Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 677248 (CVE-2018-16858) - <app-office/openoffice-bin-4.1.7: code execution vuln via python scripts (CVE-2018-16858)
Summary: <app-office/openoffice-bin-4.1.7: code execution vuln via python scripts (CVE...
Status: RESOLVED FIXED
Alias: CVE-2018-16858
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://insert-script.blogspot.com/20...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2019-9853
  Show dependency tree
 
Reported: 2019-02-04 13:41 UTC by Hanno Böck
Modified: 2020-03-20 04:10 UTC (History)
1 user (show)

See Also:
Package list:
app-office/openoffice-bin-4.1.7
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2019-02-04 13:41:44 UTC
See
https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html

There's a really bad vulnerability, it affects both libre+openoffice, but for libreoffice it's been fixed in november and all versions affected have as far as I can see already left the gentoo tree.

For openoffice it's unfixed as of the current upstream version.

Maybe this is a good time to say goodbye to openoffice?
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-02-05 12:21:15 UTC
From the linked report:

---
Vulnerable:
Openoffice: 4.1.6 (latest version)

I reconfirmed via email that I am allowed to publish the details of the vulnerability although openoffice is still unpatched. Openoffice does not allow to pass parameters therefore my PoC does not work but the path traversal can be abused to execute a python script from another location on the local file system.
To disable the support for python the pythonscript.py in the installation folder can be either removed or renamed (example on linux /opt/openoffice4/program/pythonscript.py)
---

So it seems that there is a possible mitigation to this bug.

(In reply to Hanno Boeck from comment #0)
> Maybe this is a good time to say goodbye to openoffice?
Why? I see no problem having vulnerable packages in the tree, as long as they are p.masked so unsuspecting users don't install them.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-29 23:18:14 UTC
(In reply to Chí-Thanh Christopher Nguyễn from comment #1)
> From the linked report:
> 
> ---
> Vulnerable:
> Openoffice: 4.1.6 (latest version)
> 
> I reconfirmed via email that I am allowed to publish the details of the
> vulnerability although openoffice is still unpatched. Openoffice does not
> allow to pass parameters therefore my PoC does not work but the path
> traversal can be abused to execute a python script from another location on
> the local file system.
> To disable the support for python the pythonscript.py in the installation
> folder can be either removed or renamed (example on linux
> /opt/openoffice4/program/pythonscript.py)
> ---
> 
> So it seems that there is a possible mitigation to this bug.
> 
> (In reply to Hanno Boeck from comment #0)
> > Maybe this is a good time to say goodbye to openoffice?
> Why? I see no problem having vulnerable packages in the tree, as long as
> they are p.masked so unsuspecting users don't install them.

So, you want to p.mask this or what?
Comment 3 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-03-29 23:57:21 UTC
After discussion with upstream at CLT 2019, I think the best way to go forward is to not install the pythonscript.py file.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-30 00:02:53 UTC
(In reply to Chí-Thanh Christopher Nguyễn from comment #3)
> After discussion with upstream at CLT 2019, I think the best way to go
> forward is to not install the pythonscript.py file.

Ok, so you will revbump and we can stable from there?
Comment 5 Larry the Git Cow gentoo-dev 2019-10-18 11:55:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=625ae773f5aca1a8a4ec3060712400bae0212f74

commit 625ae773f5aca1a8a4ec3060712400bae0212f74
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2019-10-18 11:55:16 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2019-10-18 11:55:16 +0000

    app-office/openoffice-bin: bump to 4.1.7, address security vulnerability
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=677248
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=695358
    Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
    Package-Manager: Portage-2.3.76, Repoman-2.3.16

 app-office/openoffice-bin/Manifest                 |  80 +++++++++
 .../openoffice-bin/openoffice-bin-4.1.7.ebuild     | 193 +++++++++++++++++++++
 2 files changed, 273 insertions(+)
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-10-18 11:57:55 UTC
Arches, please stabilize app-office/openoffice-bin-4.1.7
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-21 12:14:32 UTC
amd64 stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2019-10-21 12:32:01 UTC
x86 stable
Comment 9 Larry the Git Cow gentoo-dev 2019-10-24 05:53:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e2dd43b77d92aefb0df825c6b500468cf7bdcec

commit 2e2dd43b77d92aefb0df825c6b500468cf7bdcec
Author:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
AuthorDate: 2019-10-24 05:53:22 +0000
Commit:     Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
CommitDate: 2019-10-24 05:53:22 +0000

    app-office/openoffice-bin: remove vulnerable version
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=677248
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=695358
    Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org>

 app-office/openoffice-bin/Manifest                 |  80 ---------
 .../openoffice-bin/openoffice-bin-4.1.6.ebuild     | 183 ---------------------
 2 files changed, 263 deletions(-)
Comment 10 Sam James archtester gentoo-dev Security 2020-03-20 00:57:44 UTC
Tree is clean.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2020-03-20 04:10:03 UTC
Arches and Maintainer(s), Thank you for your work.