security related information, CVE-2019-9848, CVE-2019-9849

Caolán McNamara

security related information, CVE-2019-9848, CVE-2019-9849

tl;dr: Upgrade to 6.2.5

CVE-2019-9848: LibreLogo arbitrary script execution

Prior to 6.2.5 it is possible to construct malicious documents which
can execute arbitrary Python silently if the LibreLogo script is
installed. LibreLogo is installed by default in the binary builds of
LibreOffice provided by The Document Foundation.

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848


CVE-2019-9849: remote bullet graphics retrieved in 'stealth mode'

LibreOffice has a 'stealth mode' in which only documents from locations
deemed 'trusted' are allowed to retrieve remote resources. This mode is
not the default mode, but can be enabled by users who want to disable
LibreOffice's ability to include remote resources within a document. A
flaw existed where bullet graphics were omitted from this protection
prior to version 6.2.5. Users of this feature should upgrade to 6.2.5.

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9849


--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.documentfoundation.org/www/discuss/
Privacy Policy: https://www.documentfoundation.org/privacy
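The remote-resource behaviour described for CVE-2019-9849 above, as an added example that is not part of this thread or of LibreOffice's own code: a small Python scanner that lists every network URL an ODF document references from content.xml and styles.xml, and separately the list bullet images, so a defender can tell which documents would reach out to remote hosts regardless of the viewer's settings. The ODF element and attribute names are the standard ones; the sample package and the host name are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# ODF namespaces used in content.xml and styles.xml.
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
BULLET_IMAGE_TAG = "{%s}list-level-style-image" % TEXT_NS
REMOTE_SCHEMES = {"http", "https", "ftp"}


def find_remote_refs(odt_bytes):
    """Return (part, tag, href) for every xlink:href with a network scheme in
    content.xml or styles.xml. Package-relative hrefs (Pictures/...) are skipped."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            for elem in ET.fromstring(zf.read(part)).iter():
                href = elem.get(XLINK_HREF)
                if href and urlsplit(href).scheme.lower() in REMOTE_SCHEMES:
                    hits.append((part, elem.tag, href))
    return hits


def remote_bullet_graphics(odt_bytes):
    """Only the remote references that are list bullet images (the CVE-2019-9849 case)."""
    return [h for h in find_remote_refs(odt_bytes) if h[1] == BULLET_IMAGE_TAG]


# Constructed sample styles.xml: level-1 bullet fetched from a remote host,
# level-2 bullet taken from a picture embedded in the package.
SAMPLE_STYLES = """<office:document-styles
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="%s" xmlns:xlink="http://www.w3.org/1999/xlink">
 <office:styles><text:list-style text:name="L1">
  <text:list-level-style-image text:level="1" xlink:type="simple"
    xlink:href="https://example.invalid/bullet.png"/>
  <text:list-level-style-image text:level="2" xlink:type="simple"
    xlink:href="Pictures/local.png"/>
 </text:list-style></office:styles></office:document-styles>""" % TEXT_NS


def build_sample_odt():
    """Minimal in-memory ODT package holding only the constructed styles.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("styles.xml", SAMPLE_STYLES)
    return buf.getvalue()
```

Run it against real files by passing `open(path, "rb").read()` to `find_remote_refs`; a non-empty result means the document will try to load content from the network when rendered.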
Derek Currie

Re: security related information, CVE-2019-9848, CVE-2019-9849

I've been following this situation closely and advising users about the
workaround for *CVE-2019-9848*.

*Problem:* The Document Foundation has stated that the patch for
CVE-2019-9848 was not entirely effective. I can provide documentation. A
further patch was supposed to be applied in version 6.3.4 this week. And yet
there is no record in the release notes of that patch. Instead, there is an
incorrect listing that CVE-2019-9848 was patched in v6.2.5.2, which has been
published to not be the case.

https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/

This situation is thoroughly confusing users.

I'm continuing to advise users to apply the workaround for CVE-2019-9848.

Please sort this out ASAP.

Thank you.

Derek Currie




Charles-H. Schulz

Re: security related information, CVE-2019-9848, CVE-2019-9849

Hello Derek,

On 10 August 2019 06:38:34 GMT+02:00, Derek Currie <[hidden email]> wrote:

>I've been following this situation closely and advising users about the
>workaround for *CVE-2019-9848*.
>
>*Problem:* The Document Foundation has stated that the patch for
>CVE-2019-9848 was not entirely effective. I can provide documentation. A
>further patch was supposed to be applied in version 6.3.4 this week. And yet
>there is no record in the release notes of that patch. Instead, there is an
>incorrect listing that CVE-2019-9848 was patched in v6.2.5.2, which has been
>published to not be the case.


So both MITRE and the Document Foundation are wrong according to you?

Also, 6.3.0 was just released, not 6.3.4, and in my understanding it also has the proper patch(es). This is of course a rather dynamic situation that our security team is actively working on.

>
>https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/
>
>
>This situation is thoroughly confusing users.
>

I am not sure it is...

>I'm continuing to advise users to apply the workaround for
>CVE-2019-9848.


What workaround? Are you in charge of users in a professional environment?

Thanks,

Charles.

>
>Please sort this out ASAP.
>
>Thank you.
>
>Derek Currie
>
>
>

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Caolán McNamara

Re: security related information, CVE-2019-9848, CVE-2019-9849

On Fri, 2019-08-09 at 21:38 -0700, Derek Currie wrote:
> A further patch was supposed to be applied in version
> 6.3.4 this week.
> And yet there is no record in the release notes of that patch.
> Instead, there is an incorrect listing that CVE-2019-9848 was patched
> in v6.2.5.2, which has been published to not be the case.

It is not incorrect to state that CVE-2019-9848 was patched in 6.2.5.2,
but it is fair to state that it turns out the solution is not totally
sufficient and there is an additional problem with the solution.

A new advisory will be issued with a new CVE number for the follow-up
issue when the solution is ready. We're working on making it available.

