I was going to raise a ticket for this, but I can't see how to compile libreoffice without the errant item.
Apparently, someone thought that including a 'Logo' toolbar for turtle graphics to invoke interactive Python would be a good idea. CVE-2019-9848 and CVE-2019-9849 were supposedly fixed in 6.2.5 (pwned by opening a crafted document), but there are reports that CVE-2019-9848 is not fixed:

https://thehackernews.com/2019/07/libreoffice-vulnerability.html

    Discovered by Nils Emmerich, the flaw could allow an attacker to craft a malicious document that can silently execute arbitrary python commands without displaying any warning to a targeted user. "The big problem here is that the code is not translated well and just supplying python code as the script code often results in the same code after translation," Emmerich said. "Using forms and OnFocus event, it is even possible to get code execution when the document is opened, without the need for a mouse-over event."

There is a link to a (Windows) PoC at https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/ which appears to require an existing macro called 'Run' to invoke LibreLogo. But I know nothing about LO macros and have not managed to get anything like this working (on 6.2.3.2, which is definitely listed as vulnerable - but I spent no more than 2 minutes on it!).

It looks as if the toolbar comes from /usr/lib/libreoffice/share/registry/librelogo.xcd - removing that and using View - Toolbars in Writer removes the Logo toolbar from the list of available toolbars. But since I can't run the PoC I don't know if that is a sufficient solution.

At the moment I have not managed to find any configure option to disable this. In binary installs on Windows it can be deselected, and apparently Debian (older version) makes this a separate package - but that is probably a packaging decision.
Hmm, possible salvation for me, but not for the BLFS build: in the comments at The Register, https://forums.theregister.co.uk/forum/all/2019/07/30/libreoffice_macro_vulnerability/ 'John Brown (no body)' suggested that a port (possibly on 'buntu or Mint) has Java support turned off by default, so no macros, XML filters or DB connections. If true, I'm safe (I add --without-java) but the BLFS build isn't.

ĸen

-- 
One pill makes you larger, And one pill makes you small.
And the ones that mother gives you, Don't do anything at all.
Go ask Alice, When she's ten feet tall.
-- Jefferson Airplane, White Rabbit

-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
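As an added example (not part of Ken's post, and not LibreOffice project code), here is a small POSIX shell helper that audits a LibreOffice install prefix for the LibreLogo pieces and can move them aside reversibly rather than deleting them. The registry file share/registry/librelogo.xcd is the one named in the post; the share/Scripts/python/LibreLogo directory is an assumed location for the Python script that the Logo toolbar invokes. Moving only the .xcd aside removes the toolbar registration, and the post itself says it is unverified whether that alone is a sufficient mitigation, so the helper reports and disables the script directory as well.

```shell
#!/bin/sh
# Added example: audit a LibreOffice install tree for LibreLogo artifacts
# and optionally move them aside.  Not from the original post or project.
#
# Paths checked under PREFIX (e.g. /usr/lib/libreoffice or /opt/libreoffice6.2):
#   share/registry/librelogo.xcd       - toolbar registration named in the post
#   share/Scripts/python/LibreLogo     - ASSUMED location of the LibreLogo
#                                        Python script the toolbar invokes

# List the LibreLogo artifacts found under $1, one per line.
# Returns 0 if at least one was found, 1 if none.
librelogo_artifacts() {
    prefix=$1
    found=1
    for p in "$prefix/share/registry/librelogo.xcd" \
             "$prefix/share/Scripts/python/LibreLogo"; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
            found=0
        fi
    done
    return $found
}

# Rename each artifact to <path>.disabled so the change can be reverted
# with a plain mv.  Returns 0 if something was moved, 1 if nothing was there.
librelogo_disable() {
    prefix=$1
    rc=1
    for p in "$prefix/share/registry/librelogo.xcd" \
             "$prefix/share/Scripts/python/LibreLogo"; do
        if [ -e "$p" ] && [ ! -e "$p.disabled" ]; then
            mv "$p" "$p.disabled" && rc=0
        fi
    done
    return $rc
}

# Command-line use:  sh librelogo-check.sh PREFIX [--disable]
if [ -n "${1:-}" ]; then
    case ${2:-} in
        --disable) librelogo_disable "$1" ;;
        *) librelogo_artifacts "$1" || echo "no LibreLogo artifacts under $1" ;;
    esac
fi
```

Run it against the prefix your build installs into; if it lists the Scripts directory after the .xcd is gone, the interpreter entry point is still on disk even though the toolbar no longer shows in View - Toolbars.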
