[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[tdf-discuss] security related information, CVE-2018-16858


CVE-2018-16858: Directory traversal flaw in script execution

tl;dr: Fixed in 6.0.7 and 6.1.3

LibreOffice has a feature where documents can specify that pre-
installed macros can be executed on various document events such as
mouse-over, etc.

Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory
traversal attack where it was possible to craft a document which when
opened by LibreOffice would, when such common document events occur,
execute a python method from a script in any arbitrary file system
location, specified relative to the LibreOffice install location.

Typically LibreOffice is bundled with python, so an attacker has a set
of known scripts at a known relative file system location to work with.

In the 6.1 series, the problem was compounded by an additional feature
which enables specifying in the document arguments to pass to the
python method (Earlier series only allow a method to be called with no
argument). The bundled python happens to include a method which
executes via os.system one of its arguments, providing a simple route
in 6.1 to execute arbitrary commands via such a crafted document.

In the fixed versions, the relative directory flaw is fixed, and access
is restricted to scripts under the share/Scripts/python,
user/Scripts/python sub-directories of the LibreOffice install

Thanks to Alex Inführ for reporting this issue


--
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.