PublicDateAtUSN: 2019-02-04
Candidate: CVE-2018-16858
PublicDate: 2019-03-25 18:29:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16858
 https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/
 https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html
 https://ubuntu.com/security/notices/USN-3883-1
Description:
 It was found that libreoffice before versions 6.0.7 and 6.1.3 was
 vulnerable to a directory traversal attack which could be used to execute
 arbitrary macros bundled with a document. An attacker could craft a
 document, which when opened by LibreOffice, would execute a Python method
 from a script in any arbitrary file system location, specified relative to
 the LibreOffice install location.
Ubuntu-Description: 
Notes: 
Bugs: 
Priority: medium
Discovered-by: Alex Inführ
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_libreoffice:
 upstream: https://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-6-0&id=b1c85cdb37a47998f8ab135fbc96f186334b171c (6.0)
upstream_libreoffice: released (6.0.7/6.1.3)
precise/esm_libreoffice: DNE
trusty_libreoffice: released (1:4.2.8-0ubuntu5.5)
trusty/esm_libreoffice: DNE (trusty was released [1:4.2.8-0ubuntu5.5])
xenial_libreoffice: released (1:5.1.6~rc2-0ubuntu1~xenial6)
esm-infra/xenial_libreoffice: released (1:5.1.6~rc2-0ubuntu1~xenial6)
bionic_libreoffice: not-affected (1:6.0.7-0ubuntu0.18.04.2)
cosmic_libreoffice: not-affected (1:6.1.4-0ubuntu0.18.10.1)
devel_libreoffice: not-affected (1:6.1.4-0ubuntu1)