CVE-2019-9848
Description
LibreOffice has a feature where documents can specify that pre-installed scripts be executed on various document events, such as mouse-over. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands. By using the document event feature to trigger LibreLogo to execute Python contained within a document, a malicious document could be constructed that executes arbitrary Python commands silently, without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects Document Foundation LibreOffice versions prior to 6.2.5.
Affected products
osv-coords (8 versions, no CPE):
- pkg:rpm/opensuse/libreoffice&distro=openSUSE%20Leap%2015.0, range: < 6.2.6.2-lp150.2.16.1
- pkg:rpm/opensuse/libreoffice&distro=openSUSE%20Leap%2015.1, range: < 6.2.7.1-lp151.3.6.1
- pkg:rpm/opensuse/libreoffice&distro=openSUSE%20Tumbleweed, range: < 7.1.5.2-3.13
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4, range: < 6.2.7.1-43.56.3
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4, range: < 6.2.7.1-43.56.3
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4, range: < 6.2.7.1-43.56.3
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015, range: < 6.2.6.2-3.21.1
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP1, range: < 6.2.7.1-8.10.1

Other:
- Document Foundation/LibreOffice (v5), range: unspecified
Patches
No patches discovered yet.
References
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPTZJCNN52VNGSVC5DFKVW3EDMRDWKMP/ (mitre, vendor-advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/201908-13 (mitre, vendor-advisory, x_refsource_GENTOO)
- usn.ubuntu.com/4063-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.securityfocus.com/bid/109374 (mitre, vdb-entry, x_refsource_BID)
- lists.debian.org/debian-lts-announce/2019/10/msg00005.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Aug/28 (mitre, mailing-list, x_refsource_BUGTRAQ)
- www.libreoffice.org/about-us/security/advisories/CVE-2019-9848 (mitre, x_refsource_CONFIRM)