On 7/31/19 10:14 PM, Ken Moffat via blfs-dev wrote:
I was going to raise a ticket for this, but I can't see how to
compile libreoffice without the errant item.
Apparently, someone thought that including a 'Logo' toolbar for
turtle graphics to invoke interactive Python would be a good idea.
CVE-2019-9848 and -9849 were supposedly fixed in 6.2.5 (pwned by
opening a crafted document), but there are reports that
CVE-2019-9848 is not fixed:
https://thehackernews.com/2019/07/libreoffice-vulnerability.html
Discovered by Nils Emmerich, the flaw could allow an attacker to
craft a malicious document that can silently execute arbitrary
python commands without displaying any warning to a targeted user.
"The big problem here is that the code is not translated well and
just supplying python code as the script code often results in the
same code after translation," Emmerich said.
"Using forms and OnFocus event, it is even possible to get code
execution when the document is opened, without the need for a
mouse-over event."
There is a link to a (windows) PoC at
https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/
which appears to require an existing macro called 'Run' to invoke
LibreLogo. But I know nothing about LO macros and have not managed
to get anything like this working (on 6.2.3.2 which is definitely
listed as vulnerable - but I spent no more than 2 minutes on it!).
It looks as if the toolbar comes from
/usr/lib/libreoffice/share/registry/librelogo.xcd - removing that
and using View - Toolbars in Writer removes the Logo toolbar from
the list of available toolbars. But since I can't run the PoC I
don't know if that is a sufficient solution.
At the moment I have not managed to find any configure option to
disable this. In binary installs on windows it can be deselected,
and apparently debian (older version) makes this a separate package
- but that is probably a packaging decision.
Hmm, possible salvation for me, but not for the BLFS build:
In the comments at the register,
https://forums.theregister.co.uk/forum/all/2019/07/30/libreoffice_macro_vulnerability/
'John Brown (no body)' suggested that a port (possibly on 'buntu
or mint) has Java support turned off by default, so no macros, XML
filters or DB connections. If true, I'm safe (I add --without-java)
but the BLFS build isn't.
Here's another reference (no twitter account required to view):
https://twitter.com/insertScript/status/1154651214543511558
There might be a way that we can disable Macro support in general for
6.2.5, but I'm not certain at the moment. If I have some spare cycles
that aren't consumed with JDK, I'll take a look.
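Since the thread above cannot confirm whether dropping librelogo.xcd is sufficient, a defender can at least inspect incoming documents for the vector Ken describes: script event bindings (form/OnFocus listeners) that point at a Python script. The following scanner is an added example written for this thread, not code from BLFS or LibreOffice; it assumes ODF stores macro bindings as `script:event-listener` elements whose `xlink:href` uses the `vnd.sun.star.script:` URI scheme, and the sample document it builds is constructed here with placeholder script names.

```python
"""Scan an ODF document (.odt/.ods/...) for embedded script event bindings.
Added example for the blfs-dev thread, not LibreOffice or BLFS code.
Assumption: ODF keeps macro bindings in <script:event-listener> elements
whose xlink:href starts with "vnd.sun.star.script:"."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
# ODF parts that may carry event listeners for forms, frames or the document.
PARTS = ("content.xml", "styles.xml", "settings.xml")


def find_script_bindings(odf_bytes):
    """Return (part, event_name, href) for every script event listener found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter("{%s}event-listener" % SCRIPT_NS):
                href = el.get("{%s}href" % XLINK_NS, "")
                if href.startswith("vnd.sun.star.script:"):
                    hits.append((part, el.get("{%s}event-name" % SCRIPT_NS, ""), href))
    return hits


def is_suspicious(odf_bytes):
    """Flag any document that binds an event to a Python script, the vector discussed."""
    return any("language=Python" in href for _, _, href in find_script_bindings(odf_bytes))


def build_sample(href):
    """Construct a minimal ODT with one focus-event listener (constructed sample,
    event name chosen for illustration; href is caller-supplied)."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:script="%s" xmlns:xlink="%s"><office:body><office:text>'
        '<script:event-listeners><script:event-listener script:event-name="form:focus" '
        'script:language="ooo:script" xlink:href="%s"/></script:event-listeners>'
        '</office:text></office:body></office:document-content>'
        % (SCRIPT_NS, XLINK_NS, escape(href, {'"': "&quot;"}))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

Running `find_script_bindings` over real documents lists every macro binding, so a Basic-only binding shows up in the inventory but only Python-backed bindings trip `is_suspicious`.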
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page