PublicDateAtUSN: 2019-07-16
Candidate: CVE-2019-9848
CRD: 2019-07-16
PublicDate: 2019-07-17 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9848
 https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/
 https://ubuntu.com/security/notices/USN-4063-1
Description:
 LibreOffice has a feature where documents can specify that pre-installed
 scripts can be executed on various document events such as mouse-over, etc.
 LibreOffice is typically also bundled with LibreLogo, a programmable turtle
 vector graphics script, which can be manipulated into executing arbitrary
 python commands. By using the document event feature to trigger LibreLogo
 to execute python contained within a document a malicious document could be
 constructed which would execute arbitrary python commands silently without
 warning. In the fixed versions, LibreLogo cannot be called from a document
 event handler. This issue affects: Document Foundation LibreOffice versions
 prior to 6.2.5.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Nils Emmerich and ERNW Research GmbH
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_libreoffice:
upstream_libreoffice: released (6.2.5)
precise/esm_libreoffice: DNE
trusty_libreoffice: ignored (out of standard support)
trusty/esm_libreoffice: DNE
xenial_libreoffice: released (1:5.1.6~rc2-0ubuntu1~xenial8)
esm-infra/xenial_libreoffice: released (1:5.1.6~rc2-0ubuntu1~xenial8)
bionic_libreoffice: released (1:6.0.7-0ubuntu0.18.04.8)
cosmic_libreoffice: ignored (reached end-of-life)
disco_libreoffice: released (1:6.2.5-0ubuntu0.19.04.1)
devel_libreoffice: released (1:6.2.5-0ubuntu1)