[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[tdf-discuss] security related information, CVE-2019-9854, CVE-2019-9855


td;dr: Upgrade to 6.2.7 or 6.3.1

CVE-2019-9854 Unsafe URL assembly flaw in allowed script location check

Protection was added to address CVE-2019-9852, to avoid a directory
traversal attack where scripts in arbitrary locations on the file
system could be executed by employing a URL encoding attack to defeat
the path verification step.

However this protection could be bypassed by taking advantage of a flaw
in how LibreOffice assembled the final script URL location directly
from components of the passed in path as opposed to solely from the
sanitized output of the path verification step.

This flaw is fixed in 6.2.7 and 6.3.1

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854

---

CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows
LibreLogo script execution

When the execution of LibreLogo from scripts was blocked we didn't take
into account that, under Windows, file names longer than eight
characters can be addressed via a compatibility 8.3 filename which
wasn't blocked.

Such paths are now rejected in 6.2.7 and 6.3.1

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9855

---

Another change in 6.2.7 and 6.3.1 is that now documents that contain a
call to a script are treated similarly to those that contain macros.

So documents that call a built in shared script in some way will
present the same warning dialog as documents that contain macros.

Shared built-in scripts are demoted from their trusted position and
their execution is controlled under the standard macro execution rules.


--
To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.