CVE-2018-16858: Directory traversal flaw in script execution

tl;dr: Fixed in 6.0.7 and 6.1.3

LibreOffice has a feature where documents can specify that pre-
installed macros can be executed on various document events such as
mouse-over, etc.

Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory
traversal attack where it was possible to craft a document which when
opened by LibreOffice would, when such common document events occur,
execute a python method from a script in any arbitrary file system
location, specified relative to the LibreOffice install location.

Typically LibreOffice is bundled with python, so an attacker has a set
of known scripts at a known relative file system location to work with.

In the 6.1 series, the problem was compounded by an additional feature
which enables specifying in the document arguments to pass to the
python method (Earlier series only allow a method to be called with no
argument). The bundled python happens to include a method which
executes via os.system one of its arguments, providing a simple route
in 6.1 to execute arbitrary commands via such a crafted document.

In the fixed versions, the relative directory flaw is fixed, and access
is restricted to scripts under the share/Scripts/python,
user/Scripts/python sub-directories of the LibreOffice install

Thanks to Alex Inführ for reporting this issue


-- 
To unsubscribe e-mail to: discuss+unsubscr...@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy

Reply via email to