share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice
  install. Protection was added, to address CVE-2019-9852, to avoid a
  directory traversal attack where scripts in arbitrary locations on the file
  system could be executed by employing a URL encoding attack to defeat the
  path verification step. However this protection could be bypassed by taking
  advantage of a flaw in how LibreOffice assembled the final script URL
  location directly from components of the passed in path as opposed to solely
  from the sanitized output of the path verification step. This issue affects:
  Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions
  prior to 6.3.1.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-24 12:19:28 UTC 
@ maintainer(s): Please call for stabilization!
Comment 2 Andreas Sturmlechner gentoo-dev 2019-10-28 17:54:22 UTC 
*** Bug 698772 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Sturmlechner gentoo-dev 2019-10-29 09:25:23 UTC 
Arches please stabilise.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-31 23:51:24 UTC 
x86 stable
Comment 5 Piotr Karbowski (RETIRED) gentoo-dev 2019-11-01 22:35:14 UTC 
amd64 stable
Comment 6 Larry the Git Cow gentoo-dev 2019-11-02 15:23:10 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=597e61658604f7c3f3f74eb03d38d5a54d4e4fff

commit 597e61658604f7c3f3f74eb03d38d5a54d4e4fff
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-11-02 14:05:32 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-11-02 15:22:32 +0000

    app-office/libreoffice: Security cleanup
    
    Bug: https://bugs.gentoo.org/695536
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice/Manifest                   |   2 -
 app-office/libreoffice/libreoffice-6.2.5.2.ebuild | 553 ----------------------
 app-office/libreoffice/metadata.xml               |   1 -
 3 files changed, 556 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e87ca85c89afc4f49fd6027a73b344e5abb244b4

commit e87ca85c89afc4f49fd6027a73b344e5abb244b4
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-11-02 13:58:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-11-02 15:22:32 +0000

    app-office/libreoffice-bin: Security cleanup
    
    Bug: https://bugs.gentoo.org/695536
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice-bin/Manifest                |  12 -
 .../libreoffice-bin/libreoffice-bin-6.2.5.2.ebuild | 257 ---------------------
 2 files changed, 269 deletions(-)
Comment 7 Andreas Sturmlechner gentoo-dev 2019-11-07 09:23:07 UTC 
Cleanup done, in case no one noticed, office out.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 19:17:21 UTC 
Tree is clean!
Comment 9 NATTkA bot gentoo-dev 2020-04-06 15:06:17 UTC 
Unable to check for sanity:

> no match for package: app-office/libreoffice-6.2.8.2
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:58:10 UTC 
GLSA Vote: No
Thank you all for you work. 
Closing as [noglsa].