Windows 8.3 path equivalence handling flaw allows LibreLogo script execution
Description
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts be executed on various document script events such as mouse-over. Protection was added to block calling LibreLogo from script event handlers. However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows: a document could trigger execution of LibreLogo via a Windows filename pseudonym. This issue affects Document Foundation LibreOffice 6.2 versions prior to 6.2.7 and 6.3 versions prior to 6.3.1.
Affected products
osv-coords (8 versions):
- pkg:rpm/opensuse/libreoffice&distro=openSUSE%20Leap%2015.0 (no CPE), range: < 6.2.7.1-lp150.2.19.1
- pkg:rpm/opensuse/libreoffice&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 6.2.7.1-lp151.3.6.1
- pkg:rpm/opensuse/libreoffice&distro=openSUSE%20Tumbleweed (no CPE), range: < 7.1.5.2-3.13
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 (no CPE), range: < 6.2.7.1-43.56.3
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (no CPE), range: < 6.2.7.1-43.56.3
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP4 (no CPE), range: < 6.2.7.1-43.56.3
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015 (no CPE), range: < 6.2.7.1-3.24.4
- pkg:rpm/suse/libreoffice&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP1 (no CPE), range: < 6.2.7.1-8.10.1

Vendor record:
- Document Foundation/LibreOffice, v5, range: 6.2
References
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html (mitre, vendor-advisory, x_refsource_SUSE)
- www.libreoffice.org/about-us/security/advisories/CVE-2019-9855/ (mitre, x_refsource_CONFIRM)