Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 728964 (CVE-2020-12802, CVE-2020-12803)

Summary: <app-office/libreoffice{,-bin}-6.4.5.2: Multiple vulnerabilities (CVE-2020-{12802,12803})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mattst88
Priority: Normal Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=735824
https://bugs.gentoo.org/show_bug.cgi?id=736904
Whiteboard: B4 [noglsa cve]
Package list:
app-text/libnumbertext-1.0.6 app-text/libwps-0.4.12 app-office/libreoffice-6.4.6.2-r2 amd64 x86 app-office/libreoffice-l10n-6.4.6.2 amd64 x86 app-office/libreoffice-bin-6.4.6.2-r2 amd64 x86 app-office/libreoffice-bin-debug-6.4.6.2-r2 amd64 x86
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-21 00:44:28 UTC
* CVE-2020-12802

Description:
"LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4."

Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2020-12802/

* CVE-2020-12803

Description:
"ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form data can be submitted to a URI, for example, to an external web server. To create submittable forms, ODF implements the XForms W3C standard, which allows data to be submitted without the need for macros or other active scripting

Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files. User-interaction is required to submit the form, but to avoid the possibility of malicious documents engineered to maximize the possibility of inadvertent user submission this feature has now been limited to http[s] URIs, removing the possibility to overwrite local files."

Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2020-12803/
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-21 00:45:34 UTC
@maintainer(s), -bin needs bump to 6.4.4.x, and then we need to stable both.
Comment 2 Andreas Sturmlechner gentoo-dev 2020-06-21 08:45:25 UTC
I think we will use this to stabilise upcoming 6.4.5.2 (scheduled in near future).
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-23 14:48:43 UTC
(In reply to Andreas Sturmlechner from comment #2)
> I think we will use this to stabilise upcoming 6.4.5.2 (scheduled in near
> future).

ping
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-21 10:02:01 UTC
ping
Comment 5 Matt Turner gentoo-dev 2020-08-23 17:59:58 UTC
Did you mean to add CC-ARCHES here? You suggested handling this bug at the same time as bug 735824 but you only added CC-ARCHES to one.

ALSO: PLEASE STOP DOING THESE STABILIZATIONS IN SEPARATE BUGS
Comment 6 Andreas Sturmlechner gentoo-dev 2020-08-23 18:02:16 UTC
No, libreoffice-bin was not ready and I was not going to wait forever.

No need for capitals at all.
Comment 7 Matt Turner gentoo-dev 2020-08-23 18:11:32 UTC
This is super frustrating and this is not the first time this has happened.

What did we gain by stabilizing poppler a few days ahead of libreoffice?
Comment 8 Andreas Sturmlechner gentoo-dev 2020-08-23 18:14:08 UTC
I don't know how many more days it will take but we can wait a few weeks more if you insist. Frankly, I don't think building LO is a massive problem these days and IUSE="pdfimport" is not enabled by default.
Comment 9 NATTkA bot gentoo-dev 2020-09-08 18:13:02 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2020-09-08 18:17:58 UTC Comment hidden (obsolete)
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2020-09-12 23:09:10 UTC
Sorry about the long delay. libreoffice-bin bumped.
Comment 12 NATTkA bot gentoo-dev 2020-09-12 23:13:16 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2020-09-13 11:17:56 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2020-09-13 13:12:55 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2020-09-20 19:17:43 UTC Comment hidden (obsolete)
Comment 16 Andreas K. Hüttel archtester gentoo-dev 2020-09-26 10:55:20 UTC
Need -r2 to fix the blocker. Please wait for -bin ...
Comment 17 NATTkA bot gentoo-dev 2020-09-26 10:57:55 UTC Comment hidden (obsolete)
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-29 19:10:07 UTC
arm64 done
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 00:31:58 UTC
amd64 done
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2020-10-18 15:12:20 UTC
x86 stable
Comment 21 Larry the Git Cow gentoo-dev 2020-10-18 15:47:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d4acccad2600018982de94c0bc1acd20a83a224

commit 0d4acccad2600018982de94c0bc1acd20a83a224
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-18 15:33:27 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-18 15:44:15 +0000

    app-office/libreoffice-bin-debug: Cleanup vulnerable 6.4.3.2
    
    Bug: https://bugs.gentoo.org/728964
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice-bin-debug/Manifest          | 12 ---
 .../libreoffice-bin-debug-6.4.3.2.ebuild           | 87 ----------------------
 2 files changed, 99 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5e24dd6faf950f372c48e7fc5d23ea5f1cae24e

commit b5e24dd6faf950f372c48e7fc5d23ea5f1cae24e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-18 15:33:23 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-18 15:44:15 +0000

    app-office/libreoffice-bin: Cleanup vulnerable 6.4.3.2
    
    Bug: https://bugs.gentoo.org/728964
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice-bin/Manifest                |  12 -
 .../libreoffice-bin/libreoffice-bin-6.4.3.2.ebuild | 252 ---------------------
 2 files changed, 264 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e01a518767238c5bb27c09d9c9022e8439f0f329

commit e01a518767238c5bb27c09d9c9022e8439f0f329
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-18 15:33:10 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-18 15:44:14 +0000

    app-office/libreoffice-l10n: Cleanup vulnerable 6.4.3.2
    
    Bug: https://bugs.gentoo.org/728964
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice-l10n/Manifest               | 168 ---------------------
 .../libreoffice-l10n-6.4.3.2.ebuild                |  91 -----------
 2 files changed, 259 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29dba40a563b54381db7114c75187ebcae326272

commit 29dba40a563b54381db7114c75187ebcae326272
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-18 15:33:04 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-18 15:44:14 +0000

    app-office/libreoffice: Cleanup vulnerable 6.4.3.2
    
    Bug: https://bugs.gentoo.org/728964
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-office/libreoffice/Manifest                   |   2 -
 app-office/libreoffice/libreoffice-6.4.3.2.ebuild | 551 ----------------------
 2 files changed, 553 deletions(-)
Comment 22 Andreas K. Hüttel archtester gentoo-dev 2020-12-10 19:01:23 UTC
Nothing to do for @office here anymore
Comment 23 NATTkA bot gentoo-dev 2020-12-12 22:01:51 UTC
Unable to check for sanity:

> no match for package: app-office/libreoffice-6.4.6.2-r2