|
|
|||
| Rule General Information |
|---|
| Release Date: | 2019-11-29 | |
| Rule Name: | LibreOffice Macro Python Code Execution Vulnerability (CVE-2019-9851) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6. | |
| Impact: | An attacker can execute arbitrary code via a successful exploit in the context of the vulnerable software. | |
| Affected OS: | Windows, Others | |
| Reference: | http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html http://packetstormsecurity.com/files/154168/LibreOffice-Macro-Python-Code-Execution.html https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851 |