Date: prev next · Thread: first prev next last
2018 Archives by date, by thread · List index


tl/dr: upgrade to 5.4.5/6.0.1

CVE-2018-1055: Remote arbitrary file disclosure vulnerability via
WEBSERVICE formula

LibreOffice Calc supports a WEBSERVICE function to obtain data by URL.
Vulnerable versions of LibreOffice allow WEBSERVICE to take a local
file URL (e.g file://) which can be used to inject local files into the
spreadsheet without warning the user. Subsequent formulas can operate
on that inserted data and construct a remote URL whose path leaks the
local data to a remote attacker.

In later versions of LibreOffice without this flaw, WEBSERVICE has now
been limited to accessing http and https URLs along with bringing
WEBSERVICE URLs under LibreOffice Calc's link management
infrastructure.

All users are recommended to upgrade to LibreOffice >= 5.4.5 or >=
6.0.1

-- 
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be deleted

Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.