td;dr: Upgrade to 6.2.7 or 6.3.1 CVE-2019-9854 Unsafe URL assembly flaw in allowed script location check
Protection was added to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This flaw is fixed in 6.2.7 and 6.3.1 https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854 --- CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution When the execution of LibreLogo from scripts was blocked we didn't take into account that, under Windows, file names longer than eight characters can be addressed via a compatibility 8.3 filename which wasn't blocked. Such paths are now rejected in 6.2.7 and 6.3.1 https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9855 --- Another change in 6.2.7 and 6.3.1 is that now documents that contain a call to a script are treated similarly to those that contain macros. So documents that call a built in shared script in some way will present the same warning dialog as documents that contain macros. Shared built-in scripts are demoted from their trusted position and their execution is controlled under the standard macro execution rules. -- To unsubscribe e-mail to: discuss+unsubscr...@documentfoundation.org Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette List archive: https://listarchives.documentfoundation.org/www/discuss/ Privacy Policy: https://www.documentfoundation.org/privacy