====================================================================
CERT-Renater Information Note No. 2019/VULN255
_____________________________________________________________________

DATE : 02/09/2019
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running LibreOffice versions prior to 6.2.6, 6.3.0.
=====================================================================

https://www.libreoffice.org/about-us/security/advisories/cve-2019-9850/
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9852/
_____________________________________________________________________

CVE-2019-9850

Title: CVE-2019-9850 Insufficient URL validation allowing LibreLogo script execution
Announced: August 15, 2019
Fixed in: 6.2.6/6.3.0

Description:
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from.

LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc.

Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However, an insufficient URL validation vulnerability in LibreOffice allowed malicious documents to bypass that protection and again trigger calling LibreLogo from script event handlers.

In the fixed versions, script URLs are correctly decoded before validation.

Credits: Thanks to alex (@insertscript) for reporting this issue
References: CVE-2019-9850
_____________________________________________________________________

CVE-2019-9851

Title: CVE-2019-9851 LibreLogo global-event script execution
Announced: August 15, 2019
Fixed in: 6.2.6/6.3.0

Description:
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from.

Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse-over. However, LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc.

In the fixed versions, global script event handlers are validated equivalently to document script event handlers.

Credits: Thanks to Gabriel Masei of 1&1 for discovering and reporting this issue
References: CVE-2019-9851
_____________________________________________________________________

CVE-2019-9852

Title: CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check
Announced: August 15, 2019
Fixed in: 6.2.6/6.3.0

Description:
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open, etc. Access is intended to be restricted to scripts under the share/Scripts/python and user/Scripts/python sub-directories of the LibreOffice install.

Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However, this new protection could be bypassed by a URL encoding attack.

In the fixed versions, the parsed URL describing the script location is correctly encoded before further processing.

Credits: Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue
References: CVE-2019-9852
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44        +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41        +
+ 75013 Paris             | email: cert@support.renater.fr +
=========================================================
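The two URL-handling fixes above (CVE-2019-9850: decode the script URL before validation; CVE-2019-9852: canonicalise the script location before the allowed-directory check) share one defensive pattern: validate the canonical form, never the raw encoded string. The following Python is an added example, not LibreOffice's code and not taken from the advisories. It contrasts a raw-string check of the kind the advisories describe as insufficient with a check that decodes and lexically resolves the reference first. The install root, the directory layout, the script reference shape and the LibreLogo path are all assumptions made for the demonstration.

```python
"""Added example (not LibreOffice's own code): an allowed-script-location
check that decodes and normalises a document's script reference before
validating it, beside a raw-string check of the kind the advisories
describe as insufficient. Install layout and reference shape are assumed."""
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import unquote

# Assumed install root; the two allowed directories are the ones named in CVE-2019-9852.
INSTALL_ROOT = PurePosixPath("/opt/libreoffice")
ALLOWED_DIRS = (
    INSTALL_ROOT / "share" / "Scripts" / "python",
    INSTALL_ROOT / "user" / "Scripts" / "python",
)
# Module that must never run from an event handler (the CVE-2019-9848 protection).
BLOCKED_MODULES = {"librelogo"}


def naive_is_allowed(script_ref: str) -> bool:
    """Checks the reference as received, still percent-encoded: the failure
    mode the advisories describe. An encoded '..' or an encoded letter inside
    'LibreLogo' is not recognised, so such a reference passes."""
    lowered = script_ref.lower()
    if "librelogo" in lowered or ".." in script_ref:
        return False
    prefixes = [f"{d.relative_to(INSTALL_ROOT)}/".lower() for d in ALLOWED_DIRS]
    return any(lowered.startswith(p) for p in prefixes)


def _fully_decoded(ref: str) -> str:
    """Percent-decode until the string stops changing, so a doubly encoded
    reference cannot survive a single decoding pass (a design choice here)."""
    while True:
        decoded = unquote(ref)
        if decoded == ref:
            return decoded
        ref = decoded


def _resolve_relative(ref: str) -> Optional[PurePosixPath]:
    """Lexically resolve '.' and '..' against INSTALL_ROOT without touching the
    filesystem; None if the reference is absolute or climbs above the root."""
    path = PurePosixPath(ref)
    if path.is_absolute():
        return None
    parts: List[str] = []
    for part in path.parts:  # pathlib keeps '..' and already drops '.'
        if part == "..":
            if not parts:
                return None
            parts.pop()
        elif part != ".":
            parts.append(part)
    return INSTALL_ROOT.joinpath(*parts)


def _strictly_under(path: PurePosixPath, directory: PurePosixPath) -> bool:
    """True when path is a descendant of directory (not the directory itself)."""
    n = len(directory.parts)
    return len(path.parts) > n and path.parts[:n] == directory.parts


def hardened_is_allowed(script_ref: str) -> bool:
    """Decode first, normalise second, then apply the allowed-directory check
    and the LibreLogo block on the canonical form only."""
    decoded = _fully_decoded(script_ref)
    if "\x00" in decoded:
        return False
    resolved = _resolve_relative(decoded)
    if resolved is None:
        return False
    if not any(_strictly_under(resolved, d) for d in ALLOWED_DIRS):
        return False
    # Every directory component and the file stem are compared against the block-list.
    components = [p.lower() for p in resolved.parts] + [resolved.stem.lower()]
    return not any(c in BLOCKED_MODULES for c in components)


if __name__ == "__main__":
    # Constructed sample references for the demonstration.
    samples = [
        "share/Scripts/python/HelloWorld.py",
        "share/Scripts/python/%2e%2e/%2e%2e/%2e%2e/tmp/evil.py",
        "share/Scripts/python/Libre%4Cogo/Libre%4Cogo.py",
    ]
    for s in samples:
        print(f"{s!r}: naive={naive_is_allowed(s)} hardened={hardened_is_allowed(s)}")
```

The ordering is the whole point: once the reference is decoded and resolved, the allowed-directory check and the module block-list see the same string that the script loader would eventually act on, so an encoding difference can no longer split the two.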