Date:
prev next ·
Thread:
first prev next last
CVE-2018-16858: Directory traversal flaw in script execution
tl;dr: Fixed in 6.0.7 and 6.1.3
LibreOffice has a feature where documents can specify that pre-
installed macros can be executed on various document events such as
mouse-over, etc.
Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory
traversal attack where it was possible to craft a document which when
opened by LibreOffice would, when such common document events occur,
execute a python method from a script in any arbitrary file system
location, specified relative to the LibreOffice install location.
Typically LibreOffice is bundled with python, so an attacker has a set
of known scripts at a known relative file system location to work with.
In the 6.1 series, the problem was compounded by an additional feature
which enables specifying in the document arguments to pass to the
python method (Earlier series only allow a method to be called with no
argument). The bundled python happens to include a method which
executes via os.system one of its arguments, providing a simple route
in 6.1 to execute arbitrary commands via such a crafted document.
In the fixed versions, the relative directory flaw is fixed, and access
is restricted to scripts under the share/Scripts/python,
user/Scripts/python sub-directories of the LibreOffice install
Thanks to Alex Inführ for reporting this issue
--
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy
Context
- [tdf-discuss] security related information, CVE-2018-16858 · Caolán McNamara
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.